All Fun & Games

Business Continuity Plans; probably the most important, yet undervalued and underfunded, part of your security team. This is the team that deals with what might happen to kill you tomorrow, versus what is actually killing us today. A justifiable investment is very hard to make, because they prove their worth when nothing happens; much like the rest of security, but that nothing is going to happen at some unspecified time in the future.

And then something happens, and the leadership are baying for your blood, crying “why didn’t we do something about this before?”. After an initial flurry of investment and interest, it dies down again to pre-crisis levels, and trhe sequence continues.

Maintaining that level of interest is very difficult in virtually any modern business because of the common demands on any listed company; quarterly earnings reports that continually drive down general and administration costs (you are an overhead there, Mr Security), and lurching from one poor investment briefing to another mean there is little room for “what if” investment.

So let’s play some games instead. If they won’t take its seriously, then neither will we. (That’s supposed to be sardonic, by the way.)

How to test your plans!

Doing tabletop exercises and practising the the plans you have in place is a great way of gaining interest in what it is you are doing, but can be very challenging g to start. The people you are targeting are, after all, the most senior and time poor people in the company. So, let’s start small.

Start with a team within your sphere of influence that has a role to play; maybe the SOC team, and include if you can the departments of peers, such as Legal or Communications. Run a scenario over an hour, record it, document it, create a transcript if need be, and share that report as widely as possible. Make sure you clearly record somewhere that you carried out the test as well, it’s useful fro compliance reasons.

Then rinse and repeat, and each time rely ion the success of the most recent exercise to build the scale and seniority of the exercise. It always surprises me frankly, ho much senior executive try and avoid the exercises, but thoroughly enjoy them when they finally submit to one. it is like they finally see the real world impact of what it is they are doing and the influence they can leverage during times of crisis. I could theorise about the egotistical nature of the phenomenon, but i will leave that to the psychologists and other trick-cyclists.

As the scale of the tests get larger, consider not only running them over longer periods of time and bringing in third parties to manages. This helps in two ways:

  1. You get to be directly involved in the exercise without knowing all the “answers”.
  2. They can bring a level of expertise you won’t have had, as well as tools and bespoke environments to practise with.

These can be run over extended periods, normally no more than a day, but can go beyond if supported. Four hours is a good place to start, with a working lunch in the middle (it helps attract people; everyone loves a free lunch). These third parties may be able to bring additional technology such as a dedicated virtual environment that includes a physically separate network, dedicated laptops, tablets and phones, that ensure the environment is carefully tracked and recorded, and no real world disruptions are encountered. Finally, they can also add real people to interact with, actually phoning the participants, “tweeting” or posting on other social media as part of the exercise, giving an even more realistic feel.

If you want to go extra fancy, you can even run them over multiple geographies, but make sure you can walk before you run!

Given recent circumstances with COVID-19, the lockdown and massive changes to working practises, being able to respond quickly to dramatic changes in the working environment is no longer an exercise in the impossible future, but rather planning on how to operate in a fast moving, ever changing and dangerous environment whilst still maintaining a running and profitable business.

This could be your next tabletop exercise.

That doesn’t sound like a game to me.

Are you trying to get your Business continuity and Crisis Management plans out of the document and into an actual exercise for your business but don’t know how to start? (TL)2 Security can help with everything from your initial plan to a full day exercise. Partnering with industry leading organisations to bring the Situation Room to your business, and ensuring you have real world and actionable improvements and observations at the end of the process, contact (TL)2 Security for more information.


CSARN Organisational Resilience Conference

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day though was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on “building and embedding effective cyber security structures”, and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes for how far down the list they had to go before they got to me etc…). Also on the panel with me was Geordie Stewart (who I am also speaking with at RSA and Paul Simmonds (Co-editor, Cloud Security Alliance “Guidance” v3 Co-founder & Board of Management, Jericho Forum Former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things “cyber”, but that didn’t really come across which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so called chaotic actors), what our thoughts were on the biggest threats coming out of the “cyber” threat and what we could be doing better at international levels. When each asked what the single take away from the discussion, mine was a rather glib, if valid, “plan for failure”; another strong take away to my mind was “get the basics right, everything else comes second”. Again, it sounds glib and from the school of the bleeding obvious, but over complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key takeaways specifically for my business continuity planning, and I hope have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.