Incident Response has always been cybersecurity’s most perilous high-wire act – one that requires the dextrous handling of every operational asset of ‘people, processes and technology’ to be truly effective.
Frontline security teams working to proactively manage incidents increasingly do so against a backdrop of highly unpredictable adversaries, budgetary constraints and spiralling technological change.
The ‘never normal’ state of today’s business world, coupled with the frontier nature of much of cyber risk, further compounds the already considerable challenges of breach preparation and response.
Add in the fact that more and more businesses exist within highly interconnected ecosystems – making it difficult to control interdependency risks – and it’s even more vital that organisations shore up their resiliencies with a systematic approach to handling and resolving security incidents.
Yet, despite all the complexities, IR is essentially still about managing risk. At its core: actionable threat intelligence, effective processes, and understanding people.
Cyber Security Service specialists Bridewell gathered twenty of the UK’s leading female Security specialists, in a confidential setting, to ask about their challenges and the lessons they have learned in delivering effective IR. This is how they achieved buy-in from their boards, how they ensure their organisation is prepared to respond to and recover from a breach, and how they are adapting to today’s technology landscape.
Gaining the Trust and Support of the Board for Investing in Incident Response
“Incident Response is a really complex topic – and execs and board don’t necessarily understand it. It’s a terribly frightening thing for a senior board member to admit they don’t know what you’re talking about; that’s exposing their vulnerabilities. So talk to every member of the board and help them to understand. Take them from where they are, to where they need to be.”
“Show the board evidence. Using threat intelligence shows that the plausibility is there. But it has to be contextual to your business – it has to matter to them. And get to know board members as people, build a relationship with them. Earn their trust – because the moment you own that trust, they will give you money because they trust where you’re coming from.”
“The big problem is where you’re identifying new risks that haven’t been identified before – and you’re effectively calling the CTO’s baby ugly. And it’s difficult to find the narrative which enabled us to justify why we were now reporting ‘red’ – when previously we’d reported ‘green’. You have to explain why the change has happened.”
Despite recent high-profile attacks bringing widespread attention to the critical importance of cyber resilience, security specialists continue to encounter challenges in achieving buy-in from the board – particularly in tightening economic circumstances.
Earning the trust of your board is crucial if they are to allocate substantial resources to boosting Incident Response. Security specialists should be aware that executives and board members may not fully understand complex cyber issues, and should help them by using clear, concise language framed in terms of tangible business impact and benefit.
Conducting board-level IR exercises and simulations can help bring to life the challenges facing InfoSec teams, and the tough decisions executives would have to make if a disruptive cyber incident such as a ransomware event really did occur.
And by commissioning threat intelligence reports and security assessments, CISOs are better able to rank risks in order of priority – and go to the board armed with substantive evidence of specific areas of weakness.
By focusing on tangible impact – and showing how those impacts would manifest in the company – security leaders have considerably more firepower when asking for investment, especially when they are highlighting new risks.
Lastly, CISOs must ensure their board presentations end with a considered action plan, rather than just warning of potential catastrophe and neglecting to show a way forward.
Challenges in Ensuring Your Organisation is Prepared to Respond and Recover From a Breach
“Managing motivation and human resilience is crucial. Following SolarWinds and Log4j my organisation was in constant panic mode; teams would call Incident Response over anything. The NCSC would have a tiny report on their website and people would say ‘Incident! Incident!’ – when we don’t even use the affected software. The danger was, what would happen if a real incident came in when you have alert fatigue?”
“I’m blessed to be in a company that lives by playbooks because of the nature of what it does. When an incident happens, I do not advocate panic – because it unsettles everybody and you lose trust quickly. And your ability to manage the event is what matters to everybody. By staying calm, you meet everybody’s needs.”
“There’s a culture difference between organisations who are used to having crises. When you go into an organisation that hasn’t had a problem for a year or two, they’ve lost the muscle memory of how to respond. So when you DO have one you find yourself, as a CISO, like I did on Boxing Day – with everybody telling me they’re not on call. Whereas in an organisation that is used to problems, you’d never have that.”
Every organisation has a unique set of critical functions; they have different objectives, focus on different markets and attract different cybercriminal groups. Testing these critical controls and frameworks, through resilience exercises and simulations, is vital to achieve a cohesive IR plan and build standardised processes.
As is so often the case in cybersecurity, organisational culture is key for cyber resilience.
Businesses with a strong security culture – who understand their challenges, take remediation seriously and have clear IR playbooks – are much better placed to withstand breaches, along with enterprises who maintain muscle memory from weathering previous crises.
Further cultural distinctions – such as the turnover rate of staff, working regulations, highly distributed workforces or companies with vast DevOps teams – also impact IR approach and readiness.
And then there’s the importance of supporting staff in an industry where burnout is commonplace. Frontline human assets are the cornerstone of IR, so considering their needs (such as how to feed and sustain a team that is working around the clock to contain an incident) should be part of any IR preparation.
During an incident – and in times of highly publicised vulnerabilities and attacks – avoid panic at all costs. Properly tiering events is crucial. Should an incident occur, do not neglect a read-across: checking that an incident in one area of the organisation hasn’t also impacted other areas.
Preparing for the New Technology Landscape
“What I found across my organisation was the lack of understanding and the false assumptions of what was available from some Public Cloud providers in the event of an incident in their environment. They don’t have any access to your environment – and, although you think people are aware of the shared security model – many don’t put two and two together. So my biggest learning is being absolutely clear about what your cloud provider will do in the event of an incident – and the answer is zero. Absolutely zero.”
“Our main system is still on prem – although we’ve got periphery systems on the cloud. But we don’t have the same version of the controls on the cloud that we’re used to having on prem. And a lot of responsibility for cloud controls has moved to the tech teams – and they’re struggling to understand what rules or controls they need to apply – which is leaving doors for a potential incident wide open.”
With accelerated deployments of hybrid and multi-cloud environments – of multiple SaaS, IaaS and PaaS providers and convoluted digital supply chains – most companies’ attack surfaces have proliferated beyond comprehension.
Understanding your exposure and risk prioritisation in a world of cloud sprawl, and shared responsibility models, is paramount.
Amid a rise of breaches – with adversaries preying on organisations’ complex infrastructures and lack of cloud security expertise – IR teams must strive to upskill, with resources invested in both getting to grips with the new technology landscape and in seeking external expertise and surge resources, if needed.
“The cyber threat landscape has changed and increased at such a rapid rate that many of the approaches that worked for the past years now need to be uplifted and adapted,” says Emma Leith, Director of Consulting at Bridewell.
“The more the top level of organisations are fully briefed and practised on effective response to cyber security incidents the better.”
“Cyber Security always works better when we collaborate and embed the importance of security across the organisation. Starting from the Board.”