You can't predict a security disaster, but you can prepare for one. The recent revelation that an intruder stole more than 8 million Visa International Inc., MasterCard International Inc., American Express Co. and Discover credit card account numbers should fan the flames about the limits of IT security.
That's because even the best IT security works only up to a certain level. Once past that level, your defenses will be breached, either by a technical gaffe or a human miscreant. When that happens, you must be able to put a preparedness plan into action.
The plan should include the active participation of your corporate communications, legal and customer relations departments as well as your executive committee. In the wake of a breach, these people will all be turning to you, the IT folks, to tell them what went wrong and what you're doing to fix the problem. They'll also be asking you for damage assessments and reports on third-party contacts (because so much security work has been farmed out, to white-hat hackers, for example). For these and other reasons, you must have an internal and external communications plan ready for security failures.
Before you ever have a security breach, assemble the core group of specialists who are trained and prepared to deal with IT security as part of their job. Determine who among them are best suited to communicate internally with users, externally to customers and suppliers and, possibly, even to the media. Then train them. And have backup ready in case your spokesmen are away when a crisis is upon you.
Prepare procedures to alert these key contacts on what information will be available, how to get it and who will be responsible for it. Make sure there's a process for vetting information.
Match the information with the audience. In the recent breach, the credit card companies didn't publicly reveal the name of the payment processor whose security was compromised, but surely the necessary people inside the credit card companies were briefed in detail. Remember that responding to a security breakdown is an information problem as well as a technical problem. Whom you tell and what you tell them is as important as who does the telling.
In addition, security failures can quickly raise legal liability issues, as many financial services companies and health care providers have come to recognize. So it's of paramount importance for your company to speak with a chorus of coordinated voices.
A good, well-tested plan will protect your company against charges of ignoring a threat and make it easier to withstand a crisis when it occurs.