Q2 Magazine 2023
Leading your organisation to stronger cyber resilience through multi-tiered exercising
Jackie Berkowitz
Consultant, Control Risks’ Crisis & Resiliency Practice
Steve Sacks
Senior Consultant, Control Risks’ Cyber Practice
Developing a common understanding of cyber risk between technical responders and business leaders is critical to efficient and effective crisis response and recovery. Without an integrated approach, companies risk a disjointed response that fails to draw on expertise and capabilities across the organisation. This not only weakens the tactical response; a failure to communicate between the two groups can in itself cause significant damage to the organisation.
What is bringing business leaders to the cyber security table?
Businesses increasingly rely on information and technology to drive competitive advantage, execute corporate strategy, and enable timely decision-making. Information helps identify opportunities for growth and expansion, while concurrently illuminating inherent risks across the organisation.
As companies continue along their digital transformation journeys, cyber security plays an ever larger role in risk management and in maintaining operational resilience against each organisation's own threat landscape.
Additionally, regulatory trends such as those signalled by policies from the Cybersecurity and Infrastructure Security Agency (CISA), the European Union Agency for Cybersecurity (ENISA) and the Cyberspace Administration of China (CAC) are increasing the accountability of Boards and corporate executives for the risk exposure of the companies they oversee and manage. These policies often mandate specific practices and controls and require disclosure of cyber security plans and policies. Both requirements push leaders to take a more active role in their organisation's cyber security, and are rapidly compelling greater oversight by executives and Boards to ensure that technical and business priorities are aligned.
The role of exercising in cyber crisis management
Table-top exercises are one of the most common venues for bringing an organisation's leadership together with its cyber specialists. They give crisis management teams the opportunity to rehearse response processes and decision-making in a safe and controlled environment, building readiness across the team, while also giving executives a venue to explain the business priorities and strategy that shape technical operations. As regulations compel Boards to take a more active role in overseeing cyber security strategy, exercises serve to validate crisis team competencies and to identify deficiencies that require additional investment.
Exercises highlight the critical decision points in a response plan: for each, who holds the decision authority and what information they need to make the choice as well informed as possible. Structured discussion and rehearsal identify, before a crisis hits, the information decision-makers will need. This shortens recovery times, because technical teams can proactively push the right information to executives, who in turn provide guidance on business priorities, resource availability and the overall business impact of the incident.
Taking a multi-tiered approach to cyber exercising
An effective method for building this crucial relationship is a multi-tiered approach to crisis management exercising, which brings business and technical leaders together to prepare for and respond to a cyber-related crisis. The incident scenario is first exercised with the technical responders, then with the executive crisis management team. Lessons learned from the technical exercise feed into the executive-level event, increasing its realism and the executives' understanding of technical capabilities and capacity throughout a cyber crisis.
Collaboration between technical experts and executives creates a shared understanding of the incident in its business context, leading to better-informed decisions at both levels of the organisation.
From exercise to implementation
Following the exercise series, businesses need to capture this shared understanding in their plans and policies, so that the common perspective reached by exercise participants is mirrored in the organisation's business continuity, cyber security and disaster recovery plans and policies. Lessons learned from the exercises can quickly drive document revisions that reflect the areas for improvement identified during the discussions. Formalising these processes gives every member of the crisis management team and their technical counterparts a common reference, and ensures that alternates and backups hold the same information as their respective primaries.
This multi-tiered approach to exercising should also inform an integrated approach to crisis management as a whole. An organisational response structure has three primary levels: strategic, tactical and operational. At the strategic level, executives address the strategic issues that affect the organisation's core objectives. At the operational level, leaders of business units assess, manage and coordinate the continuity of their respective processes in the short and medium term. At the tactical level, teams handle the immediate effects of the incident, focusing on the continuity of the activities that contribute to the processes delivering the organisation's prioritised products and services.