What does incident management mean to your board members?
There are numerous frameworks, compliance requirements, and industry practices that provide guidance on what an incident response process should include. For example, the Federal Information Security Management Act (FISMA) provides requirements on numerous topics for government agencies and those working with government agencies. These requirements are largely in line with guidelines from the National Institute of Standards and Technology (NIST). Such requirements and guidelines can be a good place to start with your plan, and you’ll want to add industry-specific guidelines as well as any internal requirements that already exist in your organization. Does your board know what NIST or FISMA suggest you should do? Board members will most definitely care when considering the expenses of hiring outside counsel and consultants to prepare before a government agency arrives to ask “just a few questions”.
In a succinct manner, you will need to demonstrate to the CEO that your approach to incident management:
- Is based on industry accepted practices.
- Exceeds regulatory requirements.
- Will handle an incident better than your competition handled theirs.
- Aligns with expectations from the board.
Implementing an industry standard methodology for incident response is an absolute necessity, regardless of the size or complexity of your organization. Simply “having a plan” won’t meet the expectations of the CEO or board members, as they likely are unfamiliar with FISMA and NIST. Miscommunication and misalignment of board and C-level views on defining, managing, and remediating incidents will add to confusion, stress, and could increase your company’s exposure.
A well-thought-out plan, based on industry standards and then well communicated to the organization, offers the best path to resolving the incident. You should know the answer to the question “what does incident management mean to our board members?” You also need to ensure that management knows what to do when an incident occurs. If your only opportunity to address the group is at a board meeting, you probably know that time allotted to topics during board meetings is always at a premium, and there are numerous agenda items competing for the time not already allocated. That makes it all the more important to clearly and concisely communicate and align expectations.
If an incident does occur, be ready for questions like “What caused the incident? Were we aware of the risks? What actions will be taken to prevent it from happening again?” This is where a governance, risk management and compliance (GRC) platform can shine, by correlating data points and reporting facts clearly and concisely to stakeholders. Your GRC platform will not only help you create and communicate your plan, but also help you prepare for the next questions your CEO and board are likely to ask, by allowing you to capture the relationships among the underlying data points for causation, mitigation, and remediation and easily present them.
Answering a few questions posed by the CEO doesn’t get you off the phone. But anticipating the subsequent questions, and having the data to back up your answers readily available, may just get you back to dinner before it gets cold.