A Journey in Organizational Resilience: Training and Testing

October 18, 2021
| |
4 min read

We are far from a breach-free world. After all, even cybercriminals have shown their own form of resilience. For example, after a short hiatus, the ransomware group REvil came back in September 2021. Until the day we can leave our ‘cyber front door’ unlocked, any organizational resilience framework you employ needs to include a healthy dose of training and testing.

Training and testing may get the “nice, but don’t have time” treatment, or worse, the “this is fluff” eye roll, but both are vital to your resilience. What if you are wondering how to prioritize these tasks? The Dwight D. Eisenhower decision-making matrix, also known as the Urgent/Important Matrix, is useful for this.

In the matrix, training and testing fall into the ‘Important, Not Urgent’ (or top right) quadrant. When tasks fall into that quadrant, your job is to start scheduling. Sticking to a regular training and testing schedule is key to success.

Do Champions Win Without Training?

Regardless of which cybersecurity framework you end up using, a serious one includes training and testing. Training and testing build muscle memory, locate gaps and help people learn. To reference President Eisenhower again, as a general, he said: “In preparing for battle, I have always found that plans are useless, but planning is indispensable.”

Training is part of your incident response battle readiness. Be honest: have you ever seen any pro athlete win a championship without serious training? Does a trial lawyer walk into a courtroom without preparing and wing it? Has a successful entrepreneur ever had failures? There are a few people, outliers, that have incredible natural gifts. Even they, like the rest of us mere mortals, must practice to be successful.

And for all you chief information security officers out there, your tech skills might have gotten you the job, but those same skills won’t always help you keep it. Your success is a function of your team’s success, and really, the organization as a whole. That means you, or your delegate, need to drive the security-minded corporate culture change. That can only come through awareness and training.

There may be another eye roll after reading that. “More fluff talk” perhaps is coming to mind. Yes, like governance, training and testing may be more on the ‘soft side’ of organizational resilience issues. But they are probably also the hardest issues to tackle. This is more true nowadays where the line between professional and personal usage of devices is somewhere between thin and non-existent.

Organizational Resilience Lesson Planning 101

The ‘people don’t care’ excuse only gets you so far. From a management perspective, if training is not yielding those muscle memory results, your lesson planning needs a check. How much have you learned and retained from a poor teacher, apart from that they were a bad teacher?

No matter how well-configured or orchestrated your infrastructure is, your only hope for a successful resilience program and incident response rests solely on people knowing what to do before, during and after the boom. That means some serious organizational resilience lesson planning is required.

Four Tips for Good Testing and Training

Four takeaways for you:

  • Timing. Schedule training on a regular basis to build muscle memory.
  • Mindfulness. Be mindful of people’s time. We are looking for basic survival skills here, not a dissertation on network connections.
  • Literacy. Make sure your lesson plan is at a grade 4 literacy. This is absolutely not a knock on who you are training. It is simply that cybersecurity resilience is likely not their main job. Anything that is not clear will likely be forgotten shortly after the lesson. You are going for muscle memory.
  • Appeal. Training can be boring. Make it fun and try different techniques, such as gamification.

That all sounds obvious, right? So why are breaches still happening? Why are threat actors using old tricks and showing great success?

It’s because people aren’t performing the basics and security-minded culture doesn’t exist. Knowing which data center or region you are supposed to fall over to or knowing the technical details of how all that happens, is great and needed! But if you do not know who the application and data owners are, or have not immersed yourself in your crisis communication messaging, or you do not know what your contractual obligations are, your best-laid plans are set for failure.

You Don’t Have a Plan Until You Test a Plan

Once you are confident that your people have adequate training, time to put everything to the test.  There are a few types of tests you can go through. Test type and frequency for organizational resilience should be based on how critical each business process and asset is. Here are some pretty standard options:

  • Notification/Validation. Before any extensive testing, make sure you are talking to the right people and have the correct assets tagged. You do not want to perform a business process transfer only to find out the owner of that process left the company three months ago. This test is simply to make sure you have the correct information.
  • Walkthrough. Think of this as ‘test by script’ and even a great way to train and build up that muscle memory. This might be boring, but you need to know which routes you are running before you hit the field.
  • Tabletop. A controlled environment that makes you think. You are not exactly knocking stuff over on purpose yet, but you are thinking through the challenges. And, where possible, use an incident that represents what is going on in the world. If everyone is getting hit by malware, that meteor strike scenario may be right.
  • Functional. All right, let’s knock it over and see what happens. Are we actually meeting our Recovery Time/Point Objectives or are they just fantasies?

What Comes After Testing in Organizational Resilience??

Remember your lesson planning? Well, you need to capture and act on your findings after the exercise so you can tweak both your lessons and your resilience plans. The best place to capture those findings is in an after-action report. Think of it as an ongoing improvement cycle that helps you keep up with the latest threats while reducing your risk profile at the same time.

In the next piece, we’ll change gears a bit and focus on privacy.

George Platsis
Senior Lead Technologist, Educator and Author

George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related ...
read more