The Case for Lean Incident Response

“A Verizon Data Breach Report found almost 90% of point-of-sale (PoS) intrusions saw data exfiltration just minutes after compromise.  Any delay in incident response, therefore, literally means more lost records, revenue and customer goodwill.” [1]

Business Processes Halted, Customer Data Gone.  The Case for Lean Incident Response.

A number of technologies and tools propose technical improvements to incident response.  Yet without an organized, well-rehearsed procedure in place, the incident response process will miss expectations.  Every moment counts in containing an active intrusion, and squandered seconds can have disproportionate effects on overall information security risk and consequences.

While the Target data breach in 2013 was a watershed moment and significantly raised awareness about data security, the number of breaches and amount of data stolen continues to grow.  In the first three months of 2016 alone, there have already been 155 breaches compromising at least 4,314,045 records. [3]

Cyberattacks can compromise personal and business data, and it is critical to respond quickly and effectively when security breaches occur.  A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.  Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

An effective incident response helps minimize the loss of sensitive information and the disruption of business services.  Incident Response (IR) procedures provide detailed steps for responding to an incident.  The procedures cover all phases of the incident response process, and should be tightly linked to an incident response policy and plan. [4]

Cybersecurity professionals have mined another recent major incident – the hacking of Sony Pictures in 2014 – to find lessons learned and make adjustments.  When news of the Sony Pictures breach started to leak, the company’s response demonstrated a lack of planning.  Actions taken were sometimes contradictory or inflammatory.  In short, the company clearly lacked an appropriate incident response plan. [5]

"The weaknesses you see at Sony and other companies, large and small, can't be fixed by installing one more firewall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging." [6]

- Paul Barrett, Bloomberg Business

Making Incident Response Lean

Knowing the key activities that must be performed in the event of an incident and performing them quickly can make all the difference between an incident and an actual breach with a loss of critical data or intellectual property.  So what can a business do to avoid such a situation?

Lean principles should be part of the solution to design an efficient and effective incident response program.  Although the concept of Lean seems simple, its implementation can be daunting.  It involves adopting a set of principles to enable the elimination of waste from any process within the organization, while also driving the right behaviors from team members. This is an ambitious goal, and a proven way to achieve results. Key elements that should be considered within any Incident Response (IR) assessment:

  • Identify Incident Response Value: Who are your customers and what do they really care about?
    • It starts with identifying the systems you are trying to protect and the business users and customers who would be impacted in the event of a compromise.  Wearing a customer lens when engaging the business will help you gain their support for incident response plans, policy, and the funding needed to sustain incident response capabilities.
    • Today’s business processes rely on uninterrupted IT services – during an incident response, every minute of network downtime directly impacts business operations.  For consumers, recent data hacks and breaches, especially at government agencies and financial websites, continue to intensify public worries about data privacy and security.  A recent study from SAS, “Mobility, Vulnerability and the State of Data Privacy,” reports that 63% of respondents say events like these have heightened their concerns about mobile payments. [7]
  • Eliminate Waste in the IR Process: What activities are not adding value to your customers?
    • Understanding what value means to your customers should serve as your destination. Tracing all the activities that lead to creating value for your customers will help you identify which activities are non-value added.  These non-value added activities are considered to be “Muda” or waste.  A perfect process is considered one that has zero waste, which is what every organization should aspire to achieve.  Update your IR plan to eliminate waste activities.
    • Take the Sony breach for example – 25 million customer data sets were stolen undetected.  The Global Cyber Security Center (GCSEC) states that this was due to the fact that both internal incident response plans and security assurance practices proved to be ineffective.  Too much time passed between intrusion detection and the acknowledgement that millions of records were stolen. [8]  The dead time that prevented value creation is an example of waste.
  • Standardize IR Procedures: How do you consistently deliver value to your customers?
    • Often overlooked by many organizations, standardization is the mechanism through which your business will be able to consistently deliver value to its customers. Standardization means that after having eliminated waste from your process, every single team member who is responsible for playing a role in the process knows exactly how to perform it, when to perform it and why. An IR plan cannot be improved without first being standardized.
    • The Target breach tells a story similar to that of Sony.  In this case, the intrusion was detected and security teams were alerted – yet the organization stood by, watching 40 million credit card numbers leave their network before they intervened.  The initial alert was missed and there was not a standard response plan in place. [8]  In the hours and initial couple of days after a breach has been discovered, there is usually only one priority: Fix the breach, at all costs. Stop the bleeding.  This is a fine approach for the technical team. However, others in your organization need to at least be activated to begin planning a communications approach that keeps all stakeholders informed. Witness the somewhat haphazard way in which Target disclosed the breach. Were PINs compromised, or just payment card numbers? Were PINs leaked? Were encrypted PINs leaked? Was anything leaked? The story seemed to change as the situation developed. That's a symptom of an incomplete crisis communications plan. [9]
  • Seek Perfection: How do you adapt to an ever changing technology landscape?
    • The value of regular, well-planned exercises of IR capabilities cannot be overstated.  Teams that can recognize the confusion and “fog” that develop in the opening moments of an incident are better prepared to cut through it and move into familiar, rehearsed procedures that guide action.
    • Conduct simulations based on a combination of commonly occurring incidents and the most recent intrusion techniques.  Record learnings from the results of the simulations and refine IR processes so the IR team is prepared for similar incidents.
    • Metrics can objectively measure process effectiveness. Take the time to make sure you are measuring the right value creation points in the process.  How do you know if you are getting better and if the process is working?
    • Kaizen events can continuously improve processes and systematically identify and reduce waste.

Kaizen for IR

Kaizen is an approach to implementing rapid improvements and can be done as an event or “blitz.” North Highland uses the following approach when conducting Kaizen events to identify opportunities for improvement and stay relevant in the ever changing cybersecurity landscape:

Key success factors include:

  • Understanding Current Value Stream
    • Senior Managers and Executives should not use this activity (value stream map creation) as an opportunity to create blame.  The map must be drawn by the people who perform the process and not by their managers or other individuals who think they know the process. This will ensure:
      • The greatest level of accuracy, which uncovers nuances with how the process is really performed (which may be different from what their managers and other people think).
      • A sense of ownership by the people who perform the process on the lean exercise being performed and the solutions created.
      • This approach also tends to get the team through the exercise more quickly than the alternative, in which you draw the map while they dictate.
  • Capturing Baseline
    • Baseline information may not be readily available and so the team needs to think hard about what they currently have that will allow them to measure how they are currently performing their process. If you don’t have any measures for your current state process then how will you know if you have improved on it?
    • Consider analyzing data that may exist within incident management tickets that were created to solve incidents. This approach will allow you to gain valuable insights and separate facts from opinions or biases that team members may have. 
  • Identifying Symptoms & Root Causes
    • Senior Managers and Executives need to step back and let the people work through the activities. If the leaders are in the room they should be coached to say to their people, “It’s ok! Go ahead and say it like it is and reveal all the issues you are experiencing.” If you think this would be hard for the leader to do, then ask the leader not to be present during the value stream mapping exercise.
    • The objective here is to identify the root causes of the problems that are encountered. For example, many of the problems identified may be caused by the same issue.  As a result, it is important to spend a good amount of time sorting and analyzing the problems identified. Not doing so properly can allow some of the problems identified to persist in the new process created. You have to identify the real problem first before you can fix it.
  • Creating a Hypothesis
    • Focus effort to formulate plans that address the biggest problems as 80% of problems are generated by 20% of the causes.
  • Creating Future Value Stream
    • Have the process performer create the updated value stream map and then have them walk through and validate the new map with the entire team.
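The “Capturing Baseline” step above and the earlier “Seek Perfection” point about measuring the right value creation points both depend on turning incident tickets into numbers.  The following Python script is an added example, not part of the North Highland paper: it reads a constructed export of incident tickets, computes the median minutes spent in each phase from first alert through acknowledgement, declaration and containment, and reports which phase holds the most elapsed time, the dead time the paper identifies as waste.  The ticket field names, phase boundaries and sample timestamps are assumptions made for this example; tickets whose timestamps run backwards are rejected, since a baseline built on bad data is worse than none.

```python
"""Baseline IR metrics from an incident-ticket export (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List

# Timestamp fields in the order an incident passes through them.  These field
# names are assumptions for this example, not any ticketing product's schema.
TIMELINE = ("first_alert", "acknowledged", "declared", "contained")

# Each phase is the gap between two consecutive timeline fields.
PHASES = [
    ("alert_to_ack", "first_alert", "acknowledged"),      # alert sits unowned
    ("ack_to_declared", "acknowledged", "declared"),      # triage to formal declaration
    ("declared_to_contained", "declared", "contained"),   # the IR plan in action
]


@dataclass(frozen=True)
class IncidentTicket:
    ticket_id: str
    first_alert: datetime   # detection tooling raised the alert
    acknowledged: datetime  # an analyst took ownership of the ticket
    declared: datetime      # the event was declared an incident under the IR plan
    contained: datetime     # attacker access to the affected systems was cut off


def parse_ticket(record: dict) -> IncidentTicket:
    """Build a ticket from one export row, rejecting timelines that run backwards."""
    times = {name: datetime.fromisoformat(record[name]) for name in TIMELINE}
    ordered = [times[name] for name in TIMELINE]
    if ordered != sorted(ordered):
        raise ValueError(f"{record['ticket_id']}: timestamps are out of order")
    return IncidentTicket(record["ticket_id"], **times)


def phase_minutes(ticket: IncidentTicket) -> Dict[str, float]:
    """Minutes spent in each phase for a single ticket."""
    return {
        name: (getattr(ticket, end) - getattr(ticket, start)).total_seconds() / 60
        for name, start, end in PHASES
    }


def baseline(tickets: Iterable[IncidentTicket]) -> dict:
    """Median minutes per phase, and which phase dominates the elapsed time."""
    per_phase: Dict[str, List[float]] = {name: [] for name, _, _ in PHASES}
    dominant_counts = {name: 0 for name, _, _ in PHASES}
    totals: List[float] = []
    count = 0
    for ticket in tickets:
        count += 1
        minutes = phase_minutes(ticket)
        for name, value in minutes.items():
            per_phase[name].append(value)
        totals.append(sum(minutes.values()))
        # The phase holding the most time in this ticket is its waste candidate.
        dominant_counts[max(minutes, key=minutes.get)] += 1
    if count == 0:
        raise ValueError("no tickets: nothing to baseline")
    medians = {name: median(values) for name, values in per_phase.items()}
    return {
        "tickets": count,
        "median_minutes": medians,
        "median_alert_to_contained": median(totals),
        "largest_median_phase": max(medians, key=medians.get),
        "dominant_phase_counts": dominant_counts,
    }


# Constructed sample export of three tickets; not real incident data.
SAMPLE_EXPORT = [
    {"ticket_id": "INC-0001", "first_alert": "2016-03-01T02:00:00",
     "acknowledged": "2016-03-01T02:10:00", "declared": "2016-03-01T09:30:00",
     "contained": "2016-03-01T11:00:00"},
    {"ticket_id": "INC-0002", "first_alert": "2016-03-04T14:00:00",
     "acknowledged": "2016-03-04T14:05:00", "declared": "2016-03-05T10:00:00",
     "contained": "2016-03-05T12:30:00"},
    {"ticket_id": "INC-0003", "first_alert": "2016-03-10T23:30:00",
     "acknowledged": "2016-03-11T08:00:00", "declared": "2016-03-11T08:20:00",
     "contained": "2016-03-11T09:05:00"},
]


def sample_baseline() -> dict:
    """Baseline for the constructed export above."""
    return baseline(parse_ticket(row) for row in SAMPLE_EXPORT)


if __name__ == "__main__":
    result = sample_baseline()
    for phase, minutes in result["median_minutes"].items():
        print(f"{phase:>22}: median {minutes:7.1f} min")
    print(f"median alert-to-contained: {result['median_alert_to_contained']:.1f} min")
    print(f"largest phase (waste candidate): {result['largest_median_phase']}")
```

Run against the sample export, the median gap between acknowledgement and declaration dwarfs the other phases, which is exactly the kind of fact that settles the “opinions or biases” question the Kaizen step warns about: the team can then map that phase in detail and decide what in it is waste.  The same per-phase medians, recomputed after each Kaizen event, serve as the metric for whether the process is actually getting better.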

Sustaining a lean IR program requires continuous problem solving by everyone on the team, not only when Kaizen events are scheduled. This change in mindset means each team member sees problems as treasures and brings attention to them upon identification. The goal for the team should be to design a sustainable rigorous problem solving process that provides the means to experimentally test any proposed changes.  This will allow the team to learn from the experiments and adjust the IR value stream on an ongoing basis.

Applying lean principles to IR can help security organizations discover ways to improve reaction time.  Improving reaction time decreases the consequences of a cybersecurity event, leading to a better prepared organization:


Without an organized, well-rehearsed procedure in place, the incident response process will not deliver expected value.  Key Lean principles should be part of the solution to design an efficient and effective incident response program.  Although the concept of Lean seems simple, its implementation can be intimidating.  From identifying value to developing the right metrics for IR to change management that supports transformation of security operations, your business has an opportunity to drive waste out of its Incident Response procedures.  The result is a faster response that can significantly diminish the risk of sensitive employee and customer data loss, as well as risks to brand and reputation. 

For more information, please contact:

Mark Resnik

Cybersecurity Expert Practitioner

+1 704-840-1820


Shanil Amalean

Lean Expert Practitioner

+1 704-910-8505


  1. SC Magazine, “Incident response - time is of the essence.”
  2. National Institute of Standards and Technology, Computer Security Incident Handling Guide.
  3. Identity Theft Resource Center, Data Breach Report.
  4. NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide.
  5. We Live Security, “The Sony Pictures Hack: 5 short sharp lessons we all can learn.”
  6. Bloomberg, “Forget the Gossip, These Are the Lessons of the Sony Hack.”
  7. Press Release Rocket, “SAS Research: Data Security Not a Digital Deterrent for Consumers.”
  8. ITProPortal, “A race against time: How late is too late in incident response?”
  9. CIO, “4 Lessons CIOs Can Learn From the Target Breach.”
  10. American Bar Association Annual Meeting, “Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked.”
