CHAPTER 11 Incident‐Response Planning

“You mean to tell me,” complained one executive I worked with, “that after all this work, after endless hours of assessing, valuating, cataloging, classifying, testing, planning, deploying, and educating…now I have to develop an incident‐response plan on top of it all? You'd think we'd be protected to the max!” He groaned. “Can't I at least farm it out?”

“Well, that depends….”

I call this incident‐response planning despair, the dreaded IRPD! It's dreaded partly because it comes toward the end of developing a cybersecurity program, and partly because it is so anticlimactic. It is true that a lot of work, a lot of hard work, has brought you to this point. Now, you are asked to develop a plan for when all your work has failed. Despite it all, an incident has happened, and you need to have a plan to pick up the pieces.

In the 2015 movie The Martian, the main character teaches a group of aspiring astronauts. He tells them:

…At some point, everything's gonna go south on you…everything's going to go south and you're going to say, “This is it. This is how I end.” Now you can either accept that, or you can get to work. That's all it is. You just begin. You do the math. You solve one problem…and you solve the next one…and then the next. And if you solve enough problems, you get to come home.

Honestly, if there is a better description of what an incident‐response plan really looks like, I have not found it!

Incident‐Response Planning: Not Just ...
