Build capabilities, not just plans

After taking part in the launch of the Cyber Crisis Simulator, Phil Venables of Goldman Sachs shares his thoughts on why incident response should focus on human capabilities – not on playbooks.

I really enjoyed participating in a live crisis simulation to mark the launch of Immersive Labs’ Cyber Crisis Simulator. This type of approach builds “muscle memory”, which is extremely valuable for all organizations.

The human response to incidents, whether operational or security, can dictate the depth of impact. During an emerging incident, how you organize yourselves and triage events is critical, especially in the first 30 minutes. This is best done with experience and perhaps a checklist or playbook. More detailed plans or procedures are useful, but only as the incident evolves over the coming hours and days. Also, most crises are unique, even if they share some common elements, so even the best-laid plans need some improvisation. Extremely detailed and prescriptive plans become dated very quickly – and they’re hard to update.

So, how do you increase your resilience to events while also pre-building technical competence? The answer is simple: focus on building human capabilities, not on writing more plans. The beauty of this approach is that these capabilities are highly adaptable, don’t age, and once in place, can be continually reinforced with specific drills to build muscle memory. It’s like building a resilient human infrastructure into which specific modules can be plugged depending on the crisis of the day. 

Let’s take a look at how you can make this work. First and foremost, ensure you have a good understanding of the baseline capabilities that allow core business functions to operate. The people, processes and technology that create value in your company should be mapped, monitored and used to support everyday operations within cost and capacity constraints.

Next, draw up a list of scenarios and use them to test your core capabilities. Don’t get this confused with crisis response drills: this is about ensuring the capabilities you need will not fall over during a crisis exercise or, god forbid, during the real thing. Then, you can run a series of micro-drills and test, test, test. This is where the Immersive Labs approach is useful for security teams, as it allows teams to run very specific drills for an hour or so without the overhead of a full crisis exercise. It’s like agile development but for cyber crisis response. 

Use the learnings from these small-scale tests to help minimize the blast radius of potential events and uncover problems you hadn’t even considered. It can give you the uncanny ability to ‘look into the future’ and predict potential problems.   

Only when you have done all of this should you start documenting and writing playbooks. These should be specific and evidence-based; for example, how to activate a crisis call tree, what eight things to do in the event of a ransomware incident, etc. Relevance to specific events will augment response effectiveness should the worst happen. 

Finally, underpin everything with an effective crisis leadership structure. Create specific, focused groups that genuinely advance activity in an incident. 

Building capabilities in this way will ensure security teams have a more agile, effective crisis response – and, most importantly, a platform for continual improvement. 

Phil Venables

Published
29 July 2020
