Q & A: How Can Companies Use Cyber Exercises to Improve Incident Response?

Stephanie Ewing-Ottmers (otherwise known as SEO) is a Senior Associate at Delta Risk LLC. She is a CISSP with more than 15 years of experience in information technology and information security leadership. She also led our webinar presentation in July on how security teams can use cyber exercises to assess and improve their breach readiness.

In between the webinar, attending Black Hat, her work with clients, and all of the other running around (as a marathon runner, she’s used to running), she took a few minutes to answer some pressing questions we had about the current state of incident response.

Dev: Is incident response planning top-of-mind for the organizations you work with? How are they prioritizing it?

SEO: I regularly have the chance to speak with technical and executive-level professionals in different organizations regarding their cyber security incident response plans, and it’s certainly important to them. Executives in particular don’t always feel like they are ready to face a breach. Even though there is an effort to put a plan on paper, I’m always curious to find out if they put their plans to the test, and which methods they use for practicing those plans.

Dev: It seems like security and risk management professionals believe that table top exercises can be valuable, but are they conducting them often enough?

SEO: When I ask people how they test their cyber security incident response plans, many mention a table top they recently conducted, which usually took place within 12-24 months. This is a big improvement from 10 years ago when few knew what a cyber security table top exercise was. But when I ask them if they have additional exercise activities planned, they’re usually non-committal.

The one-and-done exercise approach is not nearly as effective as consistent exercising, training, and evaluation. Teams get better the more they practice.

Dev: Why aren’t companies able to build out additional exercise programs?

SEO: Due to budget constraints and overall lack of resources, many organizations are still very unstructured when it comes to implementing exercises as part of their overall training structure. I recommend everyone take a look at their current strategy and spend time building out a multi-year program with measurable objectives.

Dev: What are the most common issues with hosting an effective table top exercise?

SEO: Participation and the documentation of outcomes can be inconsistent at times. If you don’t have the right people in the room, there can be more questions than answers in the discussion. And if you don’t adequately document the lessons learned and gaps identified in the discussion, follow-up improvements are less likely to occur.

This happens for a variety of reasons, including inadequate sponsorship, insufficient planning, poor coordination, and lack of clarity of roles. When it comes to defining roles, folks outside of the security team may not be aware of their exact responsibilities for incident response, or whether they are even involved at all.

Dev: How often do you run exercise scenarios based on recent breach events that are in the news?

SEO: Many companies I’ve worked with want to play scenarios that they have seen in the media, particularly events that have happened to their competitors. I believe it’s a great approach and highly encourage it. However, I also recommend ensuring that each scenario still aligns to specific business objectives that will ultimately improve response actions. Don’t get caught up in the latest news story and forget to cover the fundamentals and essential processes in your plan. It’s also hard to practice for every possible scenario.

Dev: When comparing exercise types—table top discussions to more technical, full-scale exercises—which exercises are companies practicing more often to gauge incident response capabilities?

SEO: Few are doing true hands-on tests of their response capabilities. Discussion-based table tops are just that – discussions. At the end of the day, we need to turn those discussions into actions. You need to get your teams in the trenches to improve cyber security incident response performance. The problem is too many tools and processes sit on the shelf until a live event. It’s important to put tools and processes to the test in advance to ensure they will work as expected.

To gain an even deeper understanding of best practices for cyber security exercise programs, you can view a recording of our July webinar, “Can Your Security Team Handle a Breach? How to Use Cyber Exercises to Find Out.”

This 45-minute webinar covers:

  • Who can benefit from cyber exercises;
  • When to conduct cyber exercises;
  • How to demonstrate the value of cyber exercises to internal stakeholders; and
  • How to measure your readiness to react to and handle cyber incidents.