Key lessons learned in 2023 from Global Cybersecurity tabletop exercises
Having worked with some of the world’s most mature clients and experienced real and simulated cyber crises, I am often asked what the key lessons learned are. Below I outline the most common challenges, allies and elements that clients around the world underestimate.
CHALLENGES: Time and perfection
Quoting one of the most respected CISOs in the world, Equifax CISO Jamil Farshchi: “Time and perfection will eventually crush you.” Clients don’t realize how quickly a crisis can escalate to the point where they lose control of the situation. That’s why cybersecurity requires a complete business response. Second, stakeholders will demand all the information immediately, believing that with it they can make perfect decisions. They will never have enough time for perfection. I tell my clients that they have to be comfortable with a lack of information during a crisis. Factor that into your leadership strategy.
ALLIES: Communications & Options & Preparation
The most repeated comment after a crisis or drill was how critical the role of communications was. Companies that communicate a daily “North Star” of current priorities are the most successful. Build your incident response plans, business continuity plans, and other solutions with flexibility in mind – to quote Jamil Farshchi again, “optionality… Be comfortable pivoting or adapting them as you learn more and things progress.” Another key lesson was understanding how much can be done in advance versus what must be done during a crisis. Bringing all of these allies together is the reason to create a security culture focused on continuous cyber readiness.
UNDERESTIMATION: Deeper level details, authorization and human factor
In most IR, BCM, and similar documents, clients have a certain level of detail. But they underestimate the need for more detail – one or two layers deeper – during a crisis. For example, consider the need to communicate with employees during the crisis on an out-of-band platform when laptops are encrypted. Who has the most recent contact list? When was it last updated? Where is that list stored, and is it also encrypted? Understanding someone’s roles and responsibilities is critical, but what is most critical is the deepest layer – who is “authorized” to perform significant actions. For example, you need to clearly define who can take down a server, who can talk to the media, and who can explain the situation to customers. Finally, one of the most overlooked aspects of a crisis is the human factor. The first few hours of a crisis are when the most mistakes are made, due to increased stress. Your team will need to sleep, eat, and go home to their families. Be prepared for that.
Sygnia focused on four main areas during the 2023 cybersecurity exercises:
- The first was preparing for the SEC’s new cybersecurity reporting requirements, with an emphasis on determining the “materiality” of the incident: who is authorized to make the determination, and who is responsible for disclosure to the SEC. What makes this challenging are the competing legal, financial and operational viewpoints that collide while attempting to provide some level of investor confidence and accountability.
- Second, new cybersecurity crisis manuals and guides were put through their paces in a custom simulation exercise. Much of a client’s maturity shows in their continued cybersecurity readiness strategy: updating their documentation and subjecting it to live-fire simulations.
- Third, a greater understanding of the roles and responsibilities of multiple stakeholders, especially when the management team includes new executives who have never done an exercise together. A big part of the foundation is building trust and understanding among the new executives and making them feel like they have a seat at the table.
- Finally, validation of the client’s current posture and strategy, followed by an understanding of how they compare to their peers and what the key gaps are that need to be addressed. More mature clients not only run simulation exercises with internal stakeholders, but also include their key business partners. In other words, they compare one book of operations to another to ensure that their processes, scaling, authority, and strategy are aligned.
Building a Team from an Executive Perspective: The Role of the CISO
The role of the CISO has been evolving over the years as cybersecurity has become more prominent for organizations seeking to become more competitive and efficient. Navigating the cybersecurity challenges of digitalization and cloud adoption, and innovating with emerging technologies, are just a few of the business drivers to which CISOs and their security teams bring their expertise. Today’s CISO must be able to rally support for their security program and effectively drive the security culture within their organization as they move closer, in reporting terms, to the C-level executive management team.
Cyber risks are becoming more disruptive and costly. Senior management and the board are taking the need to protect the organization seriously, especially as legislation is penalizing them for negligence. CISOs will need to ensure that cybersecurity is sufficiently discussed and factored into the decision-making process at the C-suite and board level, where their guidance is relied upon to effectively influence security culture. Next, it is important for the CISO to justify their budgetary spend through an effective security program that supports maximum business growth and protects the bottom line.
Developing an effective cybersecurity program often faces the challenge of creating the right organizational structure for a security team. When cybersecurity is aligned with the business, building a security team requires considering the security strategy, technologies, and goals to support the security program. The security strategy determines how the organization will protect and defend against cyberattacks and position security services to meet the needs of the business. Technologies define the skill sets and training required to properly deploy and adopt secure systems. And goals enable security leaders to align their internal teams to maintain business operations and defend against cyberattacks.
Building a security team is critical to aligning business needs with the C-suite and board of directors. The role of the CISO is critical to influencing changes in security culture across the organization through executive awareness and training. Building a resilient security team involves a combination of strategic planning, talent acquisition, and ongoing training. Organizations will need to build their security teams to support their cybersecurity program with a well-defined structure that ensures team members understand their specific contributions to the overall program, and to look for people with problem-solving skills who understand emerging threats. Cybersecurity remains a dynamic field, so training and skills development are essential to staying ahead of the evolving threat landscape and maximizing the benefits of investing in cutting-edge technologies. Security teams must foster a culture of collaboration with IT operations, development teams, and enterprise architects to ensure resilience across the organization. With higher levels of collaboration across the organization, it will be easier to instill a cybersecurity culture and promote security awareness.
Prioritize the security budget
Cybersecurity increasingly functions as a business driver in today’s organizations. However, budgets remain a concern and during an economic downturn are often candidates for cuts. C-suites and boards that are hampered by a lack of understanding of the cybersecurity program may be more concerned with compliance than security best practices. CISOs must justify the security budget and position their program as a business driver rather than a cost center.
Security teams must be able to take a cyber risk approach that is relevant to the threats in their environment, addresses regulatory requirements, and minimizes negative business impact. Security posture should be continually assessed and monitored against industry best practices and relevant threats to establish a clear understanding of the cyber risks that need to be addressed. Cyber assessments should address business risks in priority order, so that organizational outcomes are protected and maximized through a clearly defined roadmap.
As cyberattacks increase and security budgets are cut, organizations must focus more on prevention and detection capabilities to maintain their security posture. Prevention reduces the chances of threat actors infiltrating and moving through the organization by cutting them off early in the attack chain. And when a threat actor is able to conduct malicious activities in the organization, early detection can help mitigate the consequences of a cyberattack.
To justify the security budget, the program must be communicated to the C-Suite and the board using a prioritized cyber risk approach that is aligned with business needs. A comprehensive methodology for uncovering relevant threats and vulnerabilities, while translating cyber risks into business risks, must be clear and concise so that the C-Suite and the board can effectively defend the budget because it is aligned with business objectives.
Developing KPIs to measure cybersecurity program effectiveness/compliance
Maintaining an effective cybersecurity program builds cyber resilience in an organization and establishes quantifiable metrics of success that influence the security culture and highlight the importance of cybersecurity in the organization. Cybersecurity awareness plays an important role, and the security team must be transparent and aligned on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that matter to the C-Suite and board. Security controls must be developed to support the cybersecurity program and security metrics must be aligned and tracked to understand the effectiveness of the controls.
Security controls must be adaptable to the ever-changing threat landscape and business environment. And the security team must be able to adopt appropriate controls as cybersecurity challenges arise. It is essential for security teams to measure and monitor the effectiveness of security controls through KPIs and KRIs to enable strategic decision-making to achieve cybersecurity program objectives.
By having transparent and accurate security metrics, the effectiveness and credibility of the cybersecurity program can be validated. Senior management and the board of directors will have a better understanding of where the organization’s security performance stands and will be able to make key cybersecurity decisions. More importantly, this will build confidence in the organization’s security by monitoring and continuously improving the cybersecurity program. Security metrics provide insight into areas that require attention and improvement. Here are some examples of commonly developed KPIs and KRIs:
KPIs
- Incident Response Time: The time it takes to detect and respond to security incidents.
- Phishing Resistance Rate: The organization's success rate in resisting phishing attempts.
- Patch Management Compliance: Percentage of systems and software that are up to date with the latest security patches.
- Threat Detection Accuracy: Accuracy of threat detection systems.
- Employee Training Effectiveness: Success of cybersecurity awareness training, measured by monitoring employee behavior such as recognizing and reporting suspicious activity.
KRIs
- Vulnerability Exposure Rate: Rate of new vulnerabilities discovered in the organization's systems.
- Third-Party Security Risk: Security posture of third-party vendors and partners.
- Cost of a Data Breach: Quantification of the potential financial impact of a breach.
- User Account Anomalies: Anomalous activity related to user accounts, e.g. multiple login failures or unauthorized access attempts.
- Regulatory Non-Compliance: Degree of non-compliance with industry regulations and legal requirements.
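Three of the indicators above (Incident Response Time, Patch Management Compliance, and User Account Anomalies) can be computed mechanically from data the security team already holds. The following is an added example, not code from the original article or from Sygnia; the incident records, asset inventory, authentication log lines, field names and thresholds are all constructed for illustration, and the anomaly threshold (more than five failed logins inside a ten-minute sliding window) is an assumed value, not one the article specifies.

```python
"""Compute example KPIs/KRIs from constructed sample data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records: when the intrusion began (per investigation),
# when the SOC detected it, and when it was contained. ISO-8601 timestamps.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-03-01T08:00", "detected": "2023-03-01T10:30", "contained": "2023-03-01T14:00"},
    {"id": "INC-2", "occurred": "2023-05-12T22:15", "detected": "2023-05-14T09:00", "contained": "2023-05-14T18:30"},
    {"id": "INC-3", "occurred": "2023-09-20T03:40", "detected": "2023-09-20T04:10", "contained": "2023-09-20T06:10"},
]

# Constructed asset inventory: whether each system carries the latest security patches.
ASSETS = [
    {"host": "web-01", "patched": True},
    {"host": "web-02", "patched": True},
    {"host": "db-01", "patched": False},
    {"host": "hr-laptop-17", "patched": True},
    {"host": "legacy-erp", "patched": False},
]

# Constructed authentication log lines: timestamp, outcome, account.
AUTH_LOG = """\
2023-11-02T09:00:01 LOGIN_FAIL user=alice
2023-11-02T09:00:05 LOGIN_FAIL user=alice
2023-11-02T09:00:09 LOGIN_FAIL user=alice
2023-11-02T09:00:12 LOGIN_FAIL user=alice
2023-11-02T09:00:15 LOGIN_FAIL user=alice
2023-11-02T09:00:20 LOGIN_FAIL user=alice
2023-11-02T09:01:00 LOGIN_OK user=bob
2023-11-02T09:30:00 LOGIN_FAIL user=carol
2023-11-02T11:30:00 LOGIN_FAIL user=carol
"""


def _ts(text):
    return datetime.fromisoformat(text)


def response_time_kpi(incidents):
    """KPI 'Incident Response Time': mean hours to detect and mean hours to contain."""
    hours_to_detect = [(_ts(i["detected"]) - _ts(i["occurred"])).total_seconds() / 3600 for i in incidents]
    hours_to_contain = [(_ts(i["contained"]) - _ts(i["detected"])).total_seconds() / 3600 for i in incidents]
    return {
        "mean_hours_to_detect": round(mean(hours_to_detect), 2),
        "mean_hours_to_contain": round(mean(hours_to_contain), 2),
    }


def patch_compliance_kpi(assets):
    """KPI 'Patch Management Compliance': percentage of assets that are fully patched."""
    patched = sum(1 for a in assets if a["patched"])
    return round(100.0 * patched / len(assets), 1)


def account_anomaly_kri(log_text, max_failures=5, window_minutes=10):
    """KRI 'User Account Anomalies': accounts with more than `max_failures` failed
    logins inside any sliding window of `window_minutes` (assumed thresholds).
    Returns {account: failure_count_in_the_first_window_that_trips_the_rule}."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, outcome, user_field = line.split()
        if outcome == "LOGIN_FAIL":
            failures[user_field.split("=", 1)[1]].append(_ts(ts))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[user] = count
                break
    return flagged


if __name__ == "__main__":
    print("Incident response time:", response_time_kpi(INCIDENTS))
    print("Patch compliance (%):", patch_compliance_kpi(ASSETS))
    print("Account anomalies:", account_anomaly_kri(AUTH_LOG))
```

The sliding-window check in `account_anomaly_kri` is what keeps the KRI meaningful: two failures two hours apart (carol in the sample) are normal user behaviour, while six failures in twenty seconds (alice) are the pattern worth surfacing to the board as a risk indicator. Reporting the metric per account, rather than as a raw count of failures, is what lets the team act on it.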
Security metrics are important for making cybersecurity decisions with critical KPI and KRI data, leading security teams to take proactive approaches to address any cyber threats and vulnerabilities. Well-defined security metrics can illustrate the overall security posture to senior management and the board of directors to highlight the most pressing cybersecurity issues and justify the cybersecurity budget.
Periodically reassess and update security parameters to maintain resilience against ever-evolving cyber threats.