Post-Incident Review is Weakest Link in Risk Management

By Anthony Freed | November 26, 2012

Posted in: Network Security Trends

As organizations seek to analyze the return on security investments in an effort to maximize impact in the face of limited budgets, many may be spending valuable resources to address symptoms while altogether missing the opportunity to mitigate the root problems that put systems and sensitive data at risk, according to a recently released report by the Information Security Forum (ISF).

The report, aptly titled "You Could Be Next," looks at what the ISF has identified as common problems regarding the lack of adequate post-incident analysis by most organizations, which in turn leads to an incomplete risk management posture and continued vulnerabilities.

“Organizations cannot avoid serious incidents, and while many are good at incident management, few have a mature, structured approach for analyzing what went wrong. As a result, they’re incurring unnecessary costs and accepting inappropriate risks,” said ISF CEO Michael de Crespigny in a press release on the report.

The ISF, which was founded in 1989, is a not-for-profit cybersecurity advocacy group that draws on the experience of its world-wide membership of Fortune 500 and Forbes 2000 companies in order to identify key issues involved in building more robust information security and risk management best practices.

The authors of the study found that an over-emphasis on high-profile security threats, which the report describes as "black swans," may lead many to waste money on mitigation efforts that in the end have little impact on improving the overall risk profile of the organization.

While poor incident management in the face of a data loss event is one of the issues the ISF report identifies as potentially detrimental to organizations, it also found that the absence of effective post-incident analysis was a key reason those organizations were unable to identify the root causes of an event and take the appropriate actions to reduce the risk of future events.

The study also found that most companies lacked the ability to properly assess the true costs incurred after a significant security event. It notes that while some losses are immediate and more easily calculated, determining the "long-term or intangible costs" associated with an event is a much more difficult process, leaving organizations blind to the actual impact of an event on the company's bottom line.

“Without a proper impact assessment, businesses don’t know the incremental, long-term or intangible costs of an incident – but those costs still hit the bottom line, costing the organization money. Utilizing our You Could Be Next report, executives can better understand how to respond more quickly and develop the resilience needed to survive the impacts from today’s complex security threats,” de Crespigny explained.