“Organizations cannot avoid serious incidents, and while many are good at incident management, few have a mature, structured approach for analyzing what went wrong. As a result, they’re incurring unnecessary costs and accepting inappropriate risks,” said Michael de Crespigny, CEO of the ISF. “Without a proper impact assessment, businesses don’t know the incremental, long-term or intangible costs of an incident – but those costs still hit the bottom line, costing the organization money. Utilizing our You Could Be Next Report, executives can better understand how to respond more quickly and develop the resilience needed to survive the impacts from today’s complex security threats.”
Based on insights from the ISF’s global membership, the You Could Be Next report helps organizations implement a capability for post-incident review by addressing the key steps at each stage: impact assessment, root cause analysis and recommendations. Key findings from the report include:
· Risk management is incomplete without post-incident review
· Incidents cost more than is immediately apparent, whether the organization knows it or not
· Organizations may be spending inappropriately
· Over-emphasis on “black swans” can detract from higher value activities
· Resilience should be built around five to seven impact types
· Poor incident management can create damage far beyond the incident itself
· Incidents that result in major impacts do not always have major causes
· In practice, post-incident review is the weakest part of incident management
You Could Be Next is available free of charge to ISF members and available via ISF Live, a facilitated forum for ISF members to discuss related issues and share solutions, along with additional resources including a webcast and presentations. Non-members can purchase a copy of the report by contacting Steve Durbin at steve.durbin@
The ISF is an independent, not-for-profit organization with a membership comprising many of the world's leading organizations featured on the Fortune 500 and Forbes 2000 lists. The organization is dedicated to investigating, clarifying and resolving key issues in information security and risk management, by developing best practice methodologies, processes and solutions that meet the business needs of its members. For more information, please visit https://www.securityforum.org/
Information Security Forum (ISF)
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.