Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.

If a 3 a.m. phone call alerts you to a serious data breach, time is your enemy; you need to have the confidence and assurance that your organization will be able to contain, respond, recover and restore business operations to normal as soon as possible.

In such a scenario, what does preparedness look like? For starters, your team is mobilized and ready; you have the right procedures and playbooks to follow; you have adequate support from a technology and a stakeholder perspective; and you have the right information to make informed decisions and guide the business through to recovery.

So-called cyber exercises are the cornerstone of any cyber resilience strategy. They ensure that organizations are prepared, adaptable, responsive and resilient in the face of ever-evolving cyber threats. From my experience in cybersecurity and technology, incorporating these five elements will make your cyber exercises more effective:

1. Governance

Governance is all about accountability and ensuring that your organization sets expectations on how it should behave and operate under adverse conditions such as a major cyberattack.

The exercise must help verify if a robust governance framework exists (is there a playbook, a flow chart, an action plan available?) and whether everyone involved—from technical teams to leadership teams to third parties—understands their specific duties and the need to communicate in a timely manner. The governance model must also account for succession planning—who can step in as a deputy when key personnel are unavailable? It must also ensure that any applicable compliance or regulatory obligations are not omitted or overlooked during the response process.

2. Decision Management

Closely related to governance is decision management. A number of key decisions will present themselves at various stages of the incident.

There will be technical questions: Should we pull the plug? There will be operational questions: Should we continue delivering services and products to customers? What is a minimally viable operation? What are the minimum requirements that customers expect or actually require? There will be business decisions: Will we have to stop delivering services? Will we have to shut down part of the business?

There will be escalation thresholds. At what point should critical decisions be made? These are all major decisions with no perfect answer. Businesses must ensure they take these into account when preparing executives for simulation exercises.

3. Process

Process is all about the procedures that different stakeholders will undertake before, during and after a cyber incident has taken place. Clear processes that highlight the response procedures, the responsibilities of key individuals and the appropriate communication channels will not only help minimize the impact but also aid in swift and efficient recovery.

A structured response process will help ensure that important steps, such as root cause analysis, regulatory reporting and evidence preservation, are not overlooked. How you communicate with internal and external stakeholders—the medium, the formats, the cadence—all of these things become imperative when it comes to resilience and dealing with major incidents. Always ensure that such procedural components are tested in your exercises.

4. Stakeholders

When an incident goes down, multiple internal and external stakeholders will be involved: employees, customers, business partners, insurers, regulators, government representatives, law enforcement, etc.

Cyber exercises must, therefore, evaluate response mechanisms using a stakeholder lens. Different roles and relationships of various stakeholders must also be tested in an incident response process.

For example, some might have a special relationship with a business partner, a customer or supplier that needs to be managed differently than the rest. In some scenarios, customers have to be contacted before an organization goes to market and talks to media.

Whether the organization has a stakeholder map readily available is also something worth assessing; a stakeholder map offers direction on which individuals need to be engaged and the best channel for communication.

5. Technology And Data

If an organization doesn’t have adequate visibility and understanding of its data, systems, tools or technological assets, then it can cause a major challenge when these systems actually go down. In the absence of such visibility, it’s difficult to understand the priorities, the dependencies and the significance of that infrastructure to business operations.

During an incident, organizations will often find their primary email and collaboration tools are inaccessible. Therefore, the business may require a secondary platform. Cyber exercises must account for such scenarios. Organizations may be required to have secondary and tertiary mechanisms or infrastructure in place in the event that control is lost on the main infrastructure.

Another big one is data, an area often overlooked in exercises. Data does not just mean business information that is transactional or supporting business operations and services; it also means security data, metrics, telemetry or any kind of data that is required in a response scenario to facilitate rapid decision-making by key stakeholders.

Running a cyber exercise that’s simply lifted from an online template may seem like an easy way to check a box. While such exercises might cover basic scenarios, I find they rarely simulate the complexity and unpredictability of a genuine cyberattack.

Using the five elements described here, organizations can go beyond generic templates and design exercises that reflect business processes, critical assets and vulnerabilities, revealing their actual cyber preparedness.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
