Improving Cyber Resilience: Top 5 Questions CISOs Should Consider
When cybersecurity experts talk about cyber resiliency, they’re talking about the ability to effectively respond to and recover from a cybersecurity incident. Many organizations don’t like to think about that — and it’s easy to see why. Many have invested heavily in tools designed to protect their networks from intrusion and attack, and planning for cyber resiliency means accepting the possibility that those tools might fail.
But the truth is, they might. In fact, they probably will. Even with the best tools on the market, it isn’t possible to stop 100% of attacks, which means it’s important to plan for the worst. In doing so, you can improve your cyber resiliency, which can significantly mitigate the damage caused by those inevitable attacks that manage to slip through the cracks.
Putting a plan in place that details how to handle a cyber-triggered business disaster is essential, but it isn’t always easy to get started. Here are the top five questions CISOs should be asking when it comes time to evaluate — and improve — cyber resiliency.
1. Do you have strong retainers in place?
It’s difficult — not to mention dangerous — to do it alone. There’s no shame in seeking out help from experts. In fact, it’s usually the smart thing to do. Most organizations (hopefully!) don’t have significant experience when it comes to dealing with cyber incidents, but there are many third parties that can provide invaluable guidance and assistance.
Do you have a good incident response retainer in place? What about a good cyber crisis communications retainer? These are not things you want to be scrambling for in the midst of a disaster, but having them in place in advance can help you respond quickly and effectively. A technical incident response firm can support and validate containment and eradication of the threat, while a crisis communications firm can help you coordinate both internal and external messaging. Communication can often make or break an incident response, so don’t overlook that element.
2. Do you have well-defined cyber incident response plans and resiliency playbooks?
A cyber incident response plan deals primarily with the security team’s categorization, notification, and escalation of the technical incident, but a strong cyber resilience playbook details the various resources and workstreams that need to be activated for a broad, enterprise-level response effort. Key stakeholders and decision-makers across internal and external counsel, public relations, disaster recovery, crisis communications, business continuity, security, and executive leadership should be involved in this playbook — who is going to lead which workstream and what will the decision-making process look like?
There may be decision-making thresholds you can pre-define. Ransomware payment is a good example, particularly with the continuous rise in ransomware attacks. Can you align in advance on when your organization would consider simply paying the ransom? Maybe that threshold is a certain amount of time without key business functions, or maybe it’s a dollar amount. Aligning on those decisions in advance can save significant time.
This is also a good opportunity to align on the decision-making resources that might be needed, such as out-of-band communications or deciding whether certain incidents need to be handled in person. Do you need corporate apartments that can be sourced through procurement? Are there other external relationships that need to be established? Having these discussions early can ease coordination across the whole enterprise.
3. Are you testing your playbooks and third-party firms?
You can’t just put policies and procedures in place. You need to test them. And that doesn’t just apply to internal parties — you can bring your retained firms in to conduct tabletop exercises as well.
For an incident response retainer, you might have them lead the security operations center (SOC) in a technical tabletop exercise. This tests the coordination between the SOC and the incident response firm to see how well they know the relevant procedures in the incident response plan and whether they can communicate effectively. For a crisis communications firm, try having them lead a management-level tabletop exercise, since the firm would be spearheading external communications and ensuring that everyone is aligned on the messaging. It can be helpful to work through that messaging in an executive tabletop.
Of course, these tabletop exercises can also be combined. The incident response firm and the crisis communications firm can be tested with a mock incident that escalates from the SOC all the way up to an enterprise-level concern. This can help gauge their response capabilities as an incident becomes more serious, as well as their ability to effectively communicate that response.
4. Do you have a strong grasp of your most critical business processes?
Maybe more to the point, do you understand the critical path for those business processes? That means the third-party applications, the underlying infrastructure, the data center locations, and other key factors that go towards producing those processes. Do you have backup processing methods? Do you have a manual process method that you can use in a pinch? Do you have offline contact information for your third-party vendors so you can quickly and easily get ahold of them in the event that your data is locked up?
These are all critical questions that organizations need to be able to answer in the event of an emergency. Understanding that critical path can help you know who to call and which business process needs to be activated during an incident. The last thing you want is to discover that the contact information for all of your vendors is stored on a server currently encrypted by ransomware attackers.
5. Do you have a disaster recovery plan in place?
Do you know clearly — and in what sequence — you need to recover data and infrastructure? Do you know the exact point of recovery? Do you know the recovery time objective for recovering that infrastructure data? Depending on the process, that time objective might be 30 minutes, or it might be a week. Knowing that answer is essential not just for setting expectations, but for planning your recovery effectively.
Business continuity and disaster recovery programs don’t just need to be in place, they need to be evaluated with failover tests. For example, if your system has regional redundancies, you might conduct a test in which one region fails and the system immediately falls over to another region. The security and disaster recovery teams can then practice recovering the data for the region that “failed.” This serves the dual purpose of both making sure the failover is working and ensuring recovery systems are operating as planned.
Hope for the best, plan for the worst
No one wants to believe they will be the victim of a cyber-triggered business disaster, but it’s always better to have a plan and not need it than to need a plan and not have it. But cyber resiliency is not something that can be “achieved” and forgotten. It needs to be maintained as the organization changes and scales over time. By keeping these concerns top of mind and conducting regular testing and tabletop exercises, you can help ensure that your resiliency remains strong even as the organization evolves.
Cyberattacks aren’t going away — if anything, they’re increasing in frequency and severity — but strong cyber resiliency can mean the difference between a quick recovery and a major disaster. Posing these questions to your security teams and relevant stakeholders on an ongoing basis can help ensure that resiliency remains a top-line concern for your organization.