By Torsten George

Believe it or not, a data breach when handled correctly can actually boost a company's share price. The most recent example was Adobe Systems. After disclosing that its network had been breached, information relating to 2.9 million customers was illegally accessed and source code for several of its products was potentially stolen, its stock price rose. How is this possible?

The answer is, in two words, incident management. When done right, incident response management is a valuable weapon for limiting material or reputational damages caused by data breaches.


Adobe’s response was swift and offered sufficient information about the scope of the breach, as well as measures the company had taken to minimize the impact on its user community. As a result, the company’s valuation did not suffer. In fact, Adobe’s stock price actually increased the day after the breach was announced.

So what are the steps that can boost a company's share price following a data breach?

Incident response management is an organized approach for addressing and managing the aftermath of a security breach or attack – aka an incident. The objective is to manage the situation in a way that minimizes damage and reduces recovery time and costs.

As part of incident response management, an organization should establish a policy that defines in detail what constitutes an incident and provides a step-by-step process to be followed when such an event occurs. In this context, the US-CERT and SANS Institute have assembled best practices related to the creation of an incident response team and plan.

The following four elements provide a sound foundation for creating a proactive incident response plan:

  • In addition to security and general IT staff, include representatives from legal, human resources and public relations departments on the incident response team.
  • To assure a swift incident response, develop policies, logging review guidelines, disclosure practices, tabletop exercises, compliance integration and ongoing training of users and IT staff.
  • Pre-define all actions required to respond to a security breach, covering the identification (e.g., classification criteria, forensics tools), containment, eradication and recovery steps.
  • Establish guidelines for a post-incident analysis, which is important for identifying lessons learned, document gaps and necessary enhancements using a closed-loop process.

This all sounds straightforward and should be simple to implement -- at least on paper. However, this process typically breaks down when an incident occurs and a response is required. For example, will members of the incident response team remember their duties and fellow stakeholders when they receive a call on a Saturday at 4 a.m.? The answer most likely is no.

Some of the factors that make incident response management in the field so difficult include:

  • Policies and stakeholder data exist in dispersed documents
  • Lack of notification alerts and automated escalation processes
  • Poor prioritization due to a lack of understanding of risk and business impact
  • Disconnected remediation systems
  • Missing or insufficient centralized audit trail for post-incident analysis

Obviously, relying solely on human interaction and dispersed systems can lead to major deficiencies that can slow down an organization’s responsiveness. To overcome these shortcomings and streamline the overall process, progressive organizations are automating incident response management with tools that centralize processes and create an audit trail for compliance reporting.

These tools help organizations collect data from a variety of security and IT hardware and software products as well as other applications such as spreadsheets. They can aggregate data and automatically calculate the preliminary risk and business impact, enabling an organization to prioritize the response plan actions and timing.

TorstenGeorgeIn addition, incident response automation can route and assign incidents based on type, severity or affected assets; alert the assigned stakeholders, and provide for escalation if needed. Ultimately, all remediation efforts are tracked and all of the collected data is leveraged to measure controls and policy effectiveness as part of the incident post-analysis.

Replacing manual incident response management with automated processes ultimately allows organizations to take a proactive approach if a data breach occurs. A timely, well executed response can limit or even prevent reputational and share price erosion, as we saw with Adobe.

About the Author: Torsten George is vice president of Worldwide Marketing and Products at integrated risk management software vendor Agiliance. A frequent speaker on compliance and security risk management strategies, he has more than 20 years of global information security experience. He has held executive-level positions with ActivIdentity (now part of HID Global, an ASSA ABLOY Group brand), Digital Link and Everdream Corporation (now part of Dell).