C-Suite Strategies for Cyber-Resilience
by Brent Kirkpatrick
(Date Published: 1/17/2019.)
Recovering from a cyberattack or data breach usually requires 2-10 times more person-hours than your normal operating mode. If your normal IT operating budget for personnel is 10 FTEs, then you may need 20 FTEs or more for the duration of recovery.
Successful recovery with cyber-resilience means that the increased cost of the recovery holds steady across the days of recovery. On the other hand, if your company's strategic approach or planning is inadequate, you will see an increasing cost for IT and security during a cyberattack. In some cases, your team can bungle badly enough that you contribute to the hacker's return on investment (ROI).
Arranging for the extra person-hours needed to recover from a cyberincident is doable if you have a software company; you just re-task programmers from your development team to the security team for the duration of the incident. However, for most companies, this is not an option, and the increased cost of an incident is a logistics challenge. If you plan ahead, this challenge is surmountable. If you forgot to plan, this logistics challenge becomes a nightmare.
Most companies look to hire specialized cybersecurity consultants and flex IT professionals to provide the additional personnel necessary for recovery. The cybersecurity consultants provide technical leadership together with your CIO and CISO. The core IT team with the additional flex IT labor constitute the recovery team. If you mistakenly assume that you only need the cybersecurity consultants and your own IT people on overtime, you might encourage the incident to fester and continue for quite some time.
The leadership team for the incident comes with specialty skills. Your CIO knows all the existing IT infrastructure. Your CISO knows all the existing security precautions and risks. The cybersecurity consultants come with two specialties: incident response and digital forensics. Together, the technical leadership team should be four or five people.
In order to prepare for cyber-incidents, you need to have relationships with the people that you will need. This starts with the contact information for the cybersecurity consultants and for the flex IT people. It can extend to developing key relationships, so that you can reach people when you need them. If you wait for your cyber-insurance to suggest people, the good people might be too busy and you might get the second- or third-string talent.
In addition to key relationships, you need a budget. This budget should be dedicated to cyber-emergencies. It should cover the increase in cost for a recovery time of somewhere between six weeks and six months. It is unrealistic to hope that cyber-insurance will cover everything. Furthermore, your company will need to pay out before the insurance will reimburse some of the cost.
You will also need a tactical plan that covers key aspects of incident response. At minimum, this plan needs to consider the human elements. How much overtime can you afford during recovery? What is the reporting hierarchy for the IT people who are re-tasked from operations to security? Does the CIO temporarily cede authority to the CISO? Who do you listen to if the CISO and the cybersecurity consultants disagree? How do the CEO and the marketing team deal with the fallout?
Save your organization money and time with good strategies and preparation.