Incident management is today an integral part of security operations in any mature organization. Most organizations believe that they have implemented fairly decent processes to handle cyber incidents.
The question, therefore, is why they then fail so badly when faced with a cyber crisis. The answer is essentially simple: a crisis is not the same as a high priority incident. This simple fact sometimes escapes the scrutiny of the planners.
A crisis (in general) occurs as a result of many unfolding events. These events test the organization's limits in handling them, both in capability (or skills) and in capacity. The same series of events makes the available information uncertain, which in turn impairs the decision makers' ability to respond efficiently. Unreliable information also makes it increasingly difficult to engage with stakeholders and contain the situation.
For the purpose of this article, let us assume that a cyber crisis is simply a crisis with a cyber characteristic, although this view is contested by many.
Preparation for handling a cyber crisis, therefore, requires planning and decision-making at a strategic level. Here are a few building blocks which we need to consider:
- Escalation Process- A cyber crisis starts as a regular incident and acquires the characteristics of a crisis as it unfolds. It is, therefore, crucial for organizations to be able to decide to escalate when an incident has the potential to test the organizational capability (or capacity) to resolve it. Often the security operations team or the incident response team is too focused on details and may miss the larger picture. This must be addressed through cyber drills and by establishing formal escalation mechanisms.
- Partnerships to augment capability / capacity- Organizations must identify and put in place partnerships to augment the capacity and capability of their incident response teams when required. These partnerships could even include engagement with law enforcement agencies (LEA) and local CERTs.
- Cyber Crisis Management Team- The organization must identify a cross-domain team which is capable of handling the cyber crisis and acts on behalf of the board and other senior executives of the organization. This team should also be able to translate the technical nuances of the cyber crisis into business language and present them to the board and senior executives for decision or guidance.
- Secure and Robust Communication Channel- It is likely that the cyber crisis would also impact the organization's regular communication channels, for example email. It is essential that the organization has at hand a mechanism to communicate with all relevant stakeholders over a secure and robust channel, one that does not depend on the infrastructure under attack, to coordinate the effort required to contain or mitigate the crisis. Infrastructure investments like war rooms could be considered to act as the nodal place for crisis management.
- Executive Buy-in- Last but not least, the board and senior executives must be functionally integrated into the organization's cyber crisis management plan. It is crucial that stakeholders see them (or perceive them) to be on top of things as they unfold. Media interactions, if any, are also an important part of crisis management.
It is certain that all organizations will experience cyber incidents; it is also possible that some of these incidents could threaten the organization's ability to conduct its business. It is at that point that careful investments made in preparing the organization's cyber crisis management capability would help it conduct its business during a cyber crisis, thereby achieving a state of cyber resilience.