Photo Credit: Arvada Center Flickr via Compfight cc
Samuel Beckett’s Waiting for Godot is an absurdist play in which its two main characters, Estragon and Vladimir, wait patiently beside a tree on a countryside road. They await the arrival of a character named Godot, who never actually arrives during the course of the play.
While they wait, Estragon and Vladimir engage in a variety of discussions on topics including existentialism, religion, society, war, politics and the human condition. One of the key themes is their indecision as they contemplate, plan, and procrastinate in intellectual paralysis.
Over the past few years, there have been a growing number of large-scale breaches at global organisations that were thought to have mature and professional information security functions. Much planning and waiting occur in preparation for a breach, which may never occur. This often creates a divide between the business and information security leaders as to how much should be invested in technical controls for protection and the resources required to implement and manage them.
The indecision of our characters as they wait for Godot is like the attitude of organisations across the globe where fundamental security activities and controls are challenged, viewed as business ‘blockers’ or simply not implemented robustly enough to withstand what are often, basic attacks.
Five quotes from the play can help clarify key principles that organisations should adopt when preparing for a breach.
- “Let’s go. / Yes, let’s go. (They do not move)”
Obtaining board or C-Level support and mandate to build a response team and prepare for a breach across the organisation is critical. This must be made a priority and should have cascading objectives to ensure activities are followed through. Organisations should plan for a breach by taking a view that systems are already compromised rather than doing nothing until they suffer a breach.
- “Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.”
Developing a Cyber Incident Response Plan (CIRP) on paper is a minimum requirement, but a lack of thorough testing using real-world scenarios may result in embarrassment when a breach occurs. These tests strengthen an organisation’s ability to respond effectively to a breach under stressful conditions and as a team. They help identify areas to improve and encourage maintaining up-to-date plans, and can also provide internal and external stakeholders with a perspective on the maturity of the organisation’s resilience. In summary, test, test and test again.
- “We are not saints, but we have kept our appointment”
Appoint a leader of a breach team and identify all key individuals required to manage and lead a response team. The team should include executive leaders from the C-Level, forensics, legal/privacy counsel, HR, technical IT and security experts, and public/media relations. It should also involve all key third parties such as IT/business service providers and law enforcement. All should be aware, understand their roles and responsibilities and participate in planning and testing activities on a regular basis.
- “Have you not done tormenting me with your accursed time”
Many organisations have shown themselves to be very poor at publicly communicating breaches in a timely manner. Organisations should ensure that all essential facts have been verified before communication to the press. Under new GDPR requirements, failure to notify correctly and without undue delay can lead to potentially significant fines, and having a strong communication strategy and plan is imperative.
- “Habit is a great deadener”
In many recent high-profile breaches, the root causes were identified as failures of basic but fundamental security process, for example, patching systems and cloud-based servers being unprotected, leaving data vulnerable. Lack of basic cyber hygiene seems more likely to be the root cause of a breach rather than a highly sophisticated attacker or nation state, but it goes without saying that these types of error cause significant damage to businesses.
Business leaders have a Waiting for Godot conundrum to address – do they invest in cyber security and plan for a breach, or do they simply wait for one to occur?
