Castellan brings every aspect of resilience management – from readiness to response – together in one place, so you can stop hoping and start knowing.
Now you’re ready.TM
Ransomware attacks. Phishing schemes. Record exposures. Fines and lawsuits. More and more breaches.
These are among the many topics dominating news stories, especially since the outbreak of the pandemic two years ago.
When you hear about these events, how often, as a business professional, do you stop and wonder if something like this could happen to your organization? And if it did, how prepared would your team be to respond?
That’s what we chatted about recently with Jason Barr, Chief Information Security Officer at Ada Support, in episode 9 of Castellan’s podcast, “Business, Interrupted.”
As we see a growing number of businesses dealing with the impacts of successful cyber breaches, here at Castellan we’re encouraging our clients to move from the traditional approach of planning for what might happen “if” an attack occurs to building a proactive, reactive, and holistic approach to what you’ll do “when” it does.
This, at its heart, is cyber resilience—a critical, but often-overlooked component of resilience management.
When we talk about cyber resilience, it’s all about being prepared for a cyber disruption with built-in planning for organizational flexibility and adaptability for response. It’s about your organization’s ability to bend in the wake of a cyber event, not break, regardless of threat type or complexity.
And when it comes to that shift from “if” to “when,” Barr says he is 100% on board.
“There’s no question,” he said. “It’s just a matter of time. If you haven’t been here, don’t worry. It’s coming. You just have to wait for your turn, so to speak, but everyone is subject to these.”
What we’re also seeing across industries, especially in terms of ransomware, is attackers aren’t just hitting once and walking away. When they know there’s a target, some will come back multiple times trying to extort more money from your organization.
“And it’s just one of those areas that I think we’re going to continue to [see] get worse,” Barr said.
That’s why cyber resilience is so important. It means your organization has done everything it reasonably can to prevent an attack, and that when one does land, you’re ready to respond effectively and to learn and adapt from it.
Cyber resilience isn’t just a theory. It’s about implementing governance, processes, and controls to continuously analyze your risks, prioritize how to respond to them, and have plans to mitigate or remediate those risks, while being well-prepared to respond to a disruption.
At the top of the list are incident response plans and the testing of those plans.
Anyone who has experienced a cyber incident knows that when it happens, things can get chaotic internally. People panic and start asking: What happened? What do we do? How bad is it? How much is this going to cost us?
Your incident response plans and playbooks—especially those you’ve tested and matured—are key to managing this chaos.
Another critical component is ensuring you’ve got an up-to-date inventory for all of your critical assets, processes, and people responsible for them. If something happens, does your team have a good understanding of what needs to be tackled first and why?
Because environments and the threat landscape are constantly evolving, it’s critical you understand both, in their most current state.
Cyber resilience means your team members are trained in incident response and understand how a breach would affect your critical operations.
“If you’ve done your job properly and set up network diagrams, data flow diagrams, and data maps, you should have a pretty good idea of the areas of exposure and understand, ‘here’s the areas we’ve got to concentrate on,’” Barr explained.
Another important cyber resilience capability focuses on logging. If an event happens, can your teams access current logs with accurate information so you can gain more insight into what may be askew in your environment?
When we talk about cyber resilience, some executives want to cover their ears because they worry it will be a lot of technical jargon they won’t understand. The reality is, however, that cyber resilience is more than an IT issue. It’s a program that aligns your cyber response capabilities and goals with your organization’s business processes and goals. It’s about everyone speaking the same language in terms of how cyber and IT issues relate to business continuity at all levels.
And that goes beyond what’s inside your business. A more holistic approach also covers how you engage with your key stakeholders, vendors, partners, customers, and the general public. If you have an event, are your teams across the board (think HR, public relations, marketing, executives, and so on) able to respond?
When it comes to cyber resilience, especially in today’s challenging employment market, some organizations just don’t have the proper resources or skilled professionals to build a truly resilient cybersecurity program.
Instead of piecemealing response plans together, it may be more effective to build relationships with third-party consultants who have experience and resources to oversee this important work for you—or to work closely with your existing team to fill in where you may have gaps.
Maybe you need help creating or updating policies and governance. Maybe you need clarity about which frameworks and controls make sense for your organization. Maybe you need an outside consultant to look at where your cyber response program is today and make recommendations to mature it to the levels you want it to be.
A third-party or consultant can be key in helping you identify and close these gaps.
Whether you’re using internal teams or working closely with consultants, when we’re talking about maturing your organization’s cyber resilience, it may be helpful to look at it from a crawl, walk, and then run approach.
It’s not about tackling every component—every framework and control—but instead, establishing your current cybersecurity profile and then identifying your target profile—where you want to be.
For example, start simple. Identify where you have gaps that your organization should close over time, and then make plans to address those gaps based on your existing and future resources.
“You start with something and move it forward,” Barr recommends. “I think oftentimes companies are caught trying to ‘boil the ocean.’ You know, put in a massive playbook and make it all work.”
Instead, it may be more effective to start small and build from there.
For example, establish a minimum number of tabletop exercises and use those to build muscle-memory for response and application. This can help your teams get a better understanding and perspective of what response will look like for your organization.
Create real-world scenarios to gain a better understanding of impact on operations:
There may be few things worse, from a resilience management perspective, than thinking you’re well-prepared only to find out during a crisis that you’re not. Cyber resilience planning can help eliminate that guesswork, whether the issue is internal, a problem along your supply chain, or a question about how your cyber insurance will support your organization during and after an event.
Don’t wait for a headline-making security issue to become a reality for your organization to start preparing. Remember, it’s no longer about that “if” mindset when it comes to preparing for a cyber-attack. Now is the time to prepare for “when.”
Would you like to hear more of our conversation with Jason Barr and learn more about how you can build cyber resilience into your existing business continuity program? Check out episode 9: “Cyber Response: When Headlines Become Your Reality with Jason Barr,” from Castellan or wherever you listen to your favorite podcasts.