Every breach of your network or denial of service attack is serious, but it’s not necessarily a crisis.
A crisis is Sony Entertainment’s servers being wiped. A crisis is Ashley Madison’s membership being exposed.
And sooner or later, warns Chris Williams, chief cybersecurity architect of Virginia-based systems integrator Leidos Holdings, IT leaders in every organization will face a heightened security situation.
When that happens, he told infosec pros Wednesday in Toronto at the SC Congress conference, they’d better be prepared – and prepared to keep calm.
“Until we embrace the new paradigms of cybersecurity, this (a crisis) is probably going to be a future trend.”
The co-author of the textbook “Enterprise Security,” Williams likens what IT will face to playing baseball and it’s raining baseballs – and people will be dropping the ball everywhere.
“When you run into a crisis you are going to run off the end of your contingency plans. Your plans will not have accounted for this because it is so dire that your engineers didn’t even consider it was worth thinking about.” That’s when IT leaders have to be open to new ways of thinking – and the sooner the better.
“Your organization has been optimized for normal operation, meaning it has been streamlined … to be lean and efficient, which means there is little to no excess capacity to accommodate a crisis.” The organization, –especially middle managers — will be overloaded the leadership gave general direction and will be running around trying to make it happen. They won’t have the bandwidth to make educated decisions, which creates a bottleneck. So lateral communication will be key. Manager won’t have time to give guidance to everyone, because they’ll be running in and out of meetings, so directions will go to one report who will have to spread the word.
Meanwhile getting good status reports will be difficult, in part becasue no one knows what’s important. Expect middle managers to ask for irrelevant information like how many servers are back up. “One of the challenges you’re going to have a subordinate level is reading between the lines of what is management trying to accomplish,” he said.
Among his pieces of advice:
–When you think you’re over your head, the scope is more than you can handle in a day or it will cost a lot to recover that’s point to make a preliminary report to senior management. It should include what you know, what you don’t know, what is understood about the attacker, what will be required to stabilize the situation, what required to resolve the situation, what help should be called in immediately to start the response’
–figure out what management needs to know. It will help to make a chart that says what IT’s goals/milestones for recovery are and how far you are right now in achieving it;
–if you have to quickly write an RFP to hire a third party for help and are unprepared, don’t be afraid to ask them for help on the terms. A good contractor will understand your situation and say, ‘Here’s what you should be asking of me.’ Better that than a poorly drafted RFP;
–money is your friend – in fact it may be the only resource that is easily obtained. Money can buy resources, expertise, free up your staff, buy service to get business restored;
–take care of your people. (In fact, he says, if possible use HR or other staff while they wait for their systems to come back online.) They’ll need backup relief, food, daycare, dry cleaning. Make sure they don’t burn out, so establish work schedules and enforce them;
—-there will be a tension between security and IT that has to be managed. IT wants everything up. Security wants everything locked down. Manage this by “maximum allowable risk” doing things ‘quick and dirty’ and then build from that to getting back to full operating capacity.
There are five factors in crisis operations, he said: Plan (you have to have a plan to get an organization to do something, otherwise you’ll be paralized); Process (need processes for co-ordination and communication. Perhaps a war room). Prioritization (you can’t do everything at once. What goes up first: Operations, infrastructure, contingency systems, communications?) Parallelism (put all available resources to productive work); Sequencing (have to get the network up before the virtual machines).
In an interview Williams said the worse mistake organizations make in a crisis is not bringing in help. “They chose not to get help either because they don’t know exactly what they need or subordinates are scared to ask because they know it will cost money or will take work.” Instead they try to work through the crisis, miss goals and the recovery falters.
But he also said the CEO, CIO and CISO have to work together to keep business, IT and security recovery risks balanced. A good compromise, he added, is when all three are equally dissatisfied with how the recovery is going, because it’s likely the three areas are balanced.
Above all, he said, “Think about crisis planning now, before it’s a crisis.”