All Fun & Games

Business Continuity Plans; probably the most important, yet undervalued and underfunded, part of your security team. This is the team that deals with what might happen to kill you tomorrow, versus what is actually killing us today. A justifiable investment is very hard to make, because they prove their worth when nothing happens; much like the rest of security, but that nothing is going to happen at some unspecified time in the future.

And then something happens, and the leadership are baying for your blood, crying “why didn’t we do something about this before?”. After an initial flurry of investment and interest, it dies down again to pre-crisis levels, and trhe sequence continues.

Maintaining that level of interest is very difficult in virtually any modern business because of the common demands on any listed company; quarterly earnings reports that continually drive down general and administration costs (you are an overhead there, Mr Security), and lurching from one poor investment briefing to another mean there is little room for “what if” investment.

So let’s play some games instead. If they won’t take its seriously, then neither will we. (That’s supposed to be sardonic, by the way.)

How to test your plans!

Doing tabletop exercises and practising the the plans you have in place is a great way of gaining interest in what it is you are doing, but can be very challenging g to start. The people you are targeting are, after all, the most senior and time poor people in the company. So, let’s start small.

Start with a team within your sphere of influence that has a role to play; maybe the SOC team, and include if you can the departments of peers, such as Legal or Communications. Run a scenario over an hour, record it, document it, create a transcript if need be, and share that report as widely as possible. Make sure you clearly record somewhere that you carried out the test as well, it’s useful fro compliance reasons.

Then rinse and repeat, and each time rely ion the success of the most recent exercise to build the scale and seniority of the exercise. It always surprises me frankly, ho much senior executive try and avoid the exercises, but thoroughly enjoy them when they finally submit to one. it is like they finally see the real world impact of what it is they are doing and the influence they can leverage during times of crisis. I could theorise about the egotistical nature of the phenomenon, but i will leave that to the psychologists and other trick-cyclists.

As the scale of the tests get larger, consider not only running them over longer periods of time and bringing in third parties to manages. This helps in two ways:

  1. You get to be directly involved in the exercise without knowing all the “answers”.
  2. They can bring a level of expertise you won’t have had, as well as tools and bespoke environments to practise with.

These can be run over extended periods, normally no more than a day, but can go beyond if supported. Four hours is a good place to start, with a working lunch in the middle (it helps attract people; everyone loves a free lunch). These third parties may be able to bring additional technology such as a dedicated virtual environment that includes a physically separate network, dedicated laptops, tablets and phones, that ensure the environment is carefully tracked and recorded, and no real world disruptions are encountered. Finally, they can also add real people to interact with, actually phoning the participants, “tweeting” or posting on other social media as part of the exercise, giving an even more realistic feel.

If you want to go extra fancy, you can even run them over multiple geographies, but make sure you can walk before you run!

Given recent circumstances with COVID-19, the lockdown and massive changes to working practises, being able to respond quickly to dramatic changes in the working environment is no longer an exercise in the impossible future, but rather planning on how to operate in a fast moving, ever changing and dangerous environment whilst still maintaining a running and profitable business.

This could be your next tabletop exercise.

That doesn’t sound like a game to me.

Are you trying to get your Business continuity and Crisis Management plans out of the document and into an actual exercise for your business but don’t know how to start? (TL)2 Security can help with everything from your initial plan to a full day exercise. Partnering with industry leading organisations to bring the Situation Room to your business, and ensuring you have real world and actionable improvements and observations at the end of the process, contact (TL)2 Security for more information.


Command, Control, and Conquer

Back in the ’90s, there was a game released called Command and Conquer, a strategic game whereby you had to manage resources, build, train and mobilise armies and conquer the neighbouring armies. It was a classic that spawned many spin-offs, sequels and addons for decades. What struck me about it though was how multi-skilled you had to be, especially in the later levels.

You couldn’t just be an excellent Field Marshall as you also had to manage resources, cash and other materials to create your buildings and structures that allowed you to create your army in the first place. You had to know logistics, how long something would take to build, train and mobilise, look into the future at new locations for better access to materials, and also have plans in place if the enemy attacked before you were ready.

Essentially, you were skipping from one crisis to the next, finely balancing between success and crashing failure. It sounds a lot like any modern-day incident management situation really.

In this week’s The Lost CISO (season 2), I take a quick look at incident management and highlight four key points to remember during an incident. In case you haven’t seen it yet. here it:

The bottom line is that, much like in the Command & Conquer game, you could plan ahead what you were doing because the environment was constantly changing, the unknowns were stubbornly remaining unknowns and the literal (in the case of the game) fog of war meant you can’t see more than just a few steps ahead. There are though some keys to success.

The first key point is that having a plan is all well and good, but as my military friend regularly tell me;

no plan survives contact with the enemy

Why? Because the enemy much like life does random, unexpected and painful things on a regular basis. Incidents have a habit of doing the same thing, so if your plan is rigid, overly explicit and has little room to ad-lib or manoeuvre in, it will fail.

Therefore, my approach has always been to build any kind of plan around four simple areas:

  • Command
  • Control
  • Communication
  • Collaboration

In other words, decide who is in charge, decide who is responsible for what areas, ensure everyone knows how to talk to each other, ensure everyone works openly and honestly with everyone else. There may be some other details in there as well, but really, if you have these four areas covered your plans will remain flexible and effective, and you may find yourself being able to close incidents more quickly and efficiently.

With all that extra time on your hands, you can then spend some time basking under the Tiberian sun.


Sailing the High Seas at 44CON

logo-1I have just returned from 44CON, a technical infosec conference that is held in London and in its third year. As with any multi day conference you come back tired but educated, and happy but deflated that it is over. A speaker party, a conference after party, two gin’o clocks, a conference bar and some fabulous presentations makes for an exhausting two days.

Organisationally it is extremely well run; the crew are are friendly, knowledgable AND efficient (it’s rare to have all three), the venue is of a high quality, the sponsors are low key but available, SpeakerOps is excellent, and with the exception of myself and two others the attendees are amazingly smart and technical. I was able to chat to a number of the speakers at a reception on Wednesday night, and the level of detail they went into for their research was simply mind-blowing; one person even decided to write his own 3D presentation language instead of using PowerPoint or Keynote, just for this one presentation!

I spent the first day mostly at the InfoSec track rather than the technical track, learning about “Security lessons from dictators in history” and “Surviving the 0-day – reducing the window of exposure”, both very good. I did attend a technical talk in the afternoon along with two friends (the two mentioned above!), and to be honest he could have been speaking a different language with what he was talking about; to make it worse he apologised at the end for not making it technical enough! It was a fabulous talk though, wonderfully presented, and let down only by my lack of technical knowledge of the subject.

As a backup speaker for the infosec track I thought I was off the hook at this point as nobody had dropped out, but it was announced at this point that there would be a “hidden track” of talks, of which I was one of them. This hidden track would take place at an undisclosed location and you had to talk to vendors and other con goers to find out where it was. It was at this point I excused from the after party to add a little more content to my slides.

Sailing the Cs of Disaster Planning 44Con.001

Sailing the High C’s of Disaster Planning – Click for PDF

The following morning, after the opening presentation I was second in the hidden track. My talk was entitled “Sailing the C’s of Disaster Planning”, and the main drive of it was of a simple “framework” that allows you to be be able to not only test the effectiveness of your disaster/business continuity planning, but also help to communicate the key elements of the plan upwards to the board and down through the key players in the organisation. This was the first time I had given this talk, and to be honest some of the ideas have not quite been fleshed out, although the concept is sound. It was well received by about 20 people (not bad given it was a hidden track) and there were some good questions and conversations afterwards. Feedback received later in the day was both encouraging but also useful in highlighting areas that need to be improved.

A copy of the slides are above; if you take a look at them please provide feedback as always (caution, 12.5Mb PDF).

I will be using this blog to flesh out those ideas and gather feedback over the next couple of months, firstly by looking at the high level concepts of this approach, and then subsequently break down the five elements of the approach into further blog posts.

The remainder of the second day at 44CON was taken up with more talks, as well as a bit of filming with my two colleagues, the two unknown hosts you could say, for something we hope to release in the next few weeks.

I would like to thank Steve and Adrian and the entire crew of 44CON for an excellent event, and I am certainly coming back for next year, at a new, larger yet undisclosed location.


CSARN Organisational Resilience Conference

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day though was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on “building and embedding effective cyber security structures”, and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes for how far down the list they had to go before they got to me etc…). Also on the panel with me was Geordie Stewart (who I am also speaking with at RSA and Paul Simmonds (Co-editor, Cloud Security Alliance “Guidance” v3 Co-founder & Board of Management, Jericho Forum Former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things “cyber”, but that didn’t really come across which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so called chaotic actors), what our thoughts were on the biggest threats coming out of the “cyber” threat and what we could be doing better at international levels. When each asked what the single take away from the discussion, mine was a rather glib, if valid, “plan for failure”; another strong take away to my mind was “get the basics right, everything else comes second”. Again, it sounds glib and from the school of the bleeding obvious, but over complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key takeaways specifically for my business continuity planning, and I hope have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.