Preparing the Workforce for a Cyber Crisis — An Interactive Simulation

As security leaders continue to evolve their corporate defenses, even the best crisis response plans struggle to account for the human element. The performance of your technology might be a known quantity, but what about your human capabilities? 

Recently, the Toronto CISO Community had a virtual town hall featuring a realistic cyber crisis simulation to test and discuss how to make organization-wide decisions in a crisis. Jamie Knobles, Senior Manager of Solutions Consulting at Immersive Labs, led the simulation, and Toronto CISO Governing Body members Assaf Afek-Levy, CISO at GFL Environmental, and Nagesh Chawla, VP, Enterprise Technology and Cybersecurity at Foresters Financial, helped guide the discussion.

Jamie kicked off the discussion by noting that with threat actors continually changing, there are different paths executives might have to take to respond to crises. He encouraged CISOs to think about the threats, digital and operational impacts, and the cascading impacts in the context of their organizations. 

He set up the scenario for the executives to decide on the best paths to minimize the impact of a crisis. In this discussion, the simulated scenario was a hospital setting responding to a cyber incident in which critical systems are compromised, putting patient care and data security at risk. 

In the highly interactive session, executives debated and then voted on each step based on a list of possible responses.

• The first step highlighted the fact that employees in different roles might be responding to a crisis. In the scenario, an emergency room doctor was the first person who had to make a decision when the hospital’s patient management system was down.

Executives voted to deploy a manual work around and move to a paper-based system. One CISO noted that the healthcare setting was a factor in the response, while several pointed out that data collection and data privacy were at risk with a paper system. Another CISO said that there should be backup systems in place and an incident should trigger the implementation of the organization’s Business Continuity Plan (BCP).

• In the second step of the scenario, the IT and Security teams discover the hospital’s network has been compromised, and according to the hospital plan, the patient management system should be shut down. This prompted the CISOs in attendance to determine how executives should respond and who should be involved.

There was less consensus in the group on exactly who owns the decision, but the security executives agreed that this was a senior leadership decision. One said that “the BCP would have a cross-functional team of leaders working on this,” and another agreed that “the CIO or CISO would make the final call,” but there should be consensus across the team.

• Next, the scenario presents the impacts from the decision to shut down the patient management system and asks the CISOs to consider the best communication strategy.  They agreed that the organization should have a detailed crisis communications plan in place, and in this case, patient safety and data security should be the highest priorities.
• The scenario becomes increasingly complex when the hospital receives a ransom demand, threatening to publish patient records. The CISOs in the discussion agreed not to pay the ransom and were split between negotiating with the threat actor or simply not paying it. A few CISOs pointed out that negotiating buys you time to recover. One executive said, “Negotiation can give you more time to check the secondary backup, insurance and legal aspects.” 
• As the scenario continues, the executives are faced with data privacy issues stemming from the patient data being temporarily housed on paper and staff members using different devices and workarounds. Several CISOs mentioned that they would defer to Legal for the best way to handle possible privacy breaches.
• Finally, the scenario ends with the knowledge that there was threat intelligence that was not acted upon about the cyber attack on the hospital. Most CISOs felt that an investigation was in order into what happened in that response.
   

Key Takeaways from the Discussion

1. At the end of the day, it’s about preparedness. The CISOs who participated agreed that cyber crisis situations are chaotic and decision making under pressure is difficult. They felt this was the reason they document security processes, procedures and playbooks and then practice them through tabletops and other exercises. As one CISO cautioned about a crisis, “Never underestimate the potential for chaos.” 
2. Update BCP plans regularly. Security leaders also agreed that BCP plans should be refreshed annually as people, processes and technology change. One CISO noted that the BCP must be reviewed after any major project or change in order to ensure that it still works, and others believe that practicing is critical from both a technical and a leadership perspective. 
3. Factor in the recovery from a cyber attack. CISOs discussed the importance of understanding the big picture when it comes to the business impact of a cyber incident. One said that it is especially critical “when it comes to the recovery and the costs of recovery – have an end-to-end structure and test it.” Another shared that CISOs should “do regular testing on backup systems,” and leverage tabletop exercise to test their recovery systems.
4. Involve senior leadership and the Board. Security leaders believe that the response team – including senior leaders – needs to be well trained on the organization’s most valuable assets and key things to protect. They felt that practicing regularly would help individuals and the organization to build “muscle memory” when it comes to their critical responses.

Overall, CISOs were highly engaged in the session and shared their own experiences with incident response. They talked about the importance of operational resiliency, business continuity planning and testing and practicing with key stakeholders. As one CISO said, “No matter how much you document, the plans will never fit the scenario perfectly….  But practicing will help you adapt to the current situation.”

CISOs can continue the discussion on responding to cyber attacks and operational resilience at an upcoming Evanta community gathering. Evanta community members can sign in to MyEvanta to find events and register with one click. Or, executives may apply to join a community of CISO peers to stay fully up-to-date on key topics for security leaders.
 

by CISOs, for CISOs
 

Join the conversation with peers in your local CISO community.