Chapter 12 Cybersecurity Incident and Crisis Management

Gérôme Billois, CLUSIF (Club de la Sécurité de l'Information Français) Administrator and Board Member; Cybersecurity at Wavestone Consultancy, France

The antivirus console administrator is phoning Maria, the chief information security officer (CISO) reporting to Tom, the CEO: “… another virus has been detected. I know we struggle with many incidents like this every day, but this one seems very strange. I’ve never seen it before. It has infected the workstation of a researcher in the R&D lab and it is trying to send loads of data to the Internet … the help desk manager just wants the workstation to be reinstalled as soon as possible, saying it’s a common incident and nothing to worry about. …”

Maria interjects: “No. This is now an incident needing our incident management process to kick in. Start sending the virus to our forensics experts, then …”

Cybersecurity Incident Management

One hundred percent protection does not exist in cybersecurity: a cybersecurity incident can always occur, whatever the level of investment. It is therefore mandatory that the CEO ensure capabilities, tailored to the organization, that differentiate low-impact routine cyber incidents from major crises and that promptly escalate the latter to effective cyber crisis management, so as to avoid high-impact interruption. This chapter shows the CEO how.

When a Cybersecurity Event Becomes an Incident

There are many definitions for a cybersecurity incident ...
