Incident Response as Triage: Why You Should Outsource

By C3 Staff
Jan 12, 2022

Before co-founding the Carolina Cyber Center, I ran an incident response team for one of the U.S. Olympic Committees (there are over 50). I walked in Saturday morning with my usual checklist and was met with a row of ashen faces—not usually a good sign. What made it even worse was that the head of IT was conspicuously absent, also not a good sign. Things became a little clearer once they handed me their incident response plan.

It was over a decade old.

In a show of good sportsmanship, I reached over, repositioned the nearby trash can, and slid the document off the table into this “round filing can.” We never even opened it, for it would have been a waste of our time. No one in that room had been present when it was written, and the only one who knew anything about it was not trusted enough to have been asked to be present (the head of IT). It would have taken longer to make sense of this decrepit document than to reform one. And time was of the essence. I had been called in because of a suspected breach, as highly sensitive data on athletes was dangerously close to being (or had already been) leaked. We were running triage that morning.

I’ve talked about the importance of Incident Response (IR) before, and we’ve discussed how tabletop exercises help your cyber resilience. However, that has been in the context of what you can do in-house. Now, like last week, I want to highlight why it can be beneficial to leverage independent, external resources to run tabletop exercises that improve resilience and lead to a more effective incident response plan (remember, if you’re not effective, no one cares how efficient you are). This Olympic Committee needed someone from the outside to help them lead a due diligence exercise on the incident, to consolidate and put into print whatever form of an IR plan was nebulously drifting around, and to ask, from outside the team culture, the questions that had been overlooked or missed. They also needed someone to learn what information lived only in “tribal knowledge” and should be codified in plans a team can execute while under duress. Tribal knowledge is extremely high in small companies: what happens if the few people who knew the answer or the protocol leave the company?

When I was brought in by that Olympic Committee, there were three things I had that they didn’t. First, I was emotionally unattached to the people, the process, and the organization. When we get a crushing diagnosis from our doctor, we lean on our support person or advocate to help us make clear decisions in crisis; that advocate’s thinking is not clouded by the weight of the diagnosis, while ours is. It’s the same for incident response. During either the IR itself or simulated tabletop exercises, an external agent can provide the tools, methods, tips, and clarity of thought that are hard to replicate with in-house resources.

Second, I had the tools and templates to jumpstart the process and direct it accordingly. It’s what I did for a living, so I knew how to do it efficiently. Because we had realistically discerned that there was viable evidence someone had penetrated the Olympic Committee’s data and had access to the training records and the age, sex, location, coach, credit card, and performance data of these (often minor) athletes, there wasn’t time to take the long route. Fortunately, we ultimately determined that was not the case. No data had been exfiltrated, but it was a tenuous scene until that determination.

Finally, by bringing me in, IR team members were able to return to their jobs fairly quickly. Why? Because I could take responsibility for documenting the findings, updating the IR plan, and leaving them with a set of codified policies, practices, procedures, and run books. That’s a proper use of contractors: enabling you to get back to what only you can do, while they provide the independent counsel and service that lets you do so.

As noted above, when I finished working with the Olympic Committee, we were able to show beyond a reasonable doubt that no data had been leaked; everyone could finally breathe. Their cybersecurity wasn’t only about passwords and software updates. It was also about resilience: how well can you respond and return to a sense of normalcy? A qualified external contractor is up to date on leading practices and resources that help you respond quickly and efficiently to a cybersecurity incident. It’s what they do. Sometimes, the best thing you can do for your business is bring in external support and begin the tabletop simulation process before an actual emergency occurs.

Not sure where to start? We’re here to help. Check out our website or contact us to find out more!

Contact Us

Carolina Cyber Center
of Montreat College

310 Gaither Circle
P.O. Box 1267
Montreat, NC 28757

(828) 419-0737
