Fail to prepare, prepare to fail. The old adage still rings true when it comes to cyber incident planning and response. In today’s highly regulated world, where data breaches and service outages could cost large organizations hundreds of millions, the stakes couldn’t be higher. But while traditional tabletop exercises and simulations are important, nothing can quite replace the feeling of being at the center of an incident room when the lights are all flashing red.

One could argue that the closest thing to it, without going through an actual incident, is a false positive scenario. Maybe false positives are not such a bad thing in cybersecurity after all.

The value of response

Data breaches are a fact of life today. There’s little you can do in the long-run to stop a determined attacker, but you can minimize the impact on the organization by reacting quickly once you’ve discovered a security breach. This is where effective incident response is vital. Unfortunately, little progress has been made on implementing plans, according to our latest Risk:Value report. It reveals that less than half (49%) of global respondents have put such a plan in place — just 1% more than the 2017 report.

This is particularly bad news in light of the General Data Protection Regulation (GDPR), which mandates a best practice approach to data protection and incident response, including 72-hour breach notifications. Potentially large fines await those who fail to take their responsibilities seriously. With the average time to identify a breach standing at a staggering 163 days, it’s clear that improvements must be made across the board.

Feeling positive about false positives

But how can organizations improve? Yes, incident response plans and follow-on testing and simulations are essential. But to get a taste of how your team will react in a real crisis situation, there’s a lot to be said for false positive alarms. We’ve tried to eradicate these from security systems over the years as they can tie up resources, incur unnecessary extra costs and overheads and theoretically distract teams from real incidents.

But let’s take a more balanced view. Obviously, we don’t want false positives bombarding the IT team to the point of alert fatigue. But they do offer an invaluable way for IT to practice its response skills.

The truth is that the best incident planning in the world can’t prepare you for the stress and pressure of a real-life attack situation. Handbooks go out of the window and unpredictable events confound your best laid plans. If an attack has been spotted, do you order a shutdown or continue to monitor the bad actor? These are high stakes: potentially even multi-million dollar decisions that must be made in seconds. You simply can’t replicate this kind of human stress in structured testing. But when a false positive hits, everyone believes it’s real. You get to see how different members react, and which decisions are made, without the consequences.

The bottom line is the more you practice, the better your incident response. So of course continue to plan, test those plans and run those attack simulations and red/blue team exercises. But to really increase incident response maturity, let’s not discount the occasional false positive.