How to define a security incident

Do we need to do a better job of understanding exactly what a security incident actually is? Davey Winder takes a look...

The really big question hiding in amongst all of this is do we actually need to define what a security incident is in order to secure the enterprise? 

I asked Amichai Shulman, CTO Imperva, who said a definite "Yes" and argued that the enterprise cannot "just place equipment and hope for the best."

The same question aimed at Paul Boam, operations director of data, ICT and security consultancy, Auriga (who was invited to develop Parliament's first Information Security Policy by the Director of Parliamentary ICT) garnered a different answer. "No," he says. "The definition of a security incident is irrespective of the corporate risk management stance you choose to take and the underlying enterprise architecture that supports your organisation's business process."

If anyone could provide the definitive answer then surely it would be Brad Cox who has held a number of roles within the UK Ministry of Defence including operational lead in the Defence Computer Incident Response Team. His answer wasn't what I expected though. "The simple answer to the question is no," Cox says "and yes."

Advertisement
Advertisement - Article continues below

Thankfully he did explain this ambiguity further. "A bastion defence focused entirely on preventing or rapidly curtailing cyber attacks, with no view on learning and improving, is likely to be of limited and decreasing value over time," Cox claims. "To secure an enterprise' implies that a secure' enterprise is a static and enduring state to which organisations should aspire. Sadly, that doesn't reflect the reality of security in cyberspace - nor any other space for that matter."

So, to sum up then, has it been possible to come up with a clear and broadly agreed definition of 'security incident' as it applies to the enterprise space after all this digging and debating? I think it has, and that's a good job as Sun Tzu famously said "If you know the enemy and you know yourself, you need not fear the result of a hundred battles."

Or to put it another way, you can't defend what you can't see "or understand" as Jonathan Martin reminded me. In order to understand we need to define and Kurt Hagerman came up with the most rounded blanket definition methinks: "A security incident is any kind of action that results in a change to a known good state."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019