“Plans are of little importance, but planning is essential,” (Churchill)
By Callum Moore, Practice Lead, Cyber Simulation and Incident Response, Information Security Forum

High-profile cyberattacks make news headlines every week, underscoring that no business is exempt. Consequently, it is smart to get aggressive with planning for the high likelihood of a security incident. This calls for determining your response strategy, protecting your critical data and knowing how to get systems fully restored.
The problem is that most organisations (72%) are not investing enough in cyber resilience.
What’s Holding Organisations Back?
It’s not that boardrooms aren’t concerned about cyber resilience. Boardrooms certainly care about understanding their exposure to cyber risk, the business’s ability to defend against cyber threats and the implications not just on the business but also on themselves, fearing increasing liability from cybersecurity incidents.
The real challenge lies in securing commitment from senior management and ensuring they are ready for cyber incidents. Hard to believe, but 48% of corporate leadership avoid responsibility for cybersecurity.
The Role of Cyber Exercises in Cyber Resilience
It’s pretty obvious: if you’re a leader and neither you nor your team will be held accountable in the event of an incident, then it’s understandable that cybersecurity won’t be a priority for you.
The onus is therefore on the security team, especially the CISO, to illustrate worst-case scenarios and the potential financial impact on the business. This is where cyber exercises such as phishing simulations, incident response drills, red team vs. blue team, and table-top exercises take a lead role.
The purpose of running cyber exercises is not solely to evaluate staff and stakeholders on their security preparedness but also to pinpoint where security gaps and vulnerabilities exist, and how they can disrupt business operations and continuity. This is where the realisation hits, and where enthusiasm for fixing the problem is found. Using cyber exercises, security teams can shine a light on security issues, highlight ways to address them, and gain commitment to follow through.
Getting Corporate Leaders to Participate in Cyber Exercises
Building consensus is the first step. If a board member or chief executive can exert influence on senior management then things can move along fairly quickly. Next, run a simulation. Security incidents are a multi-dimensional challenge – there’s internal and external communications (investors, employees, regulators), protocols and recovery playbooks to be tested; multiple departments (HR, legal, marketing) need to be involved, and all scenarios must be considered.
Once the exercise is complete, measure results so that the business can gain an understanding of how resilient its people, processes and technology are. Metrics can be a useful tool for providing assurance that cybersecurity controls and playbooks are proving effective. Benchmark results with industry peers, as this can help leaders make more informed decisions about their risk profile. Conducting cyber exercises is not something you do and forget. They need to be run annually, much like any auditing.
If your organisation already has experience in running cyber exercises, adopting these best practices will help further your efforts. For organisations with little experience running cyber exercises, we recommend seeking dialogue with experts and your counterparts, and joining analyst associations that are fluent in risk management and provide benchmarking data and guidance on running simulations. There you will find useful strategies and like-minded individuals who share the same concern for the importance of cybersecurity. Attend webinars and conferences, and learn about emerging threats on the horizon fuelled by AI. Share war stories and collaborate on joint solutions.
Book time with Callum Moore of the Information Security Forum or contact
www.securityforum.org/meet-the-experts/callum-moore