Infosec teams must be allowed to fail, argues Gartner

Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks, according to Gartner analysts Chris Mixter and Dennis Xiu.

In their keynote at the firm’s Security & Risk Management Summit in Sydney, Australia, today, VP analyst Mixter and director analyst Xiu argued that no amount of effort can prevent infosec incidents, and the quality of organizations’ response is a more appropriate measure of an infosec team’s effectiveness than expecting they will never fail to fend off the never-ending torrent of attacks.

“Adrenalin does not scale,” Xiu told the event – a reference to the practice of infosec teams responding to incidents by attacking them without a rehearsed plan.

Relying on adrenaline also means the business assumes infosec teams are capable of heroic effort, motivated by the fear that cyber attacks create personal consequences of being fired or even prosecuted.

“We cannot allow this persecution mindset to persist,” Xiu argued. “If we do, our mindset will not change.”

Mindset change is needed, the pair contend, because most organizations are immature in terms of their incident response capabilities.

The two analysts therefore counselled infosec pros to work with the business, to develop recovery plans based on tolerable impacts, as doing so helps infosec teams to prioritize investments.

When incidents occur, those discussions also make it easier to explain the infosec team’s response – which could include a recommendation to take down systems that have not been impacted. Such recommendations will likely generate pushback, but preparing the ground makes it easier to handle such objections.

The pair recommended extensive rehearsal for recoveries – especially for incidents caused by third parties, as they are the root cause of most cyber attacks.

Developing recovery playbooks and practising their execution will help to keep infosec teams effective – by making heroic action less necessary and by allowing cyber security practitioners to follow processes they have rehearsed.

Better mental health can result, they argued. In a later session, Gartner’s senior director of research – and content leader of its cyber security research team – Christine Lee made a similar case.

Lee characterized burnout as a debilitating state that leaves workers unable to do their jobs – not mere tiredness. She said infosec workers can experience post-traumatic stress disorder after responding to incidents and become prone to health issues.

She therefore suggested that incident response plans must create at least two teams who work on strictly defined shifts, so that incident responders get proper rest. She also advocated for chief information security officers to be trained to detect signs of stress so they can manage incident response teams more effectively. Lee also advocated for mental health debriefs to become part of post-incident assessments.

In another conference session, senior principal analyst Alex Michaels suggested infosec teams could even consider hiring behavioral psychologists to help them understand the mental state of their staff and attackers. Doing so, he proposed, could even help orgs to overcome shortages of staff with infosec skills.

Perhaps counterintuitively, Mixter and Xiu called for infosec teams to acknowledge more incidents – a conscious inversion of the “days since last incident” metric used to indicate observance of safety procedures in many industries. The analysts said that reporting even small events can see teams take pride in being able to continuously, and calmly, cope with infosec issues.

It also creates more opportunities to hone their recovery routines, which in turn means more opportunities to innovate – demonstrating that the org is constantly working to improve cyber security and is not deserving of censure when incidents emerge.