Recovery Improvements

Because recovery is the final stage of incident management, a retrospective at this point can be more complete. In addition, from a risk management perspective, recovering from a major cyber incident involves more than restoring the company to its prior state. Instead, a mature cyber recovery program would have a company pick itself up, wipe itself off, and start all over again… not battered and bruised, but from a position of greater strength across the entirety of the Framework’s Identify, Protect, Detect, Respond and Recover functions.

There’s No Substitute for Experience.

Most every major incident reveals something unexpected, and usually not for the better. Capturing these experiences helps bridge the gap between theory and reality, creating a cybersecurity program that combines your company’s analytic intelligence (or book smarts) with its practical intelligence (or street smarts). To receive diverse input, companies might consider asking everyone who had a role in the detection, response and recovery efforts the following three open-ended questions:


• What was unexpected about this incident and the way it played out?
• What would you personally do differently before, during or after a future incident and why?
• Based on this incident, what areas should the company prioritize for improvement and why?

There’s No Substitute for Hard Work.

Organizations should develop an improvement plan using risk principles to incorporate lessons learned and to implement the remedial actions suggested by the forensic investigation. NIST points out that the most important issues may consist of major problems (such as the need to restrict administrative privileges across the enterprise) or individually minor problems that occur repeatedly (for example, an inadequate distinction between low, medium and high-level alerts.) In parallel, corporate leadership should assess whether and how a major incident challenged the company’s prior risk assumptions, and whether they should mitigate or accept any newly identified risks.

There’s No Substitute for Victory.

As with most military campaigns, cybersecurity requires winning the daily battles while keeping an eye on not losing the longer war. In this regard, NIST recommends that organizations divide their plans into shorter-term tactical gains (such as patching systems more quickly) and longer-term strategic gains (such as adopting new security technologies). Through a cycle of continuous improvement, an organization’s cybersecurity efforts will serve as a key enabler for business success, and that spells victory.