RadarFirst Blog

Is Your Incident Response Process- or Outcome-Oriented?

Highlights:

  • Why organizations focus on process
  • Finding success with an adaptive incident response process
  • Analysis and consistency are critical in preventing future failures


Processes in business are important. Organizations need established systems, structures, best practices, and protocols for efficiency and consistency — and to help keep things running smoothly in general.

In every industry, privacy and security incidents — and adherence to the multitude of data breach notification regulations — can indeed be chaotic. In incident response management, processes can help tame the chaos of global breach notification laws.

Duncan Milne, Risk & Compliance Director for a health insurance company, posits that one way to cut through the chaos is to shift compliance program mindsets from a singularly process-oriented approach to an outcome-based perspective. In his article published in the Compliance & Ethics, Milne writes that organizational behaviors such as an overemphasis on internal reporting, overly prescriptive compliance frameworks, and process-based rather than risk-based approaches to data breach compliance may negatively impact compliance teams’ ability to provide value to their organization.

Why Organizations Focus on Process

According to Milne, many modern regulators are moving toward principles-based regulation, where they are asking organizations to be more focused and concerned about the impacts or outcomes on end consumers.

“Compliance officers can fall into the trap of measuring the input — how many reports or spreadsheets did I issue, how many training sessions did I run — rather than the output and whether it is actually having any positive impact on the business.”

The Department of Justice emphasizes the need for the compliance program to “work in practice,” and many regulators, both domestically and internationally, are moving towards more principles-based regulation, where they are concerned less with prescriptive rules. In 2020, the DOJ amended its position to reflect the government’s expectation that compliance programs should constantly evolve.

Outcome-minded Evolution

Like all business processes, an over-emphasis on internal reporting can get in the way of teams providing expertise in their field. Compliance leaders should be aware of how much time their teams spend repackaging information into reports and look to provide balance for teams who are spread thin amid new and changing regulations.

For global organizations especially, an outcome-oriented approach may allow team members to arrive at the same conclusions with a degree of flexibility in their methods, while still reaching the desired outcome, perhaps in a more efficient manner.

And that’s what most organizations seeking to operationalize their incident response practices and risk assessment process are looking for: implementing best practices to gain efficiency.

How an organization manages its response to privacy and security incidents determines the level of risk to its business, brand, and customers. To be successful, companies must develop an incident response process that accounts for the evolving nature of threats, copes with limited resources, and complies with complex breach notification laws.

Take it from Andrew Migliore, vice president of engineering and security officer at RadarFirst: “In the world of privacy and security, you can’t manage what you don’t measure. The overall goal should be reducing the overall time it takes for security and privacy to perform the handoff and a privacy risk assessment to be performed.” He outlines these incident response metrics:

  • Mean time to detection (MTTD): Average time it takes from incident occurrence to detection
  • Mean time to assessment decision (MTTAD): Average time it takes from assessment to make a breach or no breach notification decision
  • Mean time to notification (MTTN): Average time it takes to notify after the first decision is made

Privacy compliance is about more than breaches, and incident response management is about more than processes. At the end of the day, it comes down to your consistency and the process involved in getting the job done.

Analysis + Consistency = Predictability

One thing we all want to avoid: preventable failures in predictable operations. In the Harvard Business Review, Amy C. Edmondson recommends that leaders build a learning culture that entails “consistently reporting failures, small and large; systematically analyzing them; and proactively searching for opportunities to experiment.”

When it comes to incident response management, we know that best processes lead to best outcomes. Precision, consistency, efficiency, and rules are all elements of Radar, privacy incident response management software, which performs comprehensive risk assessments. Radar determines when a privacy or security incident is notifiable under current data breach regulations and provides all the necessary documentation to support an organization’s burden of proof obligation under federal, state, and international breach laws.

If you leave the incident management heavy-lifting processes to Radar, you may find that you actually have more time to provide value and drive meaningful change across organizations.

How do your processes compare against your industry peers and others?

Learn more about how mature your privacy incident response process is and where you might examine your operations or apply additional resources via the 2021 Privacy Incident Benchmark Report.
