Not only does the incident response plan lead to better cost estimates, but it will also lead to a quicker return of network functions. “Practice, practice, practice,” Draeger says. “Absolutely practice every step of your incident response plan and whatever your critical processes are. Be able to run manually. Be able to run on paper. If it requires that a form is printed out, have a stash of them somewhere. Whatever you need to do to run without your network until you can get your network up, have that system already in place.”
Stephen Boyer, founder and chief innovation officer of Bitsight, tells CSO that one big handicap CISOs face is the lack of a common method for calculating incident costs. CISOs can rely on various risk management models to estimate the expected costs of some of the variables that make up breach costs; two of the most frequently used are the FAIR Institute methodology and Monte Carlo simulation.
“But, there’s not a universally accepted standard for measuring and predicting the losses,” Boyer says. Miscalculating the costs can significantly damage a CISO’s reputation or even lead to job loss. “If something comes back and we have an annual expected loss of $50 million, maybe it’s $54 million, maybe it’s $48 million. But if then something comes back and you have a loss of $60 million, it’s like, ‘Hey Steven, you’re an idiot.’”
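To make the two points above concrete (a Monte Carlo model of expected loss, and why a realized loss well above the annual expected value is not a sign the estimate was wrong), here is an added, self-contained example. It is not code from the article, from Bitsight or from the FAIR Institute; it uses the FAIR-style decomposition of annual loss into event frequency times loss magnitude, with an assumed Poisson event rate and lognormal per-event magnitude whose parameters are constructed for illustration. The simulation reports the mean (the "annual expected loss" a CISO would quote) alongside percentiles and the chance that a single year overshoots that mean by 20 percent, which is the $50 million versus $60 million situation Boyer describes.

```python
import math
import random
from statistics import mean


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's method (stdlib has none)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(years, event_rate, magnitude_median, magnitude_sigma, seed=1):
    """Simulate total loss per year for `years` independent years.

    Assumed model (FAIR-style): number of loss events per year is Poisson(event_rate);
    each event's magnitude is lognormal with the given median and log-scale sigma.
    """
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    losses = []
    for _ in range(years):
        n_events = poisson_sample(rng, event_rate)
        total = sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(n_events))
        losses.append(total)
    return losses


def percentile(values, q):
    """Nearest-rank percentile for 0 <= q <= 1 (no interpolation, keeps it simple)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(losses):
    """The numbers a CISO would put in front of the board: mean plus tail percentiles."""
    return {
        "mean": mean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": max(losses),
    }


def probability_of_exceeding(losses, threshold):
    """Fraction of simulated years whose loss exceeds `threshold`."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def analytic_expected_annual_loss(event_rate, magnitude_median, magnitude_sigma):
    """Closed form for the model above: rate * E[lognormal] = rate * median * exp(sigma^2 / 2)."""
    return event_rate * magnitude_median * math.exp(magnitude_sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed parameters: 2 loss events per year, median event cost $1M, wide spread.
    losses = simulate_annual_losses(20_000, 2.0, 1_000_000, 1.0, seed=7)
    stats = summarize(losses)
    for name, value in stats.items():
        print(f"{name:>5}: ${value:,.0f}")
    over = probability_of_exceeding(losses, 1.2 * stats["mean"])
    print(f"P(year exceeds mean by 20%): {over:.1%}")
    print(f"analytic mean: ${analytic_expected_annual_loss(2.0, 1_000_000, 1.0):,.0f}")
```

The mean lands close to the closed-form expectation, but the p90 and p95 sit far above it because the magnitude distribution is right-skewed; a year that comes in 20 percent over the "expected" figure is a routine outcome of the model, not evidence the model was wrong. Reporting the percentiles alongside the mean is what keeps the conversation away from "you're an idiot."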