Exercising Security in the C-Suite
Information security professionals know that when it comes to breaches, it is not a matter of “if” but “when”. This has been a common expression communicated to executive leaders in hopes of helping them understand how crucial information security is to their organization. If this is not enough to scare them, recent breaches, such as the Target, Yahoo, and Sony breaches, are clear-cut examples of how security is now becoming the responsibility of company executives such as the CEO and CIO. While information security has been more openly discussed in the C-Suite, a study conducted by KPMG for Q1–2017 indicates that 72 percent of CEOs do not feel prepared to deal with a cyber-attack on their organization. This number clearly shows a large gap between knowing about information security and managing it. At the end of the day, executives will not be prepared to defend against or manage a breach until they exercise their ability to handle one; this is why including leadership in cyber exercises is so important to an organization.
Table Top Exercises and Others
Much like a fire drill, many businesses use exercises or security scenarios to prepare for and protect against potential incidents. These exercises range from interactive settings, where the IT and security teams respond to live penetration test attempts, to simple table top exercises, where teams within the organization work together to walk through potential breach scenarios. Exercises can also be controlled, where all team members are aware that it is an exercise, or unannounced, in order to test the team’s true response to a potential incident. While the executive team does not necessarily need to be involved in the technical reactions to an incident, they should be responsible for high-level management and response. This can be accomplished through simple table top exercises, where the C-Suite is provided with scenarios that require their action and attention.
Getting the boardroom involved is the first step in their preparation for handling a cyber-attack; the next is a successful plan for the executive team. Below are some best practices to ensure a successful exercise for the C-Suite:
Identify Critical Information Systems which would cause the most damage if breached. Since we already know it’s a matter of “when” and not “if”, it is important to identify your most critical assets based on your business structure and offerings. It is essential that the C-Suite understand the areas which require the greatest amount of urgency if breached in order to exercise the appropriate response.
Maintain broad, realistic scenarios. Since executives will not be directly mitigating the incident, it is best to keep scenarios broad and as realistic as possible. This will allow you to run through various potential risk types in a shorter period, since many incidents will elicit the same response from the executive team. Some examples may include system degradation due to natural disasters, insider threats, physical breaches, and mass data leakage due to an Advanced Persistent Threat. Broader scenarios will also allow executives to approach the issues through analytic thinking as opposed to rote responses.
Prepare the executive team before the exercise. Given the statistic of CEOs who do not believe they are prepared to deal with a cyber-attack, most executive teams will likely not have the proper knowledge to respond to the exercises. Therefore, preparation is crucial. Educating executives on appropriate actions to take, questions to ask, and Key Performance Indicators to assess for different scenarios prior to the exercise will give them the opportunity to react more appropriately during the exercise, while still thinking critically. It will also help to make the exercise less daunting to the C-Suite.
Be ready to address the knowledge gaps. Once the exercise is over, you should have a clear picture of your executive team’s ability to respond to a security incident; however, identifying the disparities is not enough. The executive team’s performance in the exercise should be reported, and the gaps addressed through additional training and revalidation. This training and education can be conducted by the internal security team, if they are equipped to do it, or by a training service provider.
Talk Is Cheap
The initiative to discuss the importance of cyber security in the boardroom is a great start to getting executives involved and educated on their roles and responsibilities; unfortunately, it’s still not enough. As information security professionals, we must continue to advocate and support active participation and involvement in security exercises by all C-Suite members to ensure the safety and security of our businesses.
How do you get your executives involved?