Cyber-attacks are some of the most complex, common, and challenging risks for modern organizations. They’re happening at such a rapid pace now that organizations can no longer sit back and think about what they might do if they experience an attack.
Today, focus must be on developing adaptable and flexible resilience plans that ensure confidence in your organization’s ability to respond when one (or multiple) attacks occur.
That’s what we talked about recently with Jim Kastle and Mark Eggleston during our seventh episode of season two of Castellan’s podcast, “Business, Interrupted.”
Kastle is the chief information security officer (CISO) of Kimberly-Clark and Eggleston is the CISO of CSC.
The two shared their thoughts on cyber resilience, why it’s important, and how it has evolved into an imperative for all organizations.
The Changing Role of the CISO
When it comes to resilience management, the role of the modern CISO is constantly evolving.
Today, CISOs can no longer be exclusively technology-focused. Instead, they also have emerging responsibilities directly related to business continuity and disaster response.
For those who have been involved in the security operations center (SOC) arena, it’s something they may have seen coming.
That’s because security, in many forms, includes resilience. It also depends on key resilience strengths such as the ability to collaborate between teams and executives, as well as being able to work well with external parties.
“I think the CSO plays more of a role than ever in resilience for a lot of reasons,” Kastle said. “Many of our resilience impacts in corporate America are driven by cyber incidents, which automatically necessitates a CSO engagement; whether you own business continuity or disaster response or not, doesn’t really matter. The issues are frequently cyber-driven.”
In our current operating environment, most organizations have had some type of impact from a cyber event, even if it’s indirect. That’s one of the many reasons why it’s critical to have effective cyber response capabilities within every organization.
“Resilience thinking is really, really helpful,” Eggleston explained. “You’re always thinking about all the negative things, and so you can then start to hypothesize certain controls and ways to bolster that response or make that control a little bit more stable, more resilient, so to speak.”
Many security professionals, especially those who may have served in the military, for example, often already have this mindset. They often already know how to execute what needs to be done while keeping calm.
“And I think that’s a really, really good, important thing, when you’re going through these responses,” Eggleston said.
For those who might not have that same experience, you can develop it through routine testing and exercises.
“You really start to see a lot of the things that come out there and people getting stressful because you have to make decisions with very limited information,” he said. “And I think that’s where a lot of us shine again, because we have frameworks that help us make some of these decisions and concede the known unknowns and the things that we do.”
Kastle agreed, focusing on the importance of awareness and the ability to respond with effective communication.
“You’ve got to be clear about communications and the fact that response is underway,” he said. “I think something that Mark said, which is … pivotal: You’ve got to have an instant response.”
And that response should be tested, tried-and-true, not made up on the fly.
“Practicing making decisions with limited information, those things, they’ll never get old,” Eggleston added.
As you go through these processes, you’ll likely discover more and more gaps, which you’ll have the opportunity to close before a real-world incident occurs.
Effective Cyber Response Capabilities
But cyber-attack preparedness goes beyond just testing and exercises. Mature programs should also identify some of the external resources needed for effective cyber response capabilities.
That might include adding a forensic team on retainer. Why? Because if you’re trying to get a forensic group involved in the middle of an incident, that may be challenging.
It’s also important to utilize the relationships you’ve built along the way with your peers, especially those within your industry.
“We are not the bastions of perfect knowledge and we should be learning from each other,” Kastle said.
Among the benefits of working with these peers are some competitive advantages. For example, you may garner insight into the types of things to look out for so you can build a response strategy in advance instead of reacting on the fly.
When you realize an event is underway, this is the key time to initiate response, not shuffle through your contacts trying to figure out who you’ll contact and what you need to do.
“Because that way, they’re going to be more apt to get back to you at a very tight timeline,” Eggleston said.
And, don’t forget the involvement of legal counsel in your planning, both internal and external.
It’s also beneficial to have a solid understanding of your executive and key stakeholder expectations regarding your capabilities.
“I would start there, making sure that you understand where they’re coming from,” Eggleston said. “And what’s important to them.”
While your key stakeholders may have a technology background or stay up-to-date on the latest cyber-attack headlines, board-level questions are often high level. They want to know answers to questions such as:
- How are we doing?
- Are we better than our competition?
- What do you need from us?
- Is there anything else that you need?
Being able to effectively answer these questions and align those answers directly with your organization’s strategy is a critical part of building stakeholder engagement and support for your cyber response program.