Proactive Information Security Strategy: General Counsel Beware “Breach Theory”

July 09, 2018

This post is the first in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.

Jason kicked off the discussion by outlining the assumption of breach theory: i.e., any attacker with enough time, commitment and resources will eventually get into a network. The measure of any good information security strategy, then, is the ability of a company to rapidly detect when an incident happens and effectively respond to it. But, Jason explains, time to detect tends to be anywhere from 8 to 11 months from the initial network penetration, and companies can take several years to disclose the breach publicly.

Increasingly, the net result is the general counsel’s office being responsible for leading the response plan, coordinating with all the internal teams and communicating with regulators and law enforcement as needed.

Jason advises organizations to determine what the company’s narrative will be when (not if) an incident occurs and to prepare it well in advance of the incident actually happening. A few of Jason’s suggestions for what you should include in your company narrative follow:

  • “We have performed a threat-based assessment focused on the type of data we store and transact.”
  • “We’ve taken reasonable measures to protect our data from the threats that are most prevalent to our type of business.”
  • “If an attacker does get into our network, they would have to take extraordinary measures to bypass our security.”

Operating under the assumption of breach theory, your team can build processes, training and contingencies in order to quickly detect and respond to any attack.

Read the Full Q&A Transcript

Jason: The position that we take when we go into any kind of investigation or proactive work to help a client create a defensible information security strategy is the “assumption of breach theory,” which says any attacker with enough time, commitment and resources will get into a network. And so with that said, the measure of a good information security program is the ability of a company to rapidly detect when an incident happens and effectively respond to it. There have been several major reports that have come out over the years and what you find in them is that the time to detection tends to be anywhere from 8 to 11 months before many companies figure out when an attacker initially penetrated that network.

Dominic: With companies sometimes taking several years to disclose the fact the breach has happened.

Jason: Exactly. So, when a regulator or when a client takes a look at that and does a look-back on it, the GC is going to own responding to that look-back. And when they do, it's a very hard fact to defend. So, there are two messages that we like to help clients prepare for in advance. One is what your narrative is going to be in the event that an incident happens, and second, you want to have that narrative prepared in advance of the actual incident. So, using the assumption of a breach, you know what's going to happen, you want to be able to detect and respond quickly. And so, you want your narrative to say something like this, "We as a company performed a threat-based assessment and we did this based upon the type of data we have, the business we're in, and the kind of data we're storing and transacting. And, we've taken reasonable measures to protect our data from the threats that we think are most prevalent to us. And if an attacker does get into our network, they must have taken some extraordinary measures to bypass our reasonable security."

Additional Resources

Learn more with these additional resources:

Jason N. Smolanoff, Senior Managing Director, Global Practice Leader, Cyber Risk

Jason Smolanoff is a Senior Managing Director, Global Cyber Risk Practice Leader, based in the Los Angeles office. Jason, who brings more than 16 years of federal law enforcement and information security experience, has played a leading role in some of the most significant cyber security investigations in history. Over his career, he has specialized in supervising and investigating sophisticated computer and network intrusions conducted by state-sponsored organized crime, hacktivists, and insider threat actors, often developing and maintaining productive partnerships with international intelligence and law enforcement agencies as well as private industry.

Andrew Beckett, Managing Director, EMEA Leader, Cyber Risk

Andrew Beckett is a Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice. Andrew began his career at GCHQ where he held a variety of roles including head of the branch responsible for providing cyber security advice to government departments and penetration testing. He also served in the Organisation for the Prohibition of Chemical Weapons (OPCW). This is an International Civil Service organisation operating under the auspices of the UN where Andrew was the first head of the Office of Confidentiality and Security and charged with setting up this team. Andrew went on to run his own commercial consultancies before joining Airbus Defence and Space in the UK as the head of Cyber Defence, a role he filled for five years before joining Kroll. Andrew is a visiting professor of Cyber Security at the University of South Wales.
