TLDR:
Infosec teams must be allowed to fail in order to recover fast from incidents, argue Gartner analysts Chris Mixter and Dennis Xiu. They emphasize the importance of developing recovery plans, working with the business, and rehearsing responses to incidents.
- Gartner analysts advocate for allowing infosec teams to fail in order to recover quickly from incidents.
- They stress the importance of developing recovery plans, working with the business, and rehearsing responses to incidents.
Summary:
Zero tolerance of failure by information security professionals is unrealistic, according to Gartner analysts Chris Mixter and Dennis Xiu. They argue that no amount of effort can prevent infosec incidents, and the quality of organizations’ response is a more appropriate measure of an infosec team’s effectiveness. The analysts emphasize the need for a mindset change, as most organizations are immature in terms of their incident response capabilities. They recommend working with the business to develop recovery plans based on tolerable impacts, allowing infosec teams to prioritize investments. Additionally, they suggest extensive rehearsal for recoveries, especially for incidents caused by third parties. This preparation can help to keep infosec teams effective in responding to incidents and reduce the need for heroic actions fueled by adrenaline.
In a later session, Gartner’s senior director of research Christine Lee highlighted the importance of mental health in incident response. She recommended creating structured shifts for incident responders to ensure proper rest, as well as incorporating mental health debriefs into post-incident assessments. Lee also suggested training chief information security officers to detect signs of stress among team members for effective management.
Furthermore, the analysts advocated for infosec teams to acknowledge incidents and continuously improve their recovery routines. This approach, they argue, can help organizations demonstrate their commitment to improving cybersecurity and handling incidents effectively. By reporting small events and honing recovery routines through regular practice, infosec teams can maintain their effectiveness and prevent burnout among team members.
In conclusion, Gartner analysts stress the importance of allowing infosec teams to fail, developing recovery plans, working collaboratively with the business, rehearsing responses to incidents, and prioritizing mental health in incident response. By adopting these strategies, organizations can enhance their cybersecurity posture and improve the effectiveness of their infosec teams.