It was not that long ago that the most senior security incumbent at the time of a data breach was not only fired ignominiously, but torn to shreds by his/her ‘peers’ as being anything from unqualified, to incompetent, to grossly negligent.
They became nothing short of pariahs.
The vestiges of this ridiculous practice are still rife (take BA for example), but things are changing, and we all have a Recital to thank for it:
GDPR Recital 85: “[…] as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it […]”
So almost every organisation that has, until now, swept their dirty little – and some not so little! – secrets under the carpet, must start airing their dirty laundry (I do enjoy mixed idioms). After all, how many data breaches don’t involve some kind of personal data?
Add to this the following requirements and there is no way the senior security person can be sacrificed unless they truly are incompetent or grossly negligent:
- GDPR Article 5(1)(f) – “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” – This has been a key principle of European privacy for almost 40 years, to not take this seriously now is nothing short of criminal. Literally;
- GDPR Article 5(2) – “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” – The mantle of accountability can only be worn at the highest levels of management/leadership; i.e. Board of Directors / CEO, so if the security person can demonstrate that they have not supported an appropriate risk management framework no blame can be passed down;
- GDPR Article 32(1) – “[…] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]” – You cannot demonstrate ‘appropriate’ unless you have documented how it’s appropriate. An appropriate security program would do this for you, but very few organisations can truly show how they have aligned themselves to industry accepted good practices (e.g. ISO 27001, NIST, etc).
While the Article 83 administrative fines for data breaches generally fall within the lower range (€10M / 2%), complete disregard of the GDPR Article 5 principles attract the higher range (€20M / 4%). So unless it can be demonstrated at the highest levels of leadership that privacy is taken seriously, supervisory authorities can not only impose significant fines, but can also prevent you from processing personal data (Article 58(2)(f)) until you do.
What every organisation must understand is that eventually you will be the victim of a breach of some sort, and there is a better than even chance that that breach will become public. Those who have done little to mitigate that certainty, and/or are unprepared for when it happens, will be the hardest hit.
Now what if there was a skill-set that allowed organisations to:
- design ‘demonstrably appropriate’ security and risk management programs;
- document the program against industry-accepted good practices;
- minimise both the frequency and impact of security related events;
- lead the incident response process(es) when a bad thing happens;
- provide legal everything they need to report to the supervisory authority;
- provide PR/marketing everything they need to compose the public-facing collateral;
- recover from the incident in time to save the business;
- translate supervisory authority findings into actionable tasks;
- adjust all policies, procedures, and standards for lessons-learned; and
- provide the BoD/CEO the appropriate material to address the shareholders.
Like most roles in security, it’s not one person who should manage all of this as it’s very unlikely that they are good at them all. Not good enough anyway. Just as the CISO function has three distinct but overlapping aspects, the Breach Response Specialist (BRS) will have strengths and weaknesses, but unlike CISOs, the role of BRS is extraordinarily unforgiving.
Sticking to the principle of 3, there are 3 types of BRS:
- The Planner: – The p-BRS comes in at the beginning of an engagement and tells the organisation what it needs. Their job is to design and document a breach response program that does the only thing it’s supposed to: support / enable the business. The p-BRS will organise the first drafts of the Incident Response Procedure(s), the Disaster Recovery Procedure(s), and the Business Continuity Plan, get the CEO to approve/sign them, then implement an employee training program. They must try to think of every detail or the processes will be ineffective.
Of the 3 types, this is the most creative, which often makes them unsuitable to actually run the program. S/he’s Debbie/Danny Ocean in the Ocean’s ‘n’ movies;
- The Executor: e-BRSs put out the fires. They will come at the first sign of trouble, probably with a forensics team to determine exactly what happened, while at the same time plug themselves into the incident response process(es). The output from the e-BRS’s efforts feed directly to the disaster recovery (get back ‘online’), legal (external notifications), and PR (reputational damage control) teams to enact their respective processes. The e-BRS phase ends when the fire is out.
This type is a true people and process orchestrator, able to work under extreme pressure and deadlines while maintaining a calming influence over panicking clients. S/he’s Winston Wolf out of Pulp Fiction.
- The Finisher: f-BRSs clean up the mess. A breach will uncover many things that the p-BRS could not possibly have forecast, and that the e-BRS, lawyers, and PR people had to implement / patch together on the fly. It is also very likely that the business’s priorities will have changed depending on the outcome of the supervisory authority’s findings, both short and long-term. The f-BRS has the skill-set to:
- take the supervisory authority’s findings and translate them into the action items required to resolve them, both technical and documentary;
- take all of the lessons learned from the e-BRS, lawyers, and PR and feed them back into the entire security program. Again, both technical and documentary (especially the BCP); and
- provide the highest level of leadership what they need to reassure key stakeholders everything has returned to a ‘better normal’.
These highly experienced practitioners actually have the hardest job of the three. While all BRSs must have significant experience in both cybersecurity and privacy – which is a rare commodity in and of itself – the f-BRS has to understand in much greater detail how the entire business functions. There’s no movie equivalent for this.
What organisations are in desperate need of – even if they don’t know it yet – are the very people they fired to cover their own arses. Those folks now have a distinct advantage over those who have not yet suffered through a breach. They have experience that no manner of training or education can match.
In fact, I’ll go as far as to say that there are many roles for which NOT having breach experience is becoming a DISadvantage, including the CEO, General Counsel, CMO, CTO, CISO and a host of others. Why hire someone if they can’t help you through something that you know is going to happen eventually?
For security novices or non-techies this all may sound like a new concept, but to security veterans the only part that is [relatively] new is the privacy stuff. Literally 95% of the above is what organisations should have been doing in the first place. The only reason they would need a BRS is because they have been negligent. Yes, negligent.
In terms of availability:
- the p-BRS is the most common as there are many security experts who can develop business continuity programs for you. The only thing that may be missing is writing in privacy requirements;
- the e-BRS is also fairly common, at least from the technical and fire-fighting capability. Unfortunately there are very few who can truly translate from tech to legal-ese and vice versa, especially in terms of privacy law (GDPR). This role will be seen as the breach Rockstar when they have built an appropriate skill-set and earned a good reputation;
- if there are any f-BRSs, I have yet to hear of one, let alone met one. The combination of technical capability and privacy knowledge likely doesn’t exist yet. Maybe this can’t BE one person and is more of a team effort. If so, then you’d better have a really good Governance program to take the f-BRS’s place.
We’ve always had people capable of breach response, but never has the requirement been so high profile.