In our recent blog post, we discussed different cybersecurity incident scenarios you can test. In this post, we'll discuss the benefits of these types of exercises and how to get approval for them.
Why Are Cyber Exercises Useful?
Some of the benefits of cyber exercises include:
- Understanding actual versus perceived capabilities of people and technology
- Figuring out where to invest budgets in training or new technology
- Building muscle memory and reducing stress for security teams and management
- Improving morale and team building
- Meeting regulatory requirements
Let’s take a look at each of these in more detail.
To be effective, cyber exercises should focus on the entire organization and how well the interdependent parts work together. Organizations have to consider their customers, the user community, third-party vendors, and partners, as well as their business needs. They also have reporting chains and approval requirements.
Scoping a cyber exercise to include all these components is critical. It helps measure how responsive and sustainable those relationships are, so you can validate or improve procedures and policies. Instead of just reviewing them in a room filled with stakeholders who would rather be at lunch, or sending them out in an email that people may or may not read, you can actually apply them in a simulation to see how well they represent the needs and goals of the company.
To use a sports analogy, a team that sweats together in practice sessions learns how to work together and learns how to rely on each other. The daily frustrations are lessened through understanding, and familiarity with each other adds to the sense of belonging in a team. Cyber exercises can improve morale and build a sense of teamwork that extends beyond the security and IT operations staff.
Depending on your industry, you may have regulatory requirements that can be met through a cyber exercise. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires training for all personnel who handle Protected Health Information (PHI). The requirements for data storage and protection fall directly on the cyber team. A cyber exercise can and should incorporate these requirements so that the exercise itself helps satisfy the regulatory obligation.
Getting Approvals for Cyber Exercises
We’ve discussed some of the benefits of cyber exercises. Now let’s talk about getting the necessary approvals. The two items that need to be considered are how to get approval and at what level. It may seem that these two tasks are one and the same, but treating them as separate tasks results in a repeatable process.
Let’s start with determining who needs to approve the cyber exercise. If you don’t know who ultimately has the power to green-light the exercise, you can’t get proper approvals. Start with the reason(s) you want to have the exercise. Use that information to determine who has to participate and whose participation would contribute to the exercise.
For example, cyber staff is required. Will the Incident Response (IR) team be required, too? If IR is required, is the legal department required to support the IR tasks, or can their participation be simulated? Once this list of players and support roles is developed, it’s much easier to figure out who can authorize all these various groups to participate and how far up the org chart you have to go.
Once you’ve figured that out, the next step is figuring out how to get approval. You will need to develop the justification for the exercise. Use the ideas in the section above. Add cost estimates, list the participants, and determine relevant metrics and goals. Include any industry regulatory requirements.
Since the exercise hasn’t actually been planned yet, all this information is estimated, but at this point, you should have a pretty good idea of the actual costs and key participants. From this point, each company will follow its internal policy for requests. Use that method and allow for the time required to get approval.
Depending on your company structure and internal relationships, educating all the different participants in a language they can understand can help speed the process immensely. For example, if you’re talking to someone from legal, discuss how the exercise could reduce liability for the company or prevent costly data breaches that might require the company to offer credit monitoring or engage outside counsel.
If you’re talking to someone from the public relations team, discuss how the exercise could give them better insights into the types and timing of internal and external communications they’d need to prepare in the event of a security incident.
Cybersecurity does NOT work in a vacuum. Whether you’re concerned about ransomware attacks, malware, or any other cybersecurity threat, cyber exercises can play an important role in helping you assess how prepared your organization is for whatever may hit next. They can also help you meet regulatory requirements like HIPAA and prevent chaos and misunderstandings in the event of an actual data breach or another security incident.
An important component of cyber exercise design is determining who should be involved. You should consider employees from across the company. In addition to the required security and IT staff, be sure to include representatives from marketing, legal, human resources, and customer service. This is how you can truly benefit from cyber exercises.
Motorola Solutions offers a wide range of Advisory Services, including Cyber Exercises, to help organizations prepare for and prevent cyber attacks. Contact us for more information.