Incident or Accident
I’ve spent the last 47 years in cybersecurity defending one of the most attacked critical infrastructure companies in the world: Israel’s Electric Corporation – IEC.
In this blog, I would like to share with you an idea that will help you improve your company’s cyber sturdiness and eliminate the possibility of a cyber incident.
The difference between cyber incident and accident
Let’s agree on definitions before I make my point that you as a cyber professional must erase from your vocabulary cyber “incident.”
My distilled definitions of accident and incident are based on Wikipedia and are as follows:
Accident: An unplanned, unfortunate event resulting in loss or harm
Incident: Any event, whether positive or negative; planned or unplanned
Therefore, an accident is in a subgroup of the incidents group. Now allow me to explain my attitude about these two terms.
The problem with “incident” versus “accident”
The definition of an accident as always being “unfortunate” is wrong.
Every accident of which I am familiar was the result of human error – or intent. Let’s also consider the ability to influence an accident: its frequency, intensity, consequences, and outcomes. Again, with any accident of which I am familiar the involved entities had the ability to influence the accident before it happened: sometimes to the positive and sometimes to the negative.
The wrong perception of “incident”
The term “incident” creates the perception of an undefined situation that could be positive or negative, leaning toward the prior. There is no focus on the culprits or victims. What is in focus is an event. “Something” happened. No cause. No accountability. Much is left to our imagination.
Accident, on the other hand, creates the perception of irresponsibility, negativity, accusation, and lack of control.
Is it a cyber “incident” or “accident?”
Incident is the term commonly used in cyber events – “cyber incident.” I propose that most cyber “incidents” should really be labeled “accidents” and here’s why:
In the case of a cyber compromise, there is some portion of irresponsibility, lack of accountability, and deficiency in preparedness on the defender’s side.
Incident does not motivate anybody to act differently, to feel responsible, or to improve and bridge the various (and obvious) gaps. Calling them “incidents” is a convenient way to calm the conscience.
If we were not prepared, it would be an accident. Yes, accident. Calling it this is much more shocking and will impel us to action to improve what needs improvement to be better prepared for future cyber attacks.
If or When?
The cyber experts frequently say, “The question of being compromised isn’t a matter of IF but WHEN.” I agree, but the much more relevant question you should ask yourself as a manager is HOW?
How can my organization be better prepared, sharper and more successful in the next accident?
It’s not simple, but it is achievable.
We just need to broaden our questions and ask ourselves how can we improve our:
- cyber maturity
- cyber organization
- cyber risk management
- cyber integration
- cyber validation & test abilities
- decision accuracy
- cyber professionality
- cyber awareness
Or in one question to encapsulate all 8 of the above:
How can we improve our Cyber Sturdiness?
Israel Electric Sophic suite and 25 years of battle-proven experience combined with Cybergym’s training can help your company achieve cyber sturdiness to identify and mitigate attacks to prevent “accidents”.
Let’s audit your cyber readiness…