Book Review: Data Breaches: Crisis and Opportunity
Data Breaches: Crisis and Opportunity; By Sherri Davidoff. Addison Wesley Professional; informit.com; 464 pages; $44.99.
The author begins with a startling premise. Data breaches are not in the same category as other computer security incidents—they fall into an area of concern uniquely their own. Data breaches create exceptional challenges for businesses and organizations and usually generate a crisis. Improperly handling that crisis often generates long-term problems and serious disadvantages for an organization.
Understanding the phases of the crisis becomes essential in crafting an effective response. Those phases are: the Prodromal, when warnings or precursors appear; the Acute phase, when the worst events happen and the outside world reacts adversely; the Chronic, when litigation and media scrutiny escalate; and Resolution, when events and matters return to normal. The counsel of the text is to mitigate the crisis early—pay attention to early warnings and take appropriate actions quickly.
The author’s novel approach involves labeling data as “hazardous material.” Consider the impacts and the damage that arise when sensitive data falls into unauthorized hands. How caustic will that outcome be for your organization, and most important, for your customers and clients? To cope with a potential debacle, the text recommends the DRAMA model for data breach response—Develop, Realize, Act, Maintain, and Adapt.
Data Breaches: Crisis and Opportunity touches on several areas that support effective response to the crisis. Insightful advice about communications offers useful ideas. For example, specifics about crafting an effective apology receive considerable attention. Yes, an apology needs certain elements to be accepted as genuine. Keeping the public and customers informed goes beyond a technological discourse and considers the social, political, and economic factors. The author emphasizes that looking at the crisis from the public’s and the customers’ points of view builds empathy. Empathy conveys caring, which can create support.
The text also touches on technical networking countermeasures to reduce the chances of a breach. Among the topics covered are network segmentation, two-factor authentication (2FA), password management, and patching methodologies. A robust program combines both proactive technical protection and a well-developed response plan.
Obtaining a digital version of the book offers several advantages; for example, extensive hyperlinks to supporting papers, court cases, news accounts, articles, and governmental reports are available throughout the text. There is a hyperlinked index along with an excellent summary of the book’s main points in the Afterword section. The summary has links to the chapters covering each of the main concepts. Overall, the book offers much to the information security generalist requiring an introduction to data breaches and their consequences.
Reviewer: Ronald L. Mendell, CISSP, is a member of ASIS and a faculty member of the College of Information Technology at Western Governors University, where he teaches information security. He is also a consultant who writes about physical and information security.