By Gene Fredriksen
Every organization should have a computer incident response plan intended to serve two major purposes: to recover business functions as quickly as possible and to analyze what happened in order to take affirmative steps to decrease the chances of it happening again.
While even the best incident response process cannot guaranteethe ultimate objective of preventing a recurrence of the incident, there is a reasonable expectation that a recurrence of the incident will not take place if the root causes are identified and addressed. Root Cause Analysis (RCA) is not overly complex, but it is a critical after-action component of any incident response. Focusing on a simple root cause analysis process that requires no elaborate and expensive training is well worth the investment of time and effort for credit unions.
In some cases, credit unions may question why the root cause should be a concern if the original problem is solved and business functions have resumed. Without identifying and addressing the root cause, an organization leaves itself exposed and vulnerable to a repeat episode. Addressing the root cause is much akin to treating an illness. Like the saying goes, treat the cause, not the symptom: Treating the symptom may result in short-term relief, but things can go downhill quickly if the underlying cause is not treated.
More Than Reboot Needed
Many organizations, and even the best trained response teams, simply treat the symptoms instead of attacking the underlying causes of an incident. For example, how many times has an organization addressed a production issue by rebooting the server? True, a reboot may fix the problem temporarily. But unless what caused the server to fail in the first place is identified, the organization may end up with server reboots becoming a “normal” process required to keep production going. This is not a sustainable way to run a production environment.
To help identify the root cause of an event, credit unions can employ the “Five Whys” method – a simple but powerful tool to use in any problem-solving activity. This intuitive process helps separate symptoms from the causes of a problem by cutting through the layers that usually envelop a problem.
As an example, think about a car. The oil is low, so the mechanic adds some more. In doing so, he has addressed the symptom. But what happens when the oil is low again? And what happens if the amount of oil needed continues to increase over time? At what point does the mechanic realize he has a bigger problem on his hands? If the mechanic continues to only address the symptoms, he may eventually run out of oil.
Instead, he should ask, “Why?” Why is the oil low? Why does the oil level continue to drop even after being topped off? Why is this occurring at such a frequent rate? Continuing to ask “why” will eventually lead him to discover that the oil filter was not tightened properly after the last oil change. Just addressing the symptom (the low oil level) and not addressing the cause (the loose oil filter) could eventually lead to the filter completely falling off, resulting in a catastrophic loss of oil.
The well-known phrase, “A stitch in time saves nine,” is certainly representative of the benefits of conducting a root cause analysis. It also illustrates that not all fixes identified by a root cause analysis need to be costly or difficult. The results of a root cause analysis will most often reveal a failed control, process or even a gap in staff skillsets that put into motion a series of conditions or events that led up to the identified symptom. Thus, by conducting a root cause analysis and addressing the root cause as quickly as possible, credit unions can substantially or completely prevent the same or a similar incident from recurring.
Worth the Time Investment
Finding the root cause may take some time, but it is not inherently difficult – even when it seems that addressing the symptoms might be the easiest solution. Fixing the root cause could be inexpensive or involve a significant investment, but if you do not conduct an analysis, you will never know for sure. System uptime and member support are critical to credit union success and key to remaining relevant in today's market. Ensuring that processes are robust and resistant to errors is a core aspect of that success. Excellence starts with credit unions’ people and the processes they use to support their members. By using approaches like root cause analysis, credit unions can help to push their levels of member service and satisfaction to new heights.
Gene Fredriksen is responsible for several strategic functions focused on relating PSCU’s perspective and stance on cyber security to the credit union industry. Gene has over 25 years of information technology experience, with the past 20 focused specifically in the area of information security. He joined PSCU in 2013. Since then, he has grown the Information Security and Compliance teams and service offerings, implemented advanced tools and processes, and advanced PSCU’s relationship with numerous partners. Gene has served on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security and is a Distinguished Fellow for the Global Institute for Cybersecurity + Research, headquartered at the Kennedy Space Center. He is also the Executive Director for the National Credit Union Information Sharing and Analysis Organization.