This post is the first in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.
Jason kicked off the discussion by outlining the assumption of breach theory: i.e., any attacker with enough time, commitment and resources will eventually get into a network. The measure of any good information security strategy, then, is the ability of a company to rapidly detect when an incident happens and effectively respond to it. But, Jason explains, time to detect tends to be anywhere from 8 to 11 months from the initial network penetration, and companies can take several years to disclose the breach publicly.
Increasingly, the net result is that the general counsel’s office ends up responsible for leading the response plan, coordinating with all the internal teams and communicating with regulators and law enforcement as needed.
Jason advises organizations to determine what the company’s narrative will be when (not if) an incident occurs and to prepare it well in advance of the incident actually happening. A few of Jason’s suggestions for what you should include in your company narrative follow:
- “We have performed a threat-based assessment focused on the type of data we store and transact.”
- “We’ve taken reasonable measures to protect our data from the threats that are most prevalent to our type of business.”
- “If an attacker does get into our network, they would have to take extraordinary measures to bypass our security.”
Operating under the assumption of breach theory, your team can build processes, training and contingencies in order to quickly detect and respond to any attack.
Read the full Q&A transcript
Jason: The position that we take when we go into any kind of investigation or proactive work to help a client create a defensible information security strategy is the “assumption of breach theory,” which says any attacker with enough time, commitment and resources will get into a network. And so with that said, the measure of a good information security program is the ability of a company to rapidly detect when an incident happens and effectively respond to it. There have been several major reports that have come out over the years and what you find in them is that the time to detection tends to be anywhere from 8 to 11 months before many companies figure out when an attacker initially penetrated that network.
Dominic: With companies sometimes taking several years to disclose the fact the breach has happened.
Jason: Exactly. So, when a regulator or when a client takes a look at that and does a look-back on it, the GC is going to own responding to that look-back. And when they do, it's a very hard fact to defend. So, there are two messages that we like to help clients prepare for in advance. One is what your narrative is going to be in the event that an incident happens, and second, you want to have that narrative prepared in advance of the actual incident. So, using the assumption of a breach, you know what's going to happen, you want to be able to detect and respond quickly. And so, you want your narrative to say something like this, "We as a company performed a threat-based assessment and we did this based upon the type of data we have, the business we're in, and the kind of data we're storing and transacting. And, we've taken reasonable measures to protect our data from the threats that we think are most prevalent to us. And if an attacker does get into our network, they must have taken some extraordinary measures to bypass our reasonable security."