CISOs who fail to plan for breaches before they occur might need to look for another career, says panel
SAN FRANCISCO--Chief information security officers who fail to plan for data breaches and other security incidents before they occur will not be CISOs for long. That was the conclusion of a panel of CISOs and other IT security experts at the RSA Conference being held here this week.

"Have your plan in place and seize the moment. That could be a career defining moment for you. Or run around like your hair is on fire. That could be a career defining opportunity as well," says Rocco Grillo, managing director and global leader of incident response and forensics investigations with Protiviti.

Kostas Georgakopoulos, U.S. regional manager for IT security at UBS, observes: "If you don't have an incident response plan, start one now. Understand your contracts. They are going to define the parameters that you will need to address for an incident response plan. You will need third-party support, whether it is on the forensics side, on the pen-testing side, or on the threat and risk assessment side. You will have clients and regulators asking for incredible things. Go through that exercise and plan for the worst because when it does occur, you will be ready for it."

Roland Cloutier, chief security officer at ADP, advises CISOs to keep their cool during security incidents. "Overreaction is oftentimes worse than no reaction. Remember that, as people will be looking to you for leadership and that is what you are being paid to do."

In addition, CISOs should learn the techniques of incident response. "You don't need to know the technologies right away, you'll learn that over the years. But you need to learn incident response right away," Cloutier notes.

Bill Downes, CISO with The Hartford Financial Services Group, says that breach notification comes from internal and external sources. Internally, "you want to make sure you normalize your network. You know what your network looks like on a day-to-day basis. So if there is any variance, that would be an indicator for you and your team that something is going on."

Downes adds: "Our next frontier is moving from normalizing your network to the next level. What is normal behavior of someone going into your applications? Those are things we are working on now."
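The baselining Downes describes (know what the network looks like day to day, treat variance as an indicator) is easy to sketch in code. The example below is added here to illustrate the idea and is not code from the panel, the article, or any of the companies named. It builds a per-host baseline of daily outbound volume from constructed historical flow records, then flags hosts whose current volume deviates sharply or that have no baseline at all. The host names, byte counts and the 3.5 threshold are all invented for illustration; robust statistics (median and MAD rather than mean and standard deviation) are used so a single noisy day in the history does not inflate "normal". The same shape of baseline applies to the per-user application behaviour Downes calls the next frontier, with actions per user in place of bytes per host.

```python
"""Network baselining: learn per-host 'normal' outbound volume, flag variance.

Added illustrative example; all data below is constructed, not captured.
"""
from collections import defaultdict
from statistics import median

# Constructed 7-day history of (host, day, outbound_megabytes). Not real traffic.
HISTORY = [
    ("ws-01", 1, 210), ("ws-01", 2, 195), ("ws-01", 3, 230), ("ws-01", 4, 205),
    ("ws-01", 5, 220), ("ws-01", 6, 215), ("ws-01", 7, 200),
    ("ws-02", 1, 80), ("ws-02", 2, 95), ("ws-02", 3, 90), ("ws-02", 4, 85),
    ("ws-02", 5, 100), ("ws-02", 6, 90), ("ws-02", 7, 75),
    # db-01 pushes an identical nightly backup: zero day-to-day variance.
    ("db-01", 1, 1200), ("db-01", 2, 1200), ("db-01", 3, 1200), ("db-01", 4, 1200),
    ("db-01", 5, 1200), ("db-01", 6, 1200), ("db-01", 7, 1200),
]

# Constructed "today" observation. ws-01 jumps 20x; ws-99 was never seen before.
TODAY = {"ws-01": 4800, "ws-02": 92, "db-01": 1320, "ws-99": 40}


def build_baseline(history):
    """Return {host: (median_mb, mad_mb)} from (host, day, mb) records."""
    by_host = defaultdict(list)
    for host, _day, mb in history:
        by_host[host].append(mb)
    baseline = {}
    for host, values in by_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)  # median absolute deviation
        baseline[host] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """Deviation in 'robust standard deviations' from the host's median.

    1.4826 * MAD approximates the standard deviation for normal data. When MAD
    is zero (a host with perfectly constant volume) fall back to 10% of the
    median, floored at 1, so any change at all does not trip the alarm.
    """
    scale = 1.4826 * mad if mad > 0 else max(med * 0.1, 1.0)
    return (value - med) / scale


def detect_variance(baseline, observed, threshold=3.5):
    """Return [(host, reason)] for hosts that deviate from baseline or lack one."""
    findings = []
    for host, mb in observed.items():
        if host not in baseline:
            findings.append((host, "unknown host: no baseline"))
            continue
        med, mad = baseline[host]
        z = robust_z(mb, med, mad)
        if z > threshold:
            findings.append(
                (host, f"outbound {mb} MB vs median {med} MB (robust z={z:.1f})")
            )
    return findings


if __name__ == "__main__":
    for host, reason in detect_variance(build_baseline(HISTORY), TODAY):
        print(f"ALERT {host}: {reason}")
```

Only ws-01 and the never-seen ws-99 are reported; db-01's 10% rise over a flat baseline is not, because the zero-MAD fallback keeps a constant host from alerting on any change whatsoever. In practice the baseline would be keyed on more than bytes (destinations, ports, time of day) and refreshed on a rolling window so the definition of normal tracks the environment.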
