itSMF Bulletin September 2021 | Page 6

phishing attack simulations and staff training programs), which results in low uptake, attempts to circumvent certain controls and eventually creates resistance amongst the broader workforce to help keep the process alive.

4. Top management, whilst aware of Information (including Cyber) Security risk and the need to comply with relevant regulatory requirements, doesn’t commit sufficient time to truly understand their own role in the process, palms it off as an ‘IT thing’, isn’t equipped with the skills to actively guide middle management and general staff and doesn’t commit sufficient resources to embed information security awareness across the organisation.

5. The CIRP is built as a large document, which is centrally managed by the CISO and other Security staff, not regularly maintained and impractical in real incidents because relevant content is difficult to find. Version control (if any) may be impeded by only one person being able to edit the latest version at a time. And when the IT systems are deactivated as a precaution, the CIRP document can’t be retrieved as it sits on a system that is now unavailable.

6. Cyber Incident Simulation Tests are timed inconveniently, are repetitive, lack sufficient business context/relevance and/or have a ‘pass/fail’ flavour, causing participants to try to look good in front of bosses rather than to find areas of the plan that need improving.


I have observed organisations spending hundreds of thousands of dollars on consultants, only to find they still make these 6 mistakes. The resulting problems recur every few years when the documents are out of date.

Or sooner - and this is much worse - when a real-life breach occurs and the plan (and other controls) don’t work or nobody knows how to activate them.

Equipped with a short, sharp, dependable CIRP, your business will be in a far better position to respond confidently in an actual incident, protecting its brand and reputation, meeting its legal responsibilities, and ensuring the needs of its staff, clients and stakeholders are met. To achieve this, senior management needs to commit to information security management ‘all the way’.

In a nutshell, the right approach includes the following elements:

1. A ‘cyber superhero’ team is established, consisting of CISO, IT (Security) as well as key business unit representatives, to assist in creating the response plan, engaging with staff across the organisation, planning/facilitating training and awareness programs and conducting rehearsals/tests.

2. Discussions and scenario-based discussions are held with external CIR providers prior to selecting any of them. Once realistic promises regarding their response times and capabilities have been agreed, these are then validated. Where gaps come to the surface, further collaborative work is done to align mutual expectations and promises – and related (standby/retainer and/or activation) fees. Providers are included in any plan walk-throughs and/or CIR exercises/tests, so they understand the internal mechanics of your organisation as well as key deliverables and roles relevant in an actual cyber incident.

3. Middle management and general staff are engaged in concise but highly interactive workshops, so they start engaging hands-on in the information security process and can assist with choosing preventative controls that their teams can actually implement and maintain. This could include a true ‘if you see something: