The Incompleteness Theorem: Why Every Organization Needs an Incident Response Capability


Some cybersecurity experts may already be familiar with the Incompleteness Theorem, which Stanford University counts among the most important results of modern logic. What you may not have considered are its implications for the ubiquitous need for incident response.

Published in 1931 by the mathematician Kurt Gödel, the Incompleteness Theorem established that in any consistent formal system (one free of contradictions) that is powerful enough to express basic arithmetic, there are statements that are true but cannot be derived from the rules of the system. In other words, the system is incomplete. Simply adding new rules to capture newly discovered truths, or even rules about rules (meta-rules), does not solve this problem: if the expanded system is still consistent, the theorem proves that it, too, cannot be complete.

The Incompleteness Theorem in Terms of Cybersecurity

For any information security system, meaning a collection of policies and controls, that is designed to protect against all known attacks, exploits, intrusions, and breaches, there are incidents that system cannot protect against. Simply adding new policies and controls to address newly discovered threats, vulnerabilities, or incidents does not solve the problem, and by the same reasoning it never can: the Incompleteness Theorem shows that even the enhanced security system cannot provide complete protection.

In other words, there is a mathematical truth behind some of the statements heard so often these days from marketers of information security solutions, including the following:

  • There is no such thing as 100 percent secure. Never mind that 100 percent secure is not the goal; rather, the goal is to implement the level of security that reflects the organization’s appetite for risk.
  • A security strategy based solely on deterrence and prevention cannot succeed 100 percent of the time. Organizations also need capabilities to detect, respond to, and recover from incidents when they do occur.
  • There is a 100 percent possibility of a security incident. Possibility is not the same as probability or likelihood: the probability of any particular incident is greater than 0 percent and at most 100 percent, and some incidents are more likely than others.
  • It’s not a matter of whether an incident will be experienced, but a matter of when.
  • Companies should operate as though they have already been compromised. This is another way to say security strategies should include capabilities not only to deter and prevent, but also to detect, respond, and recover.
  • There are two types of enterprises: those that have been hacked and those that have been hacked but don’t know it yet. This one is perhaps the most efficient of the bunch in that it combines both the observation and the implication into a single statement.

Implementing Incident Response in an Organization

The important takeaway is that every organization needs incident response, which should be thought of not as a specific action to be executed once but as an essential capability to be exercised again and again. Research from Aberdeen Group shows that leading organizations are distinguished from lagging organizations in this area along the following dimensions:

  • The existence of an incident response function with clearly defined measures of success
  • A clearly defined funding model and reporting structure for the incident response function
  • Attention to changes in people and processes, not only technologies, as part of the response
  • Postmortem reviews not only of the specific incident, which are good, but also of the performance of the response team itself, which is even better

As if this weren't enough, more advanced detection and faster response measurably reduce the business impact of an incident. Mathematically, literally, and financially, an organization's security strategy is incomplete without an incident response capability.

The post The Incompleteness Theorem: Why Every Organization Needs an Incident Response Capability appeared first on Speaking of Security - The RSA Blog and Podcast.