“The idea here is to tie together security, IT, and business insights as the team looks at the technical evidence in front of them,” during an actual incident, Montenegro says.
2. Define what a crisis would look like and create playbooks
Not all security incidents cause an enterprise-level crisis, and not all crises are cyber-related. Natural disasters, product recalls, accidents, and public relations debacles are all examples of non-cyber events that could have a significant negative impact on an organization. So, in preparing a new cybersecurity team for a crisis, it is important to define and rank, first by severity and then by likelihood, what precisely the business would define as a security “crisis,” says John Pescatore, director of emerging security trends at the SANS Institute.
“It is not the case that the top of the list will always be something like ransomware,” Pescatore says. Sometimes, a crisis might have nothing to do with cybersecurity, he notes. “For example, I remember hearing a Boston-area hospital CIO talk about how they were bombarded with attempts to get into hospital data after the [Boston Marathon] bombing because press reports had noted the bombers went to that hospital.”
Once the cybersecurity team has an understanding of what would constitute a security crisis for the company, create playbooks for the top handful of them. The playbooks should have defined roles for who does what and when. Consider doing an internal tabletop exercise at the next cybersecurity team meeting. “From there you can usually modify one of the first handful of playbooks, or sections within a playbook, for less common crises,” Pescatore says. “From there you can find many guidelines and courses on incident response processes and best practices.” Pescatore points to the Forum of Incident Response and Security Teams (FIRST) as a good source for free resources, as well as resources that are only available to members.
3. Create an incident response plan
Preparing a team of new cybersecurity professionals for a crisis means developing an incident response plan for responding to and mitigating any security incident that might trigger an enterprise-level crisis. Unlike a crisis management plan, which takes a high-level, strategic approach to decision-making and management during a crisis, an incident response plan is a tactical document that provides a step-by-step guide for mitigating an incident. Such plans often provide detailed technical instructions, workflows, and tools for identifying, containing, eradicating, and recovering from a security incident.
While there is often overlap between a crisis management plan and an incident response plan, the latter tends to get much more into the weeds, says Christopher Hallenbeck, CISO, Americas at Tanium. In developing the plan, make sure the cybersecurity team can assess whether the incident significantly impacted operations, whether it resulted in data loss or exposure, and whether they need external help to investigate and recover.