Offense Wins Games…Defense Wins Championships: Tips to Build Your Security Strategy. Part Three – Post-Game Show

By James Christiansen ·

The preparation took months and a lot of blood, sweat and tears went into reaching the championship game. It’s over in a blink. The fireworks go off, trophies are handed out - and you hear it all from a silent locker room. 

Part one of this series was all about the preparation. You studied your opponent’s films, optimized your bench and created your playbook. Game day came along in part two. You and your team had to make game time decisions based on your rival’s actions. You had done everything right to prepare and execute on your plan. But in the final 30 seconds of the game, your head coach decided to throw a slant pass on the one yard line despite the fact that you have the best running back in the league. Game over. You’ve been breached. 

It has taken all of us some time to dissect what went wrong – the remediation plan, the internal and external communications strategies, and the plan going forward to the next season. In the third and final segment of this blog series, we are live from the post-game show, reporting on the steps that need to be taken after a breach has occurred. 

Part 3 – Post-Game Show

After a loss you ask yourself, “Where did we go wrong? How do we make sure this doesn’t happen again? How do we deal with the negative press and our upset fans?” The time has come to initiate your incident response plan. 

Identify Clear Areas of Failure 
Review your film to figure out where you went wrong through root cause analysis. Break the game down play-by-play; analyze the data for the events and gaps that led to the failure. Then, identify the factors that should be addressed to reduce the risk of future incidents. 

Prepare to Answer Questions 
Questions are going to be coming your way, so be ready to answer the hard ones. Pulling from our How to Survive Breach Failure blog, be sure to ask yourself and team, “Where did we go wrong? What has been affected? How do we communicate internally and externally? How do we measure the success of our IR Plan? Are there regulatory or compliance requirements that specify how soon after a suspected breach we must report the incident?” And get ready to answer, “Why am I paying you? How in the world did you let this happen?” Stay calm; don’t let the negative energy drive emotional decisions. Stick to the plan. 

Update the Game Plan
Learn from the loss or the win. Don’t get complacent or go back to doing the same thing. Look for inefficiencies in your people, processes or technology and optimize to win the next season. Adjust your plan based on the lessons learned and then communicate to your team, giving special attention to those who didn’t follow the process. Upgrade any faulty technology. Prepare for the draft; get ready to make personnel changes or modifications to your players’ training regiments. Consider if equipment is needed or missing, and validate your needs for budget approvals.  

Team Huddle
After a breach, bring your players together; after all you are still a team. Hold an official debrief with your team and any executives that must be engaged to review what has happened, the effect, the improvements that will be addressed, and how future incidents will be reduced to lead to success. The post-mortem review is important regardless of whether or not you won this game. True leadership is shown by your actions after the game.  Prove that you have the ability to be gratified by the good plays and learn from the bad ones.  

Communicate to Your Fans and the Media
You have the responsibility to communicate to the public, your company stakeholders and employees. Be sure to include the appropriate channels to ensure proper, relevant and impactful communication. Be prepared with your legal team to address legal activity as appropriate. Your brand is vital, and your fans and the media drive your reputation.  Be sure to take the communication very seriously, appear confident and act deliberately – not panicked or emotional. They are counting on you for another season. It is important they trust you to lead the team to victory next year.

Prepare for the Upcoming Season  
You have documented your mistakes and lessons learned. You met with your team to discuss the problem areas and the plans for improvement. You followed your subscribed incident response (IR) plan and continue to optimize your process, personnel and playbook. It is time to get back to work – looking to the next season. Be sure to keep a sharp eye, the enemy is coming after you again. Watch out for new threat actors and the up-and-coming threats; the season will come again and that championship game will be back within reach. 

In this three-part series we dissected the pre-game plan, game day and post-game. In the pre-game we prepared our team, studied our films and those of our opponent’s offense. We built our playbook and our IR plan in case something went wrong, and we optimized our bench with the best people, processes and technology. On game day, we warmed up and were ready to execute on the plan with agility, playing by the rules, protecting our end zone and preparing for a comeback. No matter the preparations or the game plan execution, it’s not “if” or “when” a breach will happen, it’s “where” you have been breached. In this final part of the series we executed on our IR plan, updated and refined.  

While the theme of these blogs used football as a fun way to think about our security strategy, the subject is very serious. With mega breaches becoming common, it is easy to become complacent with “breach fatigue.” As a profession we need to continue to challenge ourselves each day to get better by improving our defenses, gaining visibility into our systems and leading with incident response management.