Cybersecurity Crisis Event? Here’s the 5 P’s I Learned at the Secret Service
By: Kevin Walsh, Sr Consultant IT Security
Everybody will experience a serious cyber incident eventually. It doesn't matter how diligently you try to keep the adversaries out of your business. Looming somewhere in your future is a Very Bad Day.
In fact, relying exclusively on breach prevention to keep your company safe could be a mistake. The only way to minimize your business risk as it relates to cybersecurity is to complement your preventive diligence with meticulous preparation for an eventual breach.
As an Incident Commander for Secureworks — and with more than two decades in the U.S. Secret Service that included protection details for both President Bush and President Obama — I've learned a thing or two about what to do in crisis situations. So, while a blog doesn't afford me nearly enough space to go into any detail, I'd like to offer five key points to consider when it comes to your organization's breach readiness.
Point #1: People
The first thing that may come to mind when you think “cybersecurity” is probably “technology.” But the truth is that your first order of business in a crisis is to address your people challenge.
People, after all, are the ones who are going to have to get things done in the next few hours and the next few days. You have to know who you can count on, what skills they bring to the table, and how to get them out of panic mode. If you don't start there, your response is going to be ineffective, inefficient, and slow — which means your business is going to incur more financial and reputational damage than it ought to.
Smart, perceptive people management will also continue to be important over the entire course of your response. If you're not careful, you'll push people past their breaking point — which means you'll lose them when you need them most. You'll need to have a leadership style that understands how to detect stress and ameliorate it when it threatens to interfere with your ability to achieve your response objectives.
Point #2: Priorities
If you've never been through a breach crisis, you may not fully fathom the level of chaos that ensues. All kinds of stuff can start going haywire — with your operations, with your employees, with your customers, with your suppliers, and with your executives. And of course, with your money. It can all be quite overwhelming.
The only — I repeat, the only — way to move from overwhelming chaos to optimal action is to rationally prioritize everyone's immediate objectives and actions. And, no, prioritization doesn't mean doing the biggest, most important things first. Sometimes it means doing little things first — because those little things are prerequisites for getting a big thing done correctly and safely.
For example, I've seen lots of organizations jump into action without first securing alternative communications channels. That's because they wanted to put out their biggest fire right away. Unfortunately, using compromised communications channels to neutralize and eliminate an adversary simply gives that adversary a better grip on your jugular.
Wiping drives and rebuilding servers right away is rarely a great idea, because nine times out of ten you'll pave over the very forensics you need to mount a proper defense. So, it's absolutely critical to do the right things in the right order.
Point #3: Parallel pathways
When you get hit by a cyberattack, your primary challenge will actually not be to neutralize the attack. The whole process of identifying the attack, evicting the threat actor, determining the scope of their impact, and restoring your environment to its target/normal state is in fact only one of the threads that you will have to unravel. There are many others — including appropriate engagement with employees, customers, suppliers, government agencies, and the media.
Your primary challenge is thus to sort out these separate but interrelated threads in order to effectively execute all related tasks in parallel.
This is no small order. Rationally orchestrating the activities of numerous people inside and outside of your organization is a bit like conducting an orchestra while the composer hands you the score of the symphony you're performing, one sheet at a time. Please do not undervalue the role of an incident commander. And please do not, under any conditions, assign that role to someone who already has primary hands-on responsibility for executing any of the individual threads associated with your crisis response — such as your cybersecurity lead or your VP of operations.
Point #4: Persist to prevail
The stages of a cybersecurity incident are a roller coaster. Like the ups and downs of an (unwanted) thrill ride, what you do and what you're likely to feel during the first hours of the crisis are different from what you will do and feel in the second week of the crisis.
It will therefore be important to help your people navigate those stages, both in terms of operational task lists and team morale. Yes, you will have to push people to perform far above their baseline at the beginning of your incident response episode. However, as noted above, recovery is a marathon — not a sprint. It will require not just individual perseverance, but also collective commitment to achieving the optimal outcome for all stakeholders.
The good news is that organizations can successfully prevail following what at first appears to be even the worst of Very Bad Days. I would go as far as to say that the primary variable affecting the ultimate outcome of an organization's recovery is not actually the magnitude of the attack itself — but rather the excellence of the recovery team's performance.
Point #5: Prepare
Chronologically, this point should obviously have been first. I put it last for a reason, though: I wanted to give you some idea of what it is you have to prepare for before I raised the issue of preparation.
I hope I was right. I hope that this little blog has given you sufficient impetus to move cybersecurity crisis preparation to the top of your to-do list for the quarter. And I hope that as part of that preparation, you reach out to me.
Please do not put all of your organization's “eggs” in the cybersecurity prevention basket. The empirical evidence is clear. You are likely going to suffer a serious cyber incident at some point. What's also clear is that the impact of that cyber incident on the future of your organization, your employees, your supply chains, and the rest of us is critically dependent on how well you prepare for such a contingency — and who you engage to assist you in that preparation. To learn more about incident response and how to prepare, visit our Emergency Incident Response services.