Selecting a Breach Resolution Vendor: Asking the Right Questions, Getting the Best Price
"The time to select a vendor is before you need one," says Peterson, chief technical officer at ACR 2 Solutions. "Any company can be breached, and for some firms, an information security breach is probably at least as likely as a major fire. You don't wait until the office is filled with smoke to place your fire extinguishers."
Partnering with a breach response services vendor is important, Peterson says, because "they bring a level of credibility that is difficult to equal by the company that potentially lost the customer data."
In an interview, Peterson:
- Recommends asking potential vendor partners tough questions, including: How do you plan to estimate the real risks to my clients from a potential breach? How do you plan to estimate my organization's potential liability?
- Advises that to negotiate the best price for breach resolution services, the best first step is "to put your company in a solid information security status" by conducting a risk assessment and implementing appropriate controls. That way, your organization can narrow down the post-breach services it would need.
- Stresses that organizations that have experienced a breach caused by willful neglect should "aggressively deal with the breach and fix the vulnerability that was exploited. This is no time to drag your heels and try to minimize your costs."
Peterson is the chief technical officer at ACR 2 Solutions, which provides information security risk assessment and risk management software to the financial and medical industries. In 2006, he created an expert system computer model of the NIST 800-30 risk assessment protocol for use in the banking industry. In 2009, he created a HIPAA version of the risk management software based on NIST 800-66. He holds three U.S. patents and was awarded the American Consulting Engineers Council Grand Award for Engineering Excellence.