
Incident Management: What is an incident?

How many security incidents have you had in the last month? How about the last year? Surveys suggest that your answer is probably zero. Somehow, you do have a documented Incident Response Plan. Probably a quickly thrown-together document to satisfy an audit or security review. Yeah... been there.

It is safe to assume that if you are Internet connected, you are under attack. A security "incident" doesn't only mean a breach of your network and the exfiltration of sensitive data. There are many subtle actions that precede a successful hack, and each of these must be treated as an incident: an external entity consistently probing or port scanning your network; an unexpected change in your technology infrastructure; a new server, or the disappearance of a known server; servers moving around within the Active Directory structure. Changes to the technical infrastructure outside of the documented baselines must be investigated.

Unexpected system or data access can indicate nefarious activity: a normal end user logs in at 2:30am on a Sunday morning; an administrator remotes into a server outside of any scheduled maintenance; any administrative access to a database; a workstation raises a malware detection alert; an internal workstation repeatedly attempts to connect to an unapproved site or in an unapproved manner.
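The access indicators above can be turned into simple triage rules. The following is an added example, not code from the original post: it runs three of those rules (off-hours end-user logon, admin remote access outside a maintenance window, any administrative database access) over constructed log lines; the log format, business hours and maintenance window are all assumptions chosen for illustration.

```python
"""Triage constructed authentication log lines against the indicators named in
the post: off-hours end-user logons, admin remote access outside a maintenance
window, and any administrative database access."""
from datetime import datetime, time

# Constructed sample lines (not from any real system): timestamp|user|role|event|target
SAMPLE_LOG = """\
2024-03-10T02:30:00|jsmith|user|logon|WS-0042
2024-03-11T09:15:00|jsmith|user|logon|WS-0042
2024-03-12T23:40:00|dbadmin|admin|rdp|SQL-01
2024-03-12T22:05:00|dbadmin|admin|rdp|SQL-01
2024-03-13T14:00:00|dbadmin|admin|db_access|SQL-01
"""

# Assumed policy values (hypothetical): business hours Mon-Fri 07:00-19:00,
# one maintenance window on Tuesday 22:00-23:00.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
MAINTENANCE = {1: (time(22, 0), time(23, 0))}  # weekday() -> (start, end); 1 = Tuesday

def in_business_hours(ts):
    """True for a weekday timestamp inside the assumed business hours."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END

def in_maintenance_window(ts):
    """True when the timestamp falls inside a scheduled maintenance window."""
    window = MAINTENANCE.get(ts.weekday())
    return window is not None and window[0] <= ts.time() < window[1]

def triage(log_text):
    """Return (line, reason) for every log line that should open an incident."""
    incidents = []
    for line in log_text.splitlines():
        ts_str, user, role, event, target = line.split("|")
        ts = datetime.fromisoformat(ts_str)
        if role == "user" and event == "logon" and not in_business_hours(ts):
            incidents.append((line, "end-user logon outside business hours"))
        elif role == "admin" and event == "rdp" and not in_maintenance_window(ts):
            incidents.append((line, "admin remote access outside maintenance window"))
        elif role == "admin" and event == "db_access":
            # The post treats any administrative database access as an incident.
            incidents.append((line, "administrative database access"))
    return incidents

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"INCIDENT: {reason}: {line}")
```

Run against the constructed log, the Sunday 02:30 logon, the Tuesday 23:40 RDP session and the database access are flagged, while the Monday-morning logon and the in-window RDP session are not.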

So, if you are doing everything right, you should have a couple of incidents every month. Some months you will have a handful. By "doing everything right", I mean you have rock-solid change control, robust system monitoring, and privileged user access controls. If you don't have any incidents, the reason is that you are blissfully unaware: you are unable to detect the tell-tale signs of a network intrusion. Your organization, like 69% of those hacked, will learn of your breach from an external entity.

There is an old adage that says you will only find that which you are willing to find.  Having a security incident can be perceived negatively within an organization.  It represents a failure and, in this environment, people are not very eager to uncover one.  This mindset must be overcome.  As I mentioned, it must be perceived as normal to have regular security incidents.  Eyebrows should raise in the absence of these important indicators.  

As you start managing incidents, use the situations to test and improve your incident response procedures.  Focus on developing forensic capabilities to capture evidence and support possible legal action down the road.  Attack each incident with enthusiasm and diligence.  The next incident could be the real thing, allowing the opportunity to interrupt an active breach before any data is compromised. 

Above all, perform after-action evaluations for each and every incident. The response to an incident could be a new policy or a change to an existing policy. It could be a reconfiguration of a device or a piece of software. It could entail training, HR or other action for an end user or an IT staff member. The point is that there are always vulnerabilities somewhere, and the Incident Management process allows them to be identified and addressed. Hopefully, they will be addressed as molehills before they become mountains.
