Another question to consider: Is there a clear plan for response, including incident and crisis communication?
The Driver Behind This
Incidents are going to happen; it is not a matter of if but when. Whether the cause is a sophisticated adversary who has placed you in the crosshairs or an employee whose laptop holding personal information is stolen from a locker at the gym, the organization’s leadership must be engaged. Understand, this is not an IT function. It is a joint effort, and that means having the appropriate authoritative representatives identified, available and ready. Ensure general counsel is engaged to address any regulatory or privacy implications, that the corporate communications lead is prepared to communicate with the media, and that identified staff are sufficiently trained to answer questions from concerned customers. Engage the appropriate team members from IT Operations and Information & Cybersecurity to understand what happened from the technical side, and the internal audit team to understand which control weakness allowed the incident to occur in the first place. Depending on the type of breach, you may also have to notify third parties such as state Attorneys General, the affected payment card brands (e.g., Visa, MasterCard) or a federal agency (e.g., the Department of Health and Human Services for protected health information).