Despite the rising volume and increasing sophistication of cyber attacks, most companies don’t have an incident response plan in place or do not practice the plan on a regular basis. Seventy-five percent of respondents who were surveyed by IBM and the Ponemon Institute in 2016 admitted that their organizations do not have a formal cybersecurity incident response plan in place.
A proven way for hardening an incident response plan is by conducting an incident response exercise or a cyber war game. These exercises can test the readiness and responses of C-suite executives as well as employees across the company. For instance, a simulated cyber-attack can enable an organization to evaluate and fine-tune its responses to external forces such as media inquiries regarding a cyber-attack for legal and corporate communications teams to address.
Drawing on his extensive experience as Global Chief Information Security Officer at MetLife, AIG and most recently at BUNGE LTD., Dr. Robert Zandoli said that the deployment of cyber war games is imperative to an organization and its leaders in developing a well-designed, comprehensive response to a cyber-attack.
“I’ve been doing this for many, many years. The exercise is scenario-driven and the objective is to make crisis management a reflex like muscle memory,” Dr. Zandoli explained. You may test a breach of the crown jewels (critical information assets), the effect of an attack on operations (DDoS) or a third-party connections breach. You must have relationships (i.e., contact information) with law enforcement and other agencies and simulate engaging them in the exercise. Everything should be documented and practiced to build upon muscle memory so you can react and act quickly on critical, high-stakes, time-dependent decisions.
Including corporate functions and senior executives including C-level leaders is a critical element of these exercises. One of the top benefits of including senior leaders is that it shows that the threat of cyber-attacks is a real threat to the organization and is a risk that must be managed and understood at every level of the company. Involving senior executives helps to gain support for these exercises and the cybersecurity program.
“It underscores that the cyber threat is real and reinforces the message that these threats are plausible. It also emphasizes that cyber-attacks can and will happen and that you must have the entire company involved,” explains Dr. Zandoli.
For fellow CISOs who are considering the use of cyber war games, Dr. Zandoli said it’s extremely valuable to obtain an executive sponsor. For example, the Chief Risk Officer or the General Counsel would support their proposal to senior executives.
From his experience, Dr. Zandoli has also discovered the benefit of interviewing each participant - including the C-suite - before the cyber war game exercise. This has two purposes: 1) to gain important information about the business operation and assets to help develop the scenario and 2) to explain how the game will be conducted. They should understand that it’s a no-fault environment - i.e. it is a learning experience - and to understand how the exercise itself will be conducted. Also, there are certain artificialities - e.g. the exercise in conducted in one day whereas a cyber-attack may take six months to develop. All participants are instructed to accept the scenario as real. They are reminded that this is a simulation and that it is a controlled environment and that all their actions will be simulated. For instance, a conference call with the press will be simulated and not actually occur.
Once a cyber war game exercise is underway, all participants will react to various information (injects) as they would in a real cyber crisis.
All activities will be documented by a scribe and reviewed in a separate meeting which is an exercise retrospective or post-mortem. All actions will be reviewed to identify any gaps in a company’s incident response plan and documentation so the crisis manual(s) can be updated.
“A good incident response is critical in reducing the impact of a cyber-attack to protect the assets, operations and reputation of the company,” said Dr. Zandoli.