In today’s digitally reliant business world, the collaboration between technical experts and executives enables a shared understanding for secure, compliant and resilient organizations in an age of ever-changing risk and connectivity. This is a co-authored article written by Jackie Berkowitz from our Crisis and Resilience Team and Steve Sacks from our Cyber and Digital Team.

Executive Summary

Organizations are facing a complex cyber threat environment that is increasingly impacting business operations and resiliency. Cybersecurity incidents such as ransomware, business email compromise, and spear phishing can have wide-reaching impacts on organizations’ operations and bottom line. Too often we see clients struggling to recover from damaging operational impacts caused by a technical decision made during a crisis event without an understanding of its business implications.

Developing a common understanding of these risks between responders and business leaders is critical to enabling efficient and effective crisis response and recovery. This understanding facilitates more efficient recovery through proactive information sharing between responders and executives working together to manage the crisis at both the operational and strategic levels. Exercising these teams through a multi-tiered approach provides the organization an opportunity to rehearse this collaboration before a real-life incident. Without an integrated approach, companies risk engaging in a disjointed response that fails to leverage expertise and capabilities across the organization. Not only does this impact the tactical response, but the failure to communicate could cause significant damage to an organization.

What is bringing business leaders to the cyber security table

Businesses increasingly rely on information and technology to drive competitive advantage, execute corporate strategy, and enable timely decision-making. Information helps identify opportunities for growth and expansion, while concurrently illuminating inherent risks across the organization. Vulnerabilities impacting the processing of that information can lead to loss of market edge, ill-informed decisions, and missed business opportunities. Technology enables organizations to realize the benefits of information through collaboration and connection between teams, people and systems.

The confluence of information and technology is a critical driver of business operations. Companies leverage technology to collect, analyze, disseminate, and store the information that forms the foundation of the execution of critical tasks and activities that keep the organization running. The role of cyber security is the protection of this information to facilitate secure and compliant business operations. As companies continue along their digital transformation journeys, cyber security is playing an even larger role in risk management to maintain operational resilience within respective threat landscapes.

Additionally, regulatory trends such as those indicated by policies from the Cybersecurity and Infrastructure Security Agency (CISA), the European Union Agency for Cybersecurity (ENISA) and the Cyberspace Administration of China (CAC) are driving increased accountability for Boards and corporate executives for the risk exposure of the companies they oversee and manage. These policies often mandate specific practices and controls and require disclosure of cyber security plans and policies. Both are driving leaders to take a more active role in their organization’s cyber security. This is rapidly compelling greater oversight and management by executives and Boards to ensure alignment between technical and business priorities.

The role of exercising in cyber crisis management

Table-top exercises serve as one of the most common venues for bringing together an organization’s leadership with cyber specialists. These engagements provide opportunities for organizational crisis management teams to rehearse response processes and decision-making in a safe and controlled environment to build readiness across the team, while also providing a venue for executives to provide insight into business priorities and strategy that impact technical operations. As regulations compel Boards to take a more active role in the oversight of cyber security strategies, exercises serve to validate crisis team competencies and identify deficiencies that require additional resource investment.

Exercises highlight critical response plan decision points, each driven by a decision authority and their information needs to ensure those choices are as informed as possible. Structured discussions and rehearsals support the identification of the information needed by decision-makers before a crisis hits. These steps enable faster recovery times as technical teams can proactively push information to executives who provide guidance on business priorities, resource availability and overall business impact for the incident.


Taking a multi-tiered approach to cyber exercising

An effective method for addressing this crucial relationship is taking a multi-tiered approach to crisis management exercising. This approach brings together both business and technical leaders as they work together to prepare for and respond to a cyber-related crisis. It involves testing an incident scenario with technical responders, followed by an exercise with the executive crisis management team. Lessons learned from the initial exercise subsequently feed into the executive-level event, increasing realism and cross-team understanding of technical capabilities and capacities throughout a cyber crisis.

The first exercise focuses on the response and recovery processes of the organization’s cyber security and information technology teams. These individuals serve as the business’ first responders to a technology incident and are often the first to recognize operational anomalies as indicators of something wrong. These teams are the best positioned to determine realistic timeframes for the identification of an incident and escalation of critical details to executive leadership, as well as resource requirements to initiate and maintain an effective incident management process to ideally contain and eradicate the threat.

Identifying the technical activities that impact executive-level decision-making processes is a critical aspect of an integrated approach to organizational crisis management. Incident management timelines and resources codified as part of the technical response exercise then directly inform the follow-on executive crisis management exercise. The technical exercise narrative informs executives of how an incident is identified, assessed, and escalated to leadership, setting the stage for the initiation of the executive-level exercise. Team stakeholders are given an opportunity to discuss which technical details inform their respective decision areas, such as communication, legal, privacy, and security. Collaboration between technical experts and executives enables a shared understanding of the incident within the business context, leading to better-informed decisions at both levels of the organization.

From exercise to implementation

Following the exercise series, businesses need to capture this shared understanding in their plans and policies. This allows for the common perspective amongst exercise participants to be mirrored in the organization’s approach to business continuity, cyber security, and disaster recovery plans and policies. Lessons learned from the exercises can quickly drive document revisions to reflect areas for improvement identified during the discussions. Formalizing these processes facilitates a common perspective for all members of the crisis management team and their technical counterparts, while also ensuring that alternates and backups are armed with the same information as their respective primaries.

This multi-tiered approach to exercising should also inform an integrated approach to crisis management as a whole. There are three primary levels to an organizational response structure: strategic, tactical and operational. At the strategic level, executives are responsible for focusing on strategic issues that impact the organization’s core objectives. They set response and recovery priorities and guide the tactical and operational teams. At the operational level, leaders of business units are responsible for assessing, managing, and coordinating the continuity of their respective processes in the medium and short term. At the tactical level, teams handle the immediate effects of an incident, primarily focused on the continuity of the activities that contribute to the processes delivering the organization’s prioritized products and services. Ensuring the effective orchestration of these efforts creates a crisis management ecosystem that results in optimized business operational resilience.

We can help

The Control Risks combined team of cyber security and crisis management/business continuity professionals recognizes that crises do not occur in silos. A cross-cutting approach to response and recovery is the best way to get organizations back on their feet following an incident as quickly as possible. Preparing and training crisis management teams with the right tools before an incident enables organizations to be more confident in their crisis management capabilities, enabling leaders to take more business risks that realize opportunities throughout their operating environment.

Have a question about resiliency, security, or business continuity for your organization? Email our team at [email protected].
