How to Handle Common Security Events

8 minutes


Updated October 9, 2023
Now Available
Security for Everyone

🚀 As explained by Laura

Our organizations are built around sequences of events that get the job done every day, from events that happen every day like clockwork such as standup meetings, to things that happen less frequently such as hiring and onboarding a new team member.

For every activity or event that happens in our organization, there is an accompanying set of security activities we can carry out to help keep our people, systems, and data secure.

Understanding this relationship helps security become a part of your company’s rhythm, rather than a special event that happens outside of its normal operations. After all, why waste energy debating where security fits into the world if you can save a lot of sweat by assuming there is a little bit of security for every situation? Your job as a leader is to find painless ways to weave security through them.

Planned and Unplanned Events

So how do we go about understanding these events and how we can add a dash of security to them? It begins with looking at why and when these events occur and how likely we are to be able to plan for them in advance. To start, let’s look at the two types of common events—planned and unplanned.

Definition Planned events are predictable in some way. For example, if you are posting a job advertisement, you can safely assume that sometime soon you will hire someone and then hopefully onboard them to your team. You can also assume you will need to give them a device to use and provide them with tools to get the job done. Each of these processes and events has a parallel set of security activities.

Planned events will operate in repeating patterns. This means we should be able to build systems and tools to make them easier to secure and track.

Definition Unplanned Events are difficult to predict. This does not mean that they are not likely to happen, it just means that it’s difficult to know when they are likely to occur in your company.

Unlock expert knowledge.
Learn in depth. Get instant, lifetime access to the entire book. Plus online resources and future updates.
Now Available

Going back to our people security examples we used in our planned events, we consider the loss of a team member as unplanned. We know that people will leave the company but we don’t often know when that is likely to happen—especially when the loss is more than just a resignation or planned retirement. If a team member is removed for poor performance or negligent behavior, this may happen with little notice and your team will need to be prepared to move fast to secure this event.

Unplanned events are hard for us to schedule and plan for, but we can be prepared for them. We know that these scenarios are possible and can be ready, just in case.

Challenges with Triggered Security Events

This all seems quite straightforward, right? There are events we can plan for or prepare for, and so long as we are well organized, we can weave security through everything that happens in our business. It’s simple … except when it’s not. Let’s take a look at the common challenges we face with triggered security events when we’re growing.

Growth Means More Security Events

Even predictable events (hiring, promotions, etc.) can be difficult in a growing company due to the pace our worlds run at. We have the same events as any other organization, but because of the way we are funded and the ambitions we drive towards, we may experience many more of these events in a shorter time period than a more established company. Combined with relatively constrained resources and budgets, handling all of these events can be challenging enough without adding a layer of security on top.

Acknowledging this challenge doesn’t excuse us from trying, however, it just means we need to be clever with our approaches. Using automation and playbooks can make these tasks easier to complete (and sometimes automatic) and enable you to share the responsibility across the team. We’ll dive deeper into how to do that later in this chapter.

Growth Means Evolving Security Processes

Growing fast can be hard. It’s an exciting time filled with big challenges, many of which you will have never faced before. This is the entrepreneurial life.

The trouble with evolving challenges is that we have to adapt to them dynamically. Sometimes the situations and events that happen in our company are unplanned, not because they are rare, but because we haven’t reached a stage of maturity where this event happens predictively enough to be planned.

For example, the first time your organization receives a security due diligence assessment, you may have no idea where to begin. It’s likely that you won’t have well-documented processes to get the job done. The same goes for hiring. When you first started out, your onboarding process would likely have been quite informal and evolved with each person you hired.

In the growth stage, however, these processes have to mature fast. You may have to respond to lots of due diligence questions or onboard seven new team members a month. There is no time for informal processes now.

If you are at this stage, it can feel like a lot of work to define these processes, document them, and work on them as repeatable tools. It can feel unrealistic to add more layers of security into these fledgling processes, but believe it or not, this is the easiest time to add security.

Adding security from day one of a process lets the security mindset rest in the foundation of the process and grow with it as the company matures. It is much easier to tweak a small security process in a new operational process than it is to take a complex process and weave security through it at a later stage, retrofitting it where needed to those who have previously been through the process or event.

Let’s dig into some examples and make this theory into something we can put into practice.

Examples of Triggered Security Events and Playbooks

The following table is by no means exhaustive, but provides a guide to the types of events that might happen in your company that you would want to plan for. Don’t get overwhelmed, there are a lot of them (and I’m sure you will think of more)—remember that a lot goes on in your growing business, so it’s not surprising that there is a lot of security to consider on the way.

For each of these, you would list the associated actions, procedures, or playbooks that should form part of your response. For example:

EventSuggested Actions
A new device is acquired1. Record the device in the asset register.
2. Assign the device an owner.
3. Provide secure storage guidance to the new owner.
4. Configure the device with appropriate security controls or hardening.

See the table of ISO domains for a refresher on what each area covers.


Table: Some Common Triggered Security Events

Security policyPlannedA new policy is developed
UnplannedA policy changes
Organization of information securityUnplannedA new risk is identified
UnplannedAn existing risk changes
PlannedA new leader joins the organization
UnplannedA change in the economic environment
Asset managementPlannedA new device is acquired
PlannedA device is decommissioned
UnplannedA device is lost or stolen
Human resources securityPlannedAn employment offer is made
PlannedA new person starts
Planned/UnplannedSomeone changes roles
Planned/UnplannedSomeone leaves the organization
Physical and environmental securityPlanned/UnplannedSomeone visits your office
UnplannedAn alarm triggers
Communications and operations managementPlannedA new tool is selected
Planned/UnplannedData is shared internally
Planned/UnplannedData is shared externally
Access controlPlannedSomeone requests admin permissions
PlannedSomeone requests access to an additional tool or datastore
UnplannedUnexpected access reported
Information systems acquisition, development, and maintenancePlannedA new product idea is suggested
PlannedA change is made to some existing code
PlannedSystems are used in a new way
UnplannedA new security update is available
PlannedCode is deployed to production
PlannedA system component is deprecated
Information security incident managementUnplannedSecurity notification from vendor
UnplannedSecurity notification from open source
UnplannedSecurity notification from customer
Business continuity managementPlannedA new system is deployed
PlannedChanges in the business or operating environment
CompliancePlannedCustomers acquired in a new region
PlannedBusiness expands into new area

At the risk of sounding like the detective from a black-and-white movie, the key is that as a leader, you need to “expect the unexpected.” While this doesn’t always feel like something you can plan for, there are many common planned and unplanned security events that happen in most companies.

Just having a plan or process for these common events can put you a long way ahead when it comes to repeatable security processes and can allow you more time to think. This way you can focus on anything truly unexpected that happens.

Your Calendar of Security Activities9 minutes

🚀 As explained by Laura

Unlike triggered security events that are linked to operational events in our business, security also requires a set of events that happen outside of the core operations and are purely in the security domain. We call these ongoing security activities (or scheduled security activities).

Our ongoing security activities can be laid out as a calendar across the year, with some activities needed more frequently than others. Unsurprisingly, our calendar will contain daily, monthly, quarterly, and annual activities, and may be expanded with more custom intervals that suit your organization’s needs.

You’re reading a preview of an online book. Buy it now for lifetime access to expert knowledge, including future updates.
If you found this post worthwhile, please share!