Why I wrote a book on cyber breach response

Several years ago, I transitioned from IT into cybersecurity. I came from a field characterized by mature processes and a rich knowledge base surrounding IT delivery. I entered a largely unstructured and chaotic field where cybersecurity and compliance were synonymous in many organizations.

At that time, the cybersecurity field was primarily driven by compliance and vendors promising silver bullet solutions to emerging threats. Furthermore, I realized that stakeholders often involved in decisions about incident response investments had very little understanding of the threat landscape and the required capabilities to manage cyber events.

When I transitioned full-time into an incident response role, I understood the causes of the problems described above. Incident response, and cybersecurity to a degree, heavily rely on tribal knowledge. This realization was not a surprise. In my experience, to become a competent cybersecurity professional, you need to understand the end-to-end business process and how vulnerabilities in the various components of the process lead to risk. An understanding of the various technologies that underpin the process and their inherent risks is vital. This knowledge is difficult to accumulate. It requires the right type of environment, critical thinking, continuous learning, and passion for the field, as cliché as it may sound.

Individuals with the right combination of personal characteristics, skills, and experience are rare and pass on their expertise in the form of tribal knowledge. This tribal knowledge, in turn, remains mostly undocumented. Although many standardization bodies, such as NIST or ISO, attempted to standardize specific aspects of incident response, their prescriptions are often high-level and hard to implement optimally.

I also noticed that organizational leaders often perceive incident response as a tactical function rather than a crucial element in managing residual risk when other controls fail. Consequently, adequately implemented lessons learned and continual improvement are rare. Moreover, many organizations primarily focus on security products when building incident response capabilities without appropriate investments in people and processes.

Cyber Breach Response That Actually Works is my attempt to help leaders understand incident response and bring organization into an inherently chaotic field. By writing this book, I wanted to equip leaders and cybersecurity professionals with the necessary information to build sound incident response capabilities and manage residual risk associated with cyber threats. The information that I share is primarily based on my consulting experience with Fortune 500 clients and responding to large-scale breaches.

I hope that my book leads to a better understanding of the field among leaders, cybersecurity professionals, and anyone who has an active interest in incident response. Moreover, I hope that my effort can help further standardize and evolve the incident response field from a process perspective. I am not saying that I have all the answers. On the contrary, I am open to constructive feedback, exchanging ideas, and collaborating to help the incident response field mature. We all share a common objective: to minimize the impact of cyberattacks and protect vital assets.

I also wanted to make incident response accessible to those who have an active interest in incident response but whose primary function within the enterprise is not incident investigations. Those stakeholders include legal, compliance, risk managers, HR, business unit leaders, technology professionals, and anyone who may need to contribute their expertise during an investigation. For this reason, I explain incident response concepts in simple terms and focus on how those concepts relate to business objectives.

Cyber Breach Response That Actually Works addresses the following topics:

  • Identifying drivers for incident response and how to create a sound strategy

  • Building a capable incident response team including cross-functional engagements

  • Increasing cyber resilience through planning and preparedness

  • Building technology capabilities to support and accelerate investigations

  • Investigating and remediating both small and large-scale incidents

  • Legal and regulatory concerns surrounding investigations

Regardless of what your role is within your organization, I hope that you will find the book informative and will apply the concepts in practice. Feel free to reach out to me if you have any questions, comments, or constructive feedback.