A reaction must be given to a cyber-attack to guarantee the continuity of the organization. I see two main methods of orchestrating such a reaction: centralized and decentralized.
Reacting to a cyber-attack is more commonly known as incident response. Incident response is an essential part of the business continuity, but that does not make it any simpler to prepare. Many organizations struggle to respond to a simple question of who should have the authority during such a scenario? Should the executive board have the authority? Should the CFO still be making the call on where to spend the money? Or should we place our trust in the cyber-defense team?
The importance of placing authority is reflected in the responsibility to orchestrate the response. This orchestration power also determines who initiates the state of emergency, effectively starting the incident response process. Once the process has been initiated, this authority will need to make decisions on how to deal with the attack. To simplify, the placement of the authority we can consider two primary options: centralized and decentralized authority.
|What is centralized authority?||What is decentralized authority?|
Both centralized and decentralized structures should follow the incident response lifecycle. When we ignore the difference in resources (such as tooling or budget), we see little difference in effectiveness in performing the required actions. However, there is a difference in efficiency. This difference becomes clearer when looking at cyberattacks that target the whole organization. This is an important consideration, as an attacker is looking for a vulnerability in an organization, not a location.
Additionally, we have observed that incident response initiatives often start off as local initiatives and therefore take on a decentralized organization structure. Driven by a necessity to respond to an active attack, these initiatives are often championed by knowledgeable IT staff.
|Centralized authority||Decentralized authority|
There are many differences to consider in both centralized and decentralized authority structures. An important consideration is that of holistic response versus adaptiveness. Moreover, the effectiveness of the chosen structure is more dictated by tooling and budget. The perfect solution for any specific organization will be somewhere in between. Hybrid solutions, where localized teams report to the global team, are more commonplace.
To summarize the benefits and drivers of both options, I present the following table:
While this analysis has been brief, it shows two extremes on how to organize incident response organization, specifically authority. As the field of cybersecurity is rapidly changing, so are response strategies. To best adapt to this changing world, you should consider what best fits your organization and what risks you are willing to take.
Topics not touched upon in this paper are additional requirements, such as regulatory compliance, technical infrastructure or require response procedures, all of which may impact the preferred solution for your organization.
This blog does not present any simple solutions to today’s challenges but should be considered a starting point for the many factors that should be considered during incident response.
Visit Capgemini Cybersecurity for more information about our services.