Skip to main content

Featured

Preparing for the Worst with an Incidence Response Plan

Every organization must have an incidence response (IR) plan that will handle preparation, identifying the start of an incident, recovering from it, restoring normal operations and support sound security policies.

With any cybersecurity incident, security teams will face uncertainties and chaotic activities. In such a high-pressure environment the risk of not following proper incidence response procedures becomes high and limiting the damage becomes elusive.  It is essential that CISOs must institute a through incidence response plan that enables clear thinking and taking pre-planned steps that will define the loss and prevent business impacts from occurring.

What makes up a sound IR plan? There are several steps when putting together an actionable IR plan, at the high-level preparation, detection, investigation, containment, eradication, recovery, and monitoring are critical fundamentals in a program.


NIST 800-61 Incidence Response Life Cycle
Getting Prepared CISOs should always pre…

CISOs Are Constantly Confronted With Conflicts of Interest


Corporations, government agencies or individuals may be quick to throw ethics out the window when there’s an extra buck to be made. Some of these conflicts of interest are overt, while others are difficult to recognize. CISOs are constantly challenged to identify patterns that might put them in a morally compromising position.

The most common conflict of interest arises when an employee working for one company freelances for a competitor. Another type of conflict results from nepotism, when one or more employees is related to a company manager or executive. These are the most obvious examples, but other instances, such as C-suite friction and negative publicity, are subtler and usually intrinsic.
Even innocent interactions between two people at a conference or on social media can lead to termination of employment or legal action if both parties are not careful. It’s difficult to keep track of every potential problem, but IT leaders can save themselves a lot of headaches by simply knowing what kinds of issues commonly lead to contention.

Stifling Whistleblowers With Gag Rules

Chief information security officers (CISOs) must manage conflicts of interest among their board of directors and other departments throughout the organization. Most employees blindly trust their CISO’s decision-making skills and don’t even think to challenge them. But consider the problems that might arise if a board member favors a particular vendor because he or she holds a stake in that company or stands to redeem an undisclosed incentive in the future. This is also why employees are often pressed to sign non-compete agreements.

Some companies go so far as to establish gag rules that prevent employees from publishing articles or books without explicit approval. A Google employee even filed a lawsuit claiming that the company breached California labor laws by using confidentiality agreements to run what essentially amounts to an internal “spying program.” The tech giant, according to the lawsuit, even forbid employees from writing novels about “someone working at a tech company in Silicon Valley.”
If Google is found guilty on all violations specified in the lawsuit, it could face fines up to $3.8 billion. The allegations illustrate how a company might use its confidentiality rules to prevent whistleblowers from disclosing illegal activities to regulators and law enforcement.

Corporate and Government Conflicts

CEOs are often motivated to engage in conflicts of interest with government agencies, and vice versa. For an example of this, look no further than the lobbies influencing federal, state and international lawmakers to bend legislation in their favor. Big Tobacco, for example, sits on the governing committee for tobacco control in the Philippines. Now, imagine how this conflict might negatively impact things like health care or product distribution.

Ironically, these global corporations typically have ethics and governance programs, yet turn a blind eye when these principles conflict with opportunities to establish dominance in the marketplace. For the CISO, naturally, this presents a moral quandary.

Managing Conflicts of Interest

A CISO should always consider the job from the outside looking in. Corporations don’t take conflicts of interest lightly, and it’s important for security leaders to make sure their actions align with the company’s business goals and code of ethics.

Restrictions relating to conflicts of interest vary from industry to industry. Independent contractors, for example, can use skills obtained elsewhere for personal gain because they are self-employed. In a corporate setting, however, employees are bound by the company’s stipulations related to conflicts of interest.

Before you engage with another organization or participate on social media, ask yourself:

  1. Are you treating specific co-workers, relatives or friends differently because of the nature of those relationships?
  2. Are you using skills you developed at work for personal gain outside the company?
If the answer to either of the above questions is yes, you may be in conflict with the interests of your company. Recognizing these situations will help you avoid them.

Comments