Guest Contributor: Heather Engel, Managing Director and Cyber Strategist, Strategic Cyber Partners

If your company has any type of regulatory cybersecurity requirement, chances are those requirements include a Cyber Incident Response Plan. Whether it is DFARS 252.204-7012, PCI DSS, or ISO 27001, incident response is a critical piece of your compliance and risk mitigation.

But when is the last time you exercised your incident response plan?

Your IR Plan is the blueprint your organization will follow – not just in a major event, but multiple times over the course of a year. Too many of our clients think of an IR plan as something on the shelf to be pulled out when the BIG cyber breach occurs – ransomware, malware, or massive data loss.

The truth is, that's the worst time to have to dust off and follow a plan that you haven't looked at in months. Cybersecurity events happen regularly – every day for some organizations. Most are not big enough for executive leadership to get involved, but they are significant enough that someone has to decide how to handle them. Is it a false positive? An indication of a larger, coordinated attack? Do you ignore it? Investigate? What elevates an event to an actual incident? Your plan should answer that last question explicitly, with defined severity criteria and a named decision-maker, so that the call is not improvised at 2 a.m.

True cyber maturity comes from procedures and decision-making being second nature to those in the organization, and that includes cyber incident response. We prepare by having layered defenses in place, procedures to respond to events big and small, and by training for the big event. You wouldn’t try to run a marathon without mapping the course, knowing where the water stops are, and maybe running a few 5Ks (at least).

Incident response is the same.

So why don't most companies exercise the Cyber IR Plan? Organizations moving towards a more mature cyber posture are often still caught in a reactive state. If you are a CIO, how many times has a day gone off the rails because you had to respond to a technical rollout gone wrong, or answer an unexpected data call? With barely enough time to get day-to-day tasks done, who in the organization is tasked with planning an exercise?

Making the move from reactive to proactive is sometimes the hardest leap.

For companies supporting the U.S. Department of Defense, not only is an incident response plan required, but exercises and after-action reporting are too. DFARS 252.204-7012 requires implementing NIST SP 800-171, which includes testing the incident response capability, and it separately requires reporting cyber incidents to DoD within 72 hours of discovery, a deadline that is hard to meet without rehearsed procedures. A solid and mature IR capability is one of the most important requirements, because the ability to quickly stop an attack in progress, recover, and manage the event is key to limiting the damage and protecting your business.

When working with our clients on IR planning, we follow the crawl, walk, run philosophy. Too many companies think an exercise has to involve failover and potentially technical downtime. It doesn't. Once the IR Plan is in place, the first step is to make sure everyone who has a role in responding knows what that role is and when they are needed.

Next, we generate a simple scenario with a few injects designed to surface gaps or outstanding risk. This kind of tabletop exercise takes a few hours and brings an element of realism that participants remember even after the event has ended. Then, we create an after-action report that documents the gaps, assigns tasks for gathering more information, and feeds updates back into the plan.

You could, of course, do this yourself, but creating the exercise injects and facilitating the exercise is where many organizations get stuck. Strategic Cyber Partners works with and recommends FirstLook, a customized inject-based scenario from PreparedEx for incident response of all types, including cyber. Rather than just a walk-through of the IR Plan, FirstLook provides actual what-ifs and concludes with after-action items. For organizations that need to show a proactive, mature IR capability, FirstLook is cost-effective and time-efficient, and it provides real results.

Interested in learning more about Cyber IR Planning, or FirstLook? Contact us: [email protected] or [email protected]

Heather Engel is a strategic advisor to government and industry clients specializing in executive support, risk management, cyber and business continuity planning, and security program development. She founded Strategic Cyber Partners in 2019 and is the Managing Partner.

She is a recognized expert in risk analysis and security frameworks including FedRAMP, NIST SP 800-53, FAR and DFARS cybersecurity requirements, U.S. Department of Defense instructions and guidelines, the New York State DFS Cybersecurity Regulation, and PCI DSS. She is a frequent author and featured speaker.

Ms. Engel graduated from the Pennsylvania State University and earned a Master of Business Administration from the Florida Institute of Technology. She holds numerous industry certifications including CISSP, CISM, and CISA. Prior to Strategic Cyber Partners, she worked as an advisor for DoD clients at Booz Allen Hamilton, General Dynamics, and a commercial cybersecurity firm. She is active in several community initiatives including the Commonwealth Cyber Initiative, ISC2 Safe and Secure Online, and Women in CyberSecurity (WiCyS).