Practicing Your Crisis Response: How Well Can You Handle Right of Boom?

“Plans are good — but practice is everything.” — PricewaterhouseCoopers (PwC)’s “Global Economic Crime Survey 2016

If there’s one thing 2017 taught us, it’s that we need to get ready for the inevitable data breach — especially regarding how we respond once we know about the “boom,” which is the time we first learn of a security event.

A new report by IBM’s Institute for Business Value (IBV), “Beyond the Boom: Improving Decision Making in a Security Crisis,” emphasized the value of conducting crisis response simulations for top leadership. The report comes amid increased global awareness about the likelihood and impact of cyberattacks, as evidenced by the World Economic Forum (WEF)’s “2018 Global Risks Report.”

Another positive development is the shift from a primarily defense-oriented mindset to a more agile approach to cyber resilience.

Why Is Crisis Response So Important?

As the IBV report pointed out, top leaders of breached organizations can expect to be “grilled” by lawmakers, shareholders and (of course) class-action lawyers. So, while the breach itself may not be an entirely preventable event, top leadership’s response can make or break a company.

A September 2017 PwC report noted that out of 164 CEOs surveyed around the world, 65 percent had experienced at least one crisis in the past three years. Also, nearly two-thirds of executives had experienced two crises, and one-fifth had experienced three.

According to the IBV report, a business has a one-in-four chance of being hit with a significant threat during a two-year period. A 2016 report conducted by the Ponemon Institute, and commissioned by IBM Resilient, found that 75 percent of organizations lack a consistent incident response plan.

The boom event is the realization of a breach. “Left of boom” refers to everything that happened before the breach was discovered, and “right of boom” represents what happens afterward (this is where an organization has a chance to mitigate the damage). Nearly everything that happens right of boom is under the organization’s control. Whether the response is handled well or fumbled miserably is up to its leaders, which is why it’s crucial to practice the crisis response plan.

Finally, the “2017 Cost of a Data Breach Study” conducted by Ponemon and IBM found having an incident response team was the most important factor impacting the per capita cost of a data breach, followed by the use of encryption and employee training.

Practice, Practice, Practice

The PwC report noted, “crisis management needs to be practiced so that people are clear about their responsibilities and who the decision-makers are.” At right of boom, organizations have very little time to regroup, deliberate and test out various response strategies. Instead, they must respond in nearly real-time and in the court of public opinion.

If your team didn’t put the plan into practice, would you be willing to bet your shirt on your leadership team’s response?

“Getting crisis response wrong goes beyond significant financial pain and affects reputation and relationships,” the PwC report asserted. Practice, while not necessarily reflective of future situations the team may face, can ensure the organization can work on creating an environment that supports quick decision-making during the crisis and clear communication with both internal and external stakeholders.

Listen to the podcast: Have a Plan, Practice It and Then Practice It Again

The Value of Crisis Simulations

For organizations that are only now starting to practice their crisis response plans, tabletop exercises might be the right level. However, those activities are no substitute for a full-on cyber range with phones ringing off the hook, real-time news and stock tickers, monitors and up-to-the-minute dashboards showing the systems impacted.

A good crisis simulation should feel like the boot camp phase of military training — a feeling of being put through the paces with the stress and fatigue, unknowns and self-doubt of a real-life data breach. It should also provide chances for participants to reflect and process lessons learned.

It’s important to note that executives are getting increasingly involved with crisis response preparedness and practice. According to PwC, board directors are asking questions such as:

  • Has the Board recently practiced its response to a cyber crisis, including with deputies?

  • Who has authority (training, decision-making remit) to respond in less than an hour?

  • Is the action plan for emergency management thorough, well rehearsed and effective (including with no IT)?

This is where the IBM X-Force Command Center (XFCC) crisis simulation center shines. In the XFCC, IBM can create a business-level crisis simulation that truly stands out. After all, a cyber event isn’t just about IT — it’s about the business and how well it responds.

The XFCC makes it possible for response teams to experience the unexpected twists and turns of a data breach in a controlled environment and learn how their reactions might enable or impede a good response. For example, as reported on the NBC’s “Today” show, members of the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently participated in an exercise that simulated a cyberattack against a fictitious bank.

What is the XFCC experience like?

“We have had over 1,300 customers come through the cyber range in 2017, and we focus on the importance of showing what great looks like and defining a security culture, organizing correctly to allow a resilient business response to a technical cyber incident and having the entire company focusing on reducing all aspects of risk,” said Chris Crummey, executive director of IBM Security X-Force Evangelism and Outreach and one of the masterminds behind the XFCC. “Another way to describe this experience is cyber best practices meets Game of Clue meets a Disney roller coaster ride.”

Ultimately, a crisis simulation enables an organization to pressure-test its incident response plans — including who has decision-making authority and who communicates what to whom — identify gaps, and improve strategy and tactics accordingly. After all, it’s much better to go through a series of practice runs than to be thrown to the wolves when the real crisis happens.

Take command of your security posture: Visit the IBM X-Force Command Center

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...