Hi. Welcome back to sessions on security incident management. This final one is going to be on lessons learned. I'm Ralph O'Brian, and lessons learned. Yes, plan, do, check, act. Our entire course is built upon plan, do, check, act. This one is on lessons learned. It's about taking the privacy program that you've got and learning from it, improving on it over time. In terms of GDPR, there are accountability requirements, and learning what you can from the environment you have. In this last section here we've assessed, we've detected, we've responded. Now it's a case of getting as much information as we can out of it to improve. This is where accountability comes in within the GDPR. Under the GDPR, you are using the results of everything you do in order to improve. Not just on the privacy side, on the security side itself. Obviously, there are things we know and things we don't. I love this old Donald Rumsfeld quote: "There are known knowns. There are things that we know that we know. There are known unknowns. That is to say, there are things we know we don't know, but there are also unknown unknowns. Things that we don't know that we don't know." I love that quote. But it just shows that there are things that you know, things that you don't know, and you can't improve what you don't know about. Whenever I talk to security professionals or senior management, they always look at me with alarm when I suggest that perhaps in year 1 of your security program, an objective could be to have more security incidents. Not breaches, incidents. We've talked about the difference. A breach is a confirmed disclosure or a difficult situation, but you certainly want incidents recorded. This is the conversation that we have. We have a conversation where I say, "Hey, you want to see a great rise in the number of security incidents." The management go, "Crazy, no, of course we don't want that. We don't want to know about more security incidents," and I say, "Yes, you do." The problem is you are having them. 
You just don't know whether you're having them. You're not learning the lessons you can learn from intercepting things early. You're making it more likely you're going to have that big breach by not understanding where you are today. In year 1 of your security program, you actually want a great rise in security incidents. That's not a bad thing. Breaches we want to go down eventually, sure. You actually want to know your environment. You want to understand your environment. The problem is, where most management is, they don't know what they don't know. They don't want to know sometimes. They're quite happy not to know. When they know, they have to do something. That's the problem. That's what's difficult for management. Sometimes they don't want to know, because then if they know about it and it can be proved that they knew about it, they would have had to take some action, some response. This is all about transparency, it's all about knowledge. It's all about using that check phase to get as much understanding of our security as we can in order to take action. In order to improve it. Whilst a security incident is happening, there are plenty of recovery progress updates. To start off with it might be hourly. They might need hourly check-ups, especially during the first few days or first few hours. You're definitely going to need an hour-by-hour update of what's going on. That might eventually stretch and become days, weeks, perhaps monthly as the crisis abates and you head back to normal and you end up in more business-as-usual type activities. It's worth doing a bit of analysis on what you could have done better. Most importantly, what it cost. People often think about security incidents in terms of costs now; the focus is often on regulatory fines. Regulatory fines to me are only a part of the cost. These things cost to manage. Media, PR, communications, business disruption, the recovery, the fix itself, technology changes, legal advisory. 
You might need to offer people money, or remediation, or give them credit monitoring or some offer to the individuals. There's the loss of productivity, there's reputational loss. You could get hired-in consultants. You could be having plenty and plenty of costs here. There are hidden costs as well as the direct cost of the breach. It's important to try and quantify somehow: how much is this costing? Why? Again, so we can look at the ways we can reduce it in the future. We can make it more efficient in the future and try and get those continual improvement opportunities. How often do the incidents occur? What type of incidents are they? When do they happen? Who's been responsible for them? I'm not about a blame-style affair. What I'm talking about is: is it lack of training? Is it a certain division or a certain department? Is it because they haven't had the training? Or they haven't got the resources? Or they don't have the tech? Is it because you haven't encrypted stuff? Why is it happening? Who's responsible? What harms are we producing? How are we setting up people? How can we protect them from harm? Remember, data protection is ultimately about protecting the individual from harm. Did we fix the problem? Did we fix its root cause? Or did we only fix a symptom? Sometimes we're very prone to show that it's been sticking plasters over a symptom and not really addressing the root cause. Have we addressed the root cause? What about the incident management itself? Did that work? How could we manage it differently the next time? What actions could we take not only to prevent this incident from occurring again, but to prevent it reoccurring? Not only to patch the hole, but to stop that vulnerability completely in the future. There are a number of different things we can learn from this. That section on security incident management is done. Note in there. 
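To make the review questions above concrete, here is a small added Python example (mine, not from the session) that records incidents with the cost categories the session lists and answers how often they occur, what type, which department, which root cause, whether only the symptom was fixed, and what share of the total cost the regulatory fine actually is; the incident records are constructed sample data, not figures from the session.

```python
from collections import Counter
from dataclasses import dataclass, field

# Cost categories the session lists; a regulatory fine is only one of them.
COST_CATEGORIES = ("regulatory_fine", "media_pr", "business_disruption",
                   "recovery_fix", "technology_changes", "legal_advisory",
                   "individual_remediation", "lost_productivity", "consultants")

@dataclass
class Incident:
    incident_id: str
    kind: str               # e.g. "misdirected_email", "lost_device"
    department: str         # where it happened (for training/resourcing, not blame)
    root_cause: str         # e.g. "no_training", "no_encryption"
    breach: bool            # confirmed disclosure, as opposed to a mere incident
    root_cause_fixed: bool  # was the cause addressed, or only the symptom?
    costs: dict = field(default_factory=dict)  # category -> amount

def total_cost(inc):
    """Direct plus hidden costs of one incident, across all categories."""
    return sum(inc.costs.get(c, 0) for c in COST_CATEGORIES)

def fine_share(incidents):
    """Fraction of the total cost that is regulatory fines."""
    total = sum(total_cost(i) for i in incidents)
    fines = sum(i.costs.get("regulatory_fine", 0) for i in incidents)
    return fines / total if total else 0.0

def lessons_learned(incidents):
    """The session's review questions: how often, what type, where, why, was the cause fixed?"""
    return {
        "incidents": len(incidents),
        "breaches": sum(1 for i in incidents if i.breach),
        "by_type": Counter(i.kind for i in incidents),
        "by_department": Counter(i.department for i in incidents),
        "by_root_cause": Counter(i.root_cause for i in incidents),
        "symptom_only": [i.incident_id for i in incidents if not i.root_cause_fixed],
        "total_cost": sum(total_cost(i) for i in incidents),
        "fine_share": round(fine_share(incidents), 2),
    }

# Constructed sample records for illustration (hypothetical values).
SAMPLE = [
    Incident("INC-1", "misdirected_email", "sales", "no_training", False, True,
             {"lost_productivity": 500}),
    Incident("INC-2", "misdirected_email", "sales", "no_training", False, False,
             {"lost_productivity": 500}),
    Incident("INC-3", "lost_device", "field_ops", "no_encryption", True, False,
             {"regulatory_fine": 20000, "legal_advisory": 15000, "media_pr": 8000,
              "individual_remediation": 30000, "consultants": 12000, "recovery_fix": 5000}),
]
```

Run `lessons_learned(SAMPLE)` to see that the fine is under a quarter of the total cost and that two of the three incidents only had a symptom patched.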
Don't forget the four stages of incident management. It all comes down to knowing the difference between incidents and breaches, educating people, having the right plans in place, learning and improving, and making sure of your forensic readiness. Hopefully keep hold of the evidence if it goes to a court of law. The next section we're doing, the final section of the course, is about the Act phase, if you like. Performance management. We've done the plan and the do; we're now into the check and the act. Now we've got our privacy program. How do we monitor, measure, and improve it?