Testing your response to a cyber-attack will save you resources in the event of a real incident, but for many organisations taking the first step in exercising can seem like a big commitment in time and energy.
As an infosec professional you know that one of the main keys to success in your role is how well you can explain the importance of cyber risks to senior management and get their buy-in for future projects. It’s a hard job – times are tough and money spent on “cyber defence” inevitably means less money for growing the business. That is a narrative we as an industry have always had to battle.
Getting approval for a cyber exercise is a bit different in one key respect: you don’t just want them to approve the money and its spending, you want them to actually TAKE PART too!
If we put ourselves in their shoes for a moment we can understand their reluctance to participate. Firstly, it sounds like a lot of time and effort away from their primary duties. Secondly, it sounds like a test, and nobody wants to face a test they suspect they will likely fail. Finally, they assume that the money the company puts into cyber defence is there to stop cyber-attacks, so why are we now rehearsing for the very thing we pay lots of money to prevent?
The majority of our clients have never run a proper cyber exercise before or, if they have, it has been more of a roundtable discussion. Very few clients we work with have more than one or two exercises in their past, and those that do tend to be in financial services.
So if this is your first ever exercise at your organisation, or your first externally led exercise, this article can help you “sell” the need for resilience exercises to the people who need it most: your crisis management team.
Know your audience
The better you know your audience the better your chances of getting their support.
Who are they? What are their priorities, interests and concerns? Think about ways your project goals align with theirs. How does improving your organisation’s response to a cyber-attack help HR, Finance or Comms? How would it make their lives easier in the event of an attack?
Get supporters. You probably already know who is most likely and least likely to support your request for an exercise. Get those people on board and pre-sell the exercise if that is possible or appropriate.
Speak their language. Talk about the things that matter to them, in the way they are used to talking about them. What are the key business priorities for 2023 and what are the key departmental priorities for that period? List them out and think about how a cyber-attack could set those plans back. Frame the exercise in the terms that matter to the audience.
Fit it in as part of an existing ongoing programme. A cyber exercise brings together lots of separate components that support the organisation’s functions. It helps to unify your response to cyber risk, rather than being another component in a shopping list of defences.
Explain it in simple terms
You have a non-technical audience, so don’t make them decode unnecessary technical jargon. In many ways a cyber exercise is one of the easiest things to explain simply: “it’s like a fire drill for our response to a cyber-attack”. It is practical, hands-on and produces tangible results.
Getting exec approval for a cyber exercise involves communicating the benefits both to the company and the crisis management team. The key benefits are:
- Improve the skills of your Crisis Management Team (CMT);
- Test existing incident response plans;
- Improve internal and external communications;
- Improve response and recovery times;
- Establish clearly what the critical business services are, what workarounds could be implemented and what dependencies exist; and
- Build awareness of cyber risk.
Explain the risks of not running an exercise
Articulate that in a cyber incident it is the CMT that will have to make the strategic decisions, it is the CEO who will have to stand in front of the press and explain what happened, and it is they who will have to call shareholders, speak to regulators and approve public comms statements admitting what has happened. All of that falls on them, not the cyber team. The only way we can make that easier on them and reduce the fallout is to practise what we would do at a time when it is okay to make mistakes.
It also gives them a great comms line: “thankfully we have rehearsed this scenario whilst trying to be prepared…” In cyber security we sometimes want people to do the right things, security-wise, for the right reasons, but ultimately it’s the end result that counts.
Key data points you may wish to use
- Cost of a data breach expected to exceed $5,000,000 in 2023 (Acronis)
- Companies that have an incident response team and extensive testing of their response plans reduce their breach cost by 25% in the event of an incident ($1.2 million USD) (IBM)
- Companies that test incident response plans are able to respond quicker and more effectively in the event of an incident.
Phrases we like to use
- An exercise is a safe space to make mistakes;
- We want to get your input on how we can all improve our resilience;
- It is a “training event” that is aimed at improving the competence and confidence of the CMT;
- It gives you an opportunity to practice your role;
- It is more of a workshop than a test; and
- It’s an opportunity to explore new ideas to improve.
A well-run exercise is a great opportunity to strengthen the resilience of your organisation and improve the teamwork you have. Make it sound like an achievable, beneficial and positive experience! In all the exercises we have run, the Crisis Management Team have left saying they enjoyed it and found it useful. The key is for them to have a positive experience, because ultimately resilience isn’t built in one exercise, so we will need them to do it again in 6 to 12 months!
Getting exec approval for a cyber exercise can be a challenge, but if you know your audience, can explain the benefits of an exercise in simple terms and can get some members of the board on side, you have a better chance of getting an exercise approved and of building awareness of cyber risks within your organisation.