By Emilian Papadopoulos & Evan Sills at Good Harbor Security Risk Management
Every organisation faces distinct cyber risks. While many of these risks are mere nuisances, some can have existential consequences. These are the risks leaders must worry about as they strive to build a cyber resilient organisation.
These risks are unique to each organisation, depending on its core business, governance, technologies, relationships, geography and any number of other factors. Posed as questions, they are the ones executive teams and boards of directors must ask: “What makes my company tick?” and “What is the worst thing that could happen to disrupt my organisation in a material, existential way?”
To survive potentially existential attacks, leaders of governments, corporations and non-profits alike must overcome significant challenges. As threats evolve, they must appreciate how the threat landscape relates to their organisations and their critical assets and processes. They must implement policies and technologies that can keep up with these evolving threats. And they must assemble a team for rapid response to a cyber crisis, which is challenging because it requires collaboration among C-suite leaders and with forensic teams, law firms, public relations firms and security advisors that are retained individually but must work together.
To do these things, a cyber resilient organisation must develop a whole-of-enterprise strategy that combines technology, policies and business priorities and uses the skills of everyone in the organisation. In cyber resilient organisations, boards of directors are part of the risk tolerance discussion, helping leadership think about which risks should be avoided, mitigated and accepted.
Resilience is a concept that is increasingly acknowledged as a trait of the most sophisticated organisations. To be resilient over time, an organisation must accept that in the current cyberthreat environment, bad things will happen and consequences must be mitigated; to do this, particularly in the face of changing threats and attack techniques, organisations must adapt. The NIST Cybersecurity Framework, which has been adopted by many companies and state governments alike to manage cyber risk, calls the most advanced organisations ‘adaptive’. This means not that they are able to prevent every cyberattack, but that they can take their existing knowledge and readiness and apply it to a new situation quickly, before significant harm is caused.
To build such an organisation, C-suites can undertake a series of actions that will demonstrate the importance of cybersecurity within their organisation and prepare themselves for cyber incidents. This article will discuss key actions that leaders can take (and boards can oversee) that will help identify and mitigate worst-case scenarios and build resilient organisations.
Most leadership teams spend their cyber risk discussions asking good questions about programme implementation, compliance and best practices, but they often do not start with the solid foundation of a discussion about their company’s distinct risks and risk tolerance. As a result, they wrestle with a lack of clarity regarding the crown jewels that require prioritised protection within the organisation and resources do not get directed towards mitigating the greatest risks.
Beginning a risk discovery process that starts at the C-suite and involves the board is crucial to understanding the worst-case scenarios that should be the focus of attention and resources.
The process of discovering a company’s worst-case scenarios should involve participation from across the organisation. Every department should contribute to understanding the risks present in its activities. The company’s crown jewels may be its people (human resources) or intellectual property (research & development) and its worst-case scenarios may come from its supply chain (procurement), lawsuits (legal) or reputational damage (communications). Further, involving every department in risk discovery will prime departments to help prepare for and respond to incidents. Human resources must help build a cybersecurity culture. The general counsel must analyse insurance policies to ensure that cyber incidents are covered, whether under general liability (CGL) or dedicated cyber policies. These are just a few examples.
Part of ‘knowing thyself’ is ensuring that the right resources are available to support the organisation in the event of a cyber incident. In some cases, such as public relations firms and outside counsel, an existing provider may be sufficient if it also possesses expert knowledge of crisis management and cybersecurity. In other cases, such as a forensics firm and expert advisors for the CEO and board, these groups may need to be retained specifically for the purpose of responding to cybersecurity incidents. Having these groups signed up, with contract details sorted out in advance, costs little and is essential to responding to an incident and mitigating damage quickly. Planning ahead in this manner builds resilience by preparing an organisation for the day when a cyber incident occurs.
Put it on paper — carefully
Often the harm from a cyber incident comes not because of the hack itself but because the organisation cannot demonstrate that it had taken cybersecurity and its responsibility to protect data and systems seriously, calling into question the C-suite’s and board’s risk management and oversight. Appropriate documentation can reduce these risks.
Organisations dread lengthy, detailed policies that sit on the shelf, collecting dust – and rightly so. However, careful documentation of risk management processes and decisions and of IT security policies, training and technologies helps mitigate the legal and reputational consequences of an incident.
Documentation should be iterative and updated frequently and should cover a range of topics: the risk discovery and identification process, including information gathered and decisions made; documentation owned by IT, such as processes for change management (that is, documenting and approving changes to hardware and software), inventory lists and defensive technology plans; and documentation owned or shared by other departments, such as IT security policies for employees, decisions about cyber insurance policies, IT security requirements for vendors and more.
A dynamic understanding and documentation of these topics fosters a sophisticated understanding of the organisation’s risk profile and risk management and it also involves many executives and employees, helping to create a cybersecurity culture that makes the organisation more resilient.
Further, compiling this information will make it easier to respond to information requests from auditors, regulators, customers and clients. As third-party risk management, supply chain risk management and regulatory oversight become more invasive, organisations spend increasing amounts of time answering document and data requests regarding the security of their systems and networks. This creates the risk of ‘death by audit’; having this information readily available speeds up the response. Responding to external requests also risks distracting an organisation, leading it to focus on compliance with regulators or customers rather than on managing its own risks, which makes it less resilient in the face of its distinct worst-case scenarios. Getting third-party responses under control allows organisations to focus on their own risks and resilience. Of course, documentation also creates risks (what is written down can be discovered and used against the organisation), so it should be done carefully and in coordination with counsel.
Practise, practise, practise
No leadership team wants their first cyber crisis to be a real one, with real consequences on the line. Instead, they should conduct exercises and simulations, just as militaries and the most sophisticated companies do, to strengthen the organisation’s response muscles, identify areas of tension and familiarise individuals with their roles and responsibilities.
Before actually running exercises, careful preparation is required. Ideally, the organisation will first develop incident response plans that are tailored to its identified worst-case scenarios, including details on resources, who to notify about certain incidents and how to escalate different situations. The plan may not address every possible scenario, but resilient organisations are able to adapt existing plans to new situations.
Exercises should closely resemble an actual crisis, particularly in terms of who is participating. If the CEO is going to be involved in a real crisis, which is likely if it is a worst-case scenario, she should be involved in the simulation. If the organisation has retained a forensics firm to respond to a real incident, a representative from the forensics firm should participate. Similarly, for an executive table-top exercise, if members of the C-suite are going to have external advisors during a real incident, those advisors should be available to give advice during the exercise.
Exercises are also an opportunity to identify and clarify the role the board of directors may play during a cyber incident. During incidents, directors are understandably concerned and want updates, but they should not interfere or distract leaders from executing their response. Identifying a single director to liaise with the executive team, particularly if that person has some technology experience, can smooth communication lines and reduce unnecessary stress during a crisis.
Exercises should conclude with a ‘hotwash’ debrief right after the exercise and after-action reports that draw out lessons learned and help track improvements, fostering the continuous improvement that makes an organisation resilient long-term.
Organisations can also learn from real incidents, not just simulations. Many cyber incidents are minor and cause no damage but can still be valuable learning tools, as large incidents can be. Organisations should debrief and harness lessons learned from minor as well as significant incidents.
Don’t do it alone
Resilient organisations constantly learn from the experiences and resources of other organisations and incorporate that knowledge into their cyber incident response capabilities. From small, internal incidents to big, public data breaches in unrelated industries, there are many lessons to be learned. Executive teams and boards can educate themselves in two primary ways.
Organisations can learn about their own risks and possible incidents from their ecosystem, peers and even incidents in unrelated industries. Many board directors first become involved in cybersecurity because they see a large breach reported on the cover of the Wall Street Journal and ask “Could this happen to us?” The experiences of other organisations, both in terms of their responses as well as the tactics being used by attackers, are valuable information that organisational leaders should be using.
Organisations can also benefit from their ecosystem, including third parties, suppliers, customers and peers, as well as cybersecurity experts who benefit from constant learning across industries. Industries as a whole are considering how cyberattacks could affect individual members and how shared suppliers can introduce threats to everyone. One way to manage these risks more efficiently and cohesively is to take them on at an industry level. Through Information Sharing and Analysis Centers (ISACs), trade associations, or other industry groups, it is possible to develop action plans, distribute best practices and build resilience throughout the industry in dealing with the potentially catastrophic effects of cyberattacks.
Resilient organisations are not invincible and they do not necessarily spend more on cybersecurity than other organisations. They can withstand cyber incidents because they apply risk management principles and continuous improvement to understanding their most significant risks and mitigating them.
They understand themselves, including the threat environment around them and their worst-case scenario risks, as well as what resources they have to mitigate risk. They engage leaders to think about technology and how it is transforming their organisation. They treat cyber risk like other risks and incorporate it into risk management practices at the board, C-suite and employee levels. They document appropriately to tell a good story about their approach to securing themselves and making their organisation resilient.
They constantly learn from themselves and from peers, partners and even unrelated organisations in other industries. Most consult with and retain external experts who deal with cyber incidents at other organisations frequently, so that when the incident happens to their organisation, or preferably before it happens, they benefit from perspective and insights on ever-changing threats and situations.
Finally, they prepare for the worst, planning to recover from cyber crises and practising how to do so. They have drafted and tested incident response plans at the department, enterprise-wide and industry levels to best understand and mitigate consequences that may stem from a cyber incident.
Resilient organisations don’t avoid incidents 100 per cent of the time; they learn to live through them.
About the Authors:
Emilian is President and Evan is an Associate, Good Harbor Security Risk Management. Good Harbor Security Risk Management, LLC works with senior corporate executives, investment professionals, and government leaders to assess and develop strategic cybersecurity programs that mitigate organizational risk in the face of advanced cyber threats.