• Embracing Incident Response at Petit Le Mans: A Positive Outlook for Cybersecurity?

    19 Oct 2025

    At the Petit Le Mans race this past weekend, the TV announcers couldn’t stop talking about incident responsibility. Apparently, the International Motor Sports Association (IMSA) made it clear they’re done tolerating sloppy driving. [SIDENOTE: I certainly had my fair share of that back when I raced – like this example]. The rules of racing have always been there; now IMSA says they’re finally going to enforce them. Zero tolerance. No excuses. Yay…I think… This change in attitude reflects a growing trend in sports and other high-stakes environments where accountability is paramount. Just as in racing, where a split-second decision can lead to disastrous consequences, in the world of cybersecurity, the results of negligence can be equally catastrophic.

    That struck a chord in me because it’s exactly what’s missing in information security. We’ve got plenty of rules – PCI DSS, HIPAA, policies, audits – you name it, but when a real incident happens, most organizations fall short or miss it altogether. Everyone’s great at prevention until something breaks. Then it’s panic mode. This is akin to a team of drivers who may practice diligently yet falter under pressure during an actual race. In many ways, incident response is like the pit crew during a race; they need to be prepared to act swiftly and efficiently when an incident arises, rather than trying to figure out their roles in the heat of the moment.

    I’ve said it before: it’s one thing to be proactive, but you still have to prepare for the reactive side of security… the things you’ve overlooked. You can build the biggest and best firewall on earth, encrypt every drive, and check every compliance box, but once the incident occurs, none of that matters if you can’t respond. This highlights the importance of training and simulations; a successful response requires everyone to know their roles and responsibilities well in advance. Just like racing teams conduct drills to prepare for every possible scenario on the track, cybersecurity teams must engage in thorough preparation to handle incidents effectively.

    In racing, when there’s a crash, everyone knows what to do. Officials review the footage, assess responsibility, and apply the rulebook. No one enjoys penalties, but everyone respects consistency. That’s how you maintain order and credibility in the sport. The same principle applies to cybersecurity incidents: having a clear, consistent process for addressing breaches not only ensures accountability but also builds trust within the organization and with clients. Transparency during these processes can be a competitive advantage, letting stakeholders know that you take security seriously and are prepared to act when necessary.

    Security incidents should be handled the same way. Just as drivers rely on their teams, security professionals must depend on their processes. An organized response plan can prevent chaos and confusion, allowing teams to address incidents promptly and effectively. This is not just about having protocols in place but also about ensuring that everyone understands them. Regular training and drills should be mandatory. Just as a racing team wouldn’t skip practice, organizations can’t afford to ignore their incident response training.

    When your systems go down or data gets exposed, do you have a process, or are you winging it? Who’s calling the shots? Who’s talking to leadership, customers, and the media? You can’t make these things up as you go. Well, you can, as most do…but, still. If you don’t already know your roles in incident response, you’re not ready. Consider the chaos that ensues when a race car crashes. The pit crew is already in motion, ensuring that everything is handled according to the rules. They have predetermined roles, which allows for a swift response that minimizes damage. Similarly, having defined roles in cybersecurity can make all the difference between a minor incident and a catastrophic breach.

    IMSA’s approach – consistent rules, enforced fairly – is exactly what’s needed in business. Not another tool, not another framework, just willingness and discipline. If you let bad habits slide, you’re building your own incident – literally every day. If you can’t enforce your own policies, why should anyone take them seriously? A judge or jury likely won’t. This is a crucial point: enforcement is not just about rules; it’s about fostering a culture of accountability. In high-stakes environments, such as racing and cybersecurity, accountability can mean the difference between success and failure. Organizations should strive to create a culture where every employee understands the importance of their role in maintaining security protocols.

    Here’s the reality: incidents happen both in racing and in security. You know the whole “not if but when” thing. The best teams – on the track or in the SOC (internal or your MSP/MSSP) – aren’t the ones with the fanciest gear. They’re the ones that have practiced, reviewed, and learned from their mistakes. This is where the importance of post-incident reviews comes into play. Each incident should be a learning opportunity, allowing teams to refine their strategies, improve their processes, and ensure they are better prepared for future incidents.

    You can’t secure what you don’t acknowledge. You certainly can’t respond well if you’ve never tested yourself under pressure. Do you have an incident response plan (<= check out my guide on this)? Have you done the incident response tabletop exercises necessary to learn and know how to respond like a true professional? These exercises simulate real incidents, providing teams the chance to practice their response in a controlled environment. The more you practice, the more confident your team will be when a real incident occurs. Remember, just as racing drivers simulate various track conditions to prepare, security teams must do the same for potential breaches.

    IMSA is finally enforcing its rulebook. What a novel idea, but a great lesson nonetheless, for those running a security program. The enforcement of rules isn’t just about punishment; it’s about promoting a culture of accountability and preparedness. Just like racing, an organization that emphasizes responsibility and proactive measures is better equipped to handle the inevitable challenges that come its way. In the end, the key takeaway is that both in racing and in cybersecurity, success hinges on preparation, accountability, and consistent enforcement of rules.