I’ve attended a number of great workshops, webinars, and other events this year that address this growing topic of interest for all businesses and organizations. We’ve all grown too accustomed (and possibly desensitized) to the news story about another data breach by a Fortune 500 company or other large organization. We know that cybersecurity is a significant risk for each one of us. We hear about great solutions and services in the marketplace to address this risk. But how many of us are more focused on preparation, monitoring, and risk mitigation than on actual response? If so many of the largest companies in the world have responded to their own data breach in spite of their complex and multi-layered defenses, it’s just a matter of time until the rest of us are faced with this crisis. We need to plan for a cyber response just as much as we need to prepare for, implement, and monitor our cybersecurity defenses.
Cybersecurity is not just an IT issue
Many organizations that we’ve engaged with relegate the topic of cybersecurity to the IT department alone. The reality is that during a cyber incident, it quickly becomes “all hands on deck” for all departments. If a cyber incident took place at your organization, how many of the following departmental issues would need to be addressed?
- Legal – contractual, legal, and regulatory issues associated with response actions and communications to customers, media, and regulators
- Finance – coordination of insurance policies and claims, approval and payment of unbudgeted and costly response and remediation expenses, resulting in adjustments to financial forecasts and budgets
- HR – managing internal communications to employees, what they can say, what they can’t say, and addressing all sorts of questions and concerns while trying to keep top talent from fleeing
- Customer Service – fielding much higher than usual call volumes from customers about social media rumors, actual news stories, and other reports about the incident impacting their services or data
- Sales – devising strategies and messages to respond to prospect’s concerns over the incident and how it will affect their decision to buy your services or products
- Marketing/PR – managing communications and strategic messaging on social media, in the press, and preparing executives for interviews
There are other departments that could be impacted as well, and that’s before we even consider the impact to the IT department trying to troubleshoot, respond, and resolve the root cause of the cyber incident.
Planning for a Coordinated Response – Tabletop Exercises
A good cyber incident or data breach response plan should include the coordination of activities, communications, and information among all of the departments listed above. The challenge that we all face is – how do we get them all on the same page to even begin writing a plan? The answer is simply a tabletop exercise.
I have facilitated dozens of tabletop exercises this year covering a broad range of topics and scenarios, and cybersecurity is quickly becoming the most popular topic. In my experience there is no better or more effective way to bring everyone together to understand their role and to define their responsibilities that will be required during a cyber incident.
An effective cyber incident tabletop exercise should include the following elements:
The right participants – make sure you include the right representatives from each department that will have a role to play during an actual incident. While the above list of departments is a good starting point, consider other departments that may have a role to play in operations or other areas of your organization. Certainly include the required IT representatives, but make sure the other departments have the right people at the table.
The right time – set aside enough time for an effective exercise. In my experience, that’s a minimum of 3 hours and should be 4 – 6 hours. It sounds like a lot of time but if done correctly it will be highly engaging and valuable. People should leave with a clear understanding of their roles, responsibilities, and issues that they need to address to set them (and the organization) up for success during an actual cyber incident.
The right objectives – define exactly what is that you are trying to accomplish during the exercise. Is it to define the roles, responsibilities, and tasks for each department as the foundation for developing a response plan? Or are you trying to identify and resolve any gaps in an existing plan? Other objectives could include focusing on coordination between departments, developing communications messaging, or determining which external resources may be required.
The right scenario – develop a realistic scenario that will achieve your objectives within the allotted timeframe. Make sure you include scenarios and questions for each of the departments participating in the exercise. You don’t want to have anyone sitting around with nothing to do, so be intentional about the scenarios to cover the likely issues of concern for each of your participants.
If you check all the boxes above, you are well on your way to a successful tabletop exercise that will initiate or accelerate development of your cyber response strategy and plans. People should leave the exercise with a clear understanding of the identified gaps, issues, and action items identified during the exercise so work can begin immediately to address these items. The good news is that most people leave these tabletop exercises motivated to actually tackle the issues and action items that were identified. By placing them in the middle of the fictional crisis, it elevates their attention and engagement. It’s the reason why these tabletop exercises are so effective.
Finally, there is one important element that I intentionally omitted from the above list for your tabletop exercise – the right facilitator. You need to find the right person to facilitate your exercise who is experienced and capable of keeping everyone focused, on task, and preventing the entire exercise from running off the tracks. You might have this person in mind in your organization today, or maybe you are that person. But if you need help, please contact us for more information. As a Master Exercise Practitioner, I’d be happy to help you develop, design, and facilitate your tabletop exercise. Either way, be sure to schedule a tabletop exercise soon. Past experience has demonstrated that it is the best way to engage the various departments on this important topic and increase your organization’s cyber resilience.
Last year the South Carolina Emergency Management Division (SCEMD) launched a series of workshops to promote business emergency preparedness to the private sector. Atlantic’s founder and principal, Scott Cave, agreed to partner with SCEMD in facilitating these workshops, but instead of using the typical lecture workshop to convey the preparedness message, he recommended an interactive series of hurricane tabletop exercises. Mr. Cave has achieved the Master Exercise Practitioner designation through FEMA’s Emergency Management Institute and leads dozens of exercises each year for Atlantic’s customers and in various workshops. SCEMD agreed to this interactive format and launched a Coastal Resilience Exercise series in Charleston, Georgetown, and Horry counties. Mr. Cave designed and facilitated the exercises to wide and diverse audiences of businesses between August, 2017 and April, 2018.
On June 12, 2018, Mr. Cave was invited to the SCEMD headquarters in Columbia, SC to receive the State Commendation Ribbon in recognition of these efforts. The commendation reads as follows:
“Mr. Scott Cave is commended for notably superior devotion to community and exemplary performance of duty as a Senior Facilitator for the South Carolina Emergency Management Division’s Coastal Resilience Exercise series for the period 25 August 2017 through 25 April 2018. Mr. Cave personally developed and was instrumental in the delivery of three separate tabletop exercises designed to promote emergency preparedness and continuity for the private sector in Charleston, Georgetown, and Horry counties. Mr. Cave’s broad wealth of experience and expertise in business disaster planning, coupled with his unparalleled willingness to volunteer personal time and hours from his own business to share critical best practices has greatly advanced the level of disaster preparedness of South Carolina’s coastal business community. Scott Cave’s superior performance brings great credit upon himself, the South Carolina Emergency Management Division, and the Military Department of South Carolina.
Signed R. Van McCarty
Major General, SCARNG
Deputy Adjutant General”
We at Atlantic are honored by this recognition and appreciate our ongoing partnership with the South Carolina Emergency Management Division. We look forward to working with SCEMD as we explore the possibility of extending this series of workshops and exercises over the coming months.