So far in this organizational resilience journey, we have focused mainly on the planning phase, or, as some call it, ‘left of the boom’. For a moment, let’s look at a ‘right of the boom’ (post-incident) theme: crisis management (CM), an important component of your cyber resilience planning.

A good CM plan will be part of a larger governance cybersecurity framework (a topic that we look at in the next piece) and has an emphasis on a vital attribute: communications. Carrying out a CM plan requires knowing roles and responsibilities, when to escalate, when to act, and what (and what not!) to say.

How Cyber Resilience Is Like a Movie

Imagine an incident or cyber resilience crisis to be like a movie. First, you will be introduced to the characters (roles). Then, you will learn how they interact (responsibilities). Next, you will see them raise the alarm when an incident occurs (escalation). And finally, you will see how they respond (act).

In your typical CM plan, your cast of characters will include your security operations center analysts, incident response (IR) team members, supervisors, the chief information security officer, the C-suite, board, general counsel, communications staff and even external partners (think public relations firm, external counsel, external IR consultants, third-party vendors, law enforcement and even news agencies). All these characters have a role to play.

Let’s go back for a moment to the governance issue. If your organization is operating in a disjointed manner, the phase after the incident will feel like chaos while your precious data is being stolen or destroyed. It’s like a movie with no script, no character arcs, and the only thing you know for certain is that something bad will happen.

A Boring Movie Is a Better Movie

CM planning is like writing a movie script. Sure, you may make some changes along the way, but for the most part, the story is set. Your CM plan maps out:

  • Roles and responsibilities
  • Interactions between parties
  • Escalation measures and decision matrix
  • Activating involvement
  • Messaging
  • Reporting.

With all this mapped out so well, you may be wondering ‘why am I watching a movie if I know what’s going to happen?’ That’s the point. Boring is your friend when it comes to cyber resilience. You want your CM process to be more like a sleepy, lame comedy with bad, anticipated jokes as opposed to an edge-of-your-seat, crash-boom-bang, universe-obliterating action movie.

Know Your Role and Figure Out How to Interact with Others

Unlike the movies, real life does not have a hero that will handle all crisis management tasks. If there is ever a time for a team game, right of the boom is it. You don’t want a deer caught in the headlights moment or a turf war; or worse, a mix of both. Therefore, know your characters and understand how they interact. In a previous piece, we noted the importance of exchanging business cards prior to the incident. Do that.

Remember this: a crisis will be stressful and it is very likely you will run into a resource crunch, or, worse, staff burnout. A crisis is not the time to play the hero. By assigning responsibilities, not only do you know who is supposed to cover what, you benefit from two important points:

  • You can spot existing resource gaps
  • You can find areas that will require surge support.

You’re preparing for a right of the boom problem, but, in the process, improving left of the boom posture. That’s a double score!

Without defining roles, responsibilities, interactions and communication, you ‘don’t know what you don’t know’. Start figuring this out and get everyone on the same page for better cyber resilience.

Escalation, Decisions and Cyber Resilience on the Screen

‘Best judgment’ is bad judgment in the case of escalation. In fact, you want the exact opposite when it comes to cyber resilience. Understand your organization’s legal and regulatory requirements and start building your escalation requirements from there. For example, the Securities and Exchange Commission (SEC) is coming down hard on disclosure requirements. Recent settlements and consent orders are highlighting this issue. Do not get caught flat-footed. Breaches are bad, and SEC investigations and fines make them worse.

Understand that sometimes you may only have 72 hours to get in front of a camera or file a Form 8-K if you are a publicly traded organization. Therefore, you want your escalation and decision-making process to be as repeatable as possible. Through this process, you’ll know when to activate your crisis communication staff, when to engage your external counsel and all the other ‘fun’ stuff. Remember, boring is your friend. Narrow the surprises to the incident, not to the process.

Pro tip: CISOs, your soft skills during a crisis will be vitally important, so get to know the cast and the business very well.

Scripts and Aids for Cyber Resilience

When emotions are running high during a crisis, the last thing you want to do is scramble. Therefore, scripts, sometimes known as holding statements, help boost cyber resilience. The same is true for job aids, tailored to specific roles. Think of these as cheat sheets.

  • For holding statements, you want to work with your crisis communications team to ensure they make these detailed enough to get the necessary — and right — information out to the appropriate stakeholders (internal and external). But make sure these statements are not so rigid people can’t adapt them to the crisis. Remember, you need messages for all types of platforms your stakeholders normally use. If your stakeholders use phone calls, social media blasts may not work.
  • For job aids, it’s like handing your cast a memory card that lists out very tactical ‘do this’ type activities. Think one or two pages max, with all vital information, such as contact information, roles, responsibilities and decision options, there.

Test and Update

Testing and training is a theme that will receive its own piece later in the series, but you absolutely need to run the cast through the wringer in some sort of regular fashion to build up muscle memory. There is also an added benefit: you can update your plans, especially if there have been changes in personnel and contact information.

No cybersecurity resilience framework or business continuity plan is complete without a crisis management plan. It’s the first plan you will activate right of the boom and it’s critical to cyber resilience, so get it right. After all, getting it wrong is costly.

In the next piece, we will look at the importance of governance, ensuring an organization is operating in lockstep.
