In today's threat landscape, the speed and effectiveness of your incident response can make the difference between a minor incident and a catastrophic breach. The question is not whether a cyberattack will occur, but when, and preparation remains your best line of defense. Tabletop exercises are not just practice: they are essential for exposing vulnerabilities, refining your strategy and making sure your team is battle-ready when the real world strikes. Attend this webinar and hear security leaders discuss the need to:
- Understand the essential role of simulation exercises in identifying vulnerabilities and refining incident response strategies.
- Learn how to improve team coordination and response times through effective response drills.
- Discover best practices for preparing your organization to handle real-world cyberattacks effectively.
Good afternoon or good morning. Doctor Dustin Sachs here, Chief Technologist, Senior Director of Programming for the CyberRisk Collaborative. It’s March 6th, and we’re really excited to have everybody here today for this topic. The topic we’re gonna be talking about today, and the topic we’re actually gonna be talking about at CRA and at the CyberRisk Collaborative throughout the month of March, is incident response tabletops. And today’s event is titled Tabletop to Reality: Building Cyber-Resilience Through Incident Response Drills. We wanna start off by thanking Semperis for sponsoring us and sponsoring this event, and we’re really excited to jump into our topic. But before we do that, as we like to do on all of these, I wanna share, you know, for any of you for whom this is your first experience with the Cyber Risk Collaborative, give you a little bit of a quick background on what we are, why we’re here, how this conversation kinda came about, and then we’ll certainly jump in. So the Cyber Risk Collaborative is our membership community for CISOs, their direct reports, and the organizations that they are part of, here at Cyber Risk Alliance. Right now, in our general membership, we have about twenty-one hundred members. In our very much exclusive accelerator program, we have a hundred and thirty-five and growing every day organizations, and what we’re here to do is really help to accelerate career development, help most importantly with CISOs and their teams making better decisions and handling and dealing with the challenges of cybersecurity easier, better, cheaper, faster. And that’s really why today’s topic is so important, because we’re gonna talk about something that can be implemented very much practically, as soon as this conversation is over. We do all of this really through our network of members and through our community-driven model and ethos. So all of the topics that we bring to you are topics that our community has asked for.
They’re topics that our community is grappling with, topics that they need help with. And we make our information and our community available 24/7 x 365. There you have the resources available to you and the community behind you. You know, again, it’s all about pure collaboration. It’s all about CISO-developed and security-team-developed content. So the content that you will see that the Cyber Risk Collaborative puts out, all of it is really spearheaded and driven by our members. It is not analyst driven. It’s not something that we say we think you should care about. It’s you telling us these are the topics that are most important to us. And one of the kind of primary ways that we do this is through our resource toolkits. We have nineteen resource toolkits. By the end of 2025, we’ll have twenty-five of them, and these are curated groupings of not only resource documents, but tools and templates and items that will help you not just understand what you should do, but actually do the job of security. I could spend my whole time today and our whole time today talking just about the resource toolkits, but that’s not what we’re here for. I will, however, tell you on March 31st of this month, we’ll actually be having a dedicated resource toolkit demo. Please check your weekly member update for more information about that, or reach out to myself or anyone here at the CyberRisk Collaborative, and we’ll be happy to get you the information about that, but these are all meant to help you save time and money. Without further ado, I wanna jump into our topic today, and I wanna start off by introducing our panel. Really excited. We’ve got a powerhouse panel that, quite frankly, I’m probably the least qualified to be on. So we’ve got Matt Rosenquist, multi-time CISO, and James Doggett, the CISO for Semperis. James, Matt, welcome.
And, Jim, please go ahead and introduce yourself and share a little bit about yourself for those who may be meeting you for the first time. Alright. Thank you so much. I really appreciate the opportunity to talk about a topic that I’m spending a huge amount of time on these days, which is resiliency, tabletops, incident response, crisis management, all areas which, again, I think are very topical for today. My background: I spent a huge part of my career at EY, starting through audit, then moving over into the consulting and security realm. From there, I’ve been in CISO roles at AIG and Kaiser Permanente, and I’ve stayed also, I guess, at JPMorgan for a while. So I’ve been doing this a long time, and it’s fun to sort of keep up and see what the latest threats are and what we have to deal with. Thank you so much. And, Matt, please share with our audience a little bit about yourself. Yeah. So I’ve been in crisis management, whether it be security, medical, natural disaster, and cybersecurity, for well over thirty-five years now. So I absolutely think it’s vital to all of and everything that we do to be able to manage those, well, those bad things that can amplify over time if they’re not taken care of. And crisis is just one of those things that we have to get really good at. I’m sure we’ll discuss why that is and the benefits and relevance of that. So my background in cybersecurity, and again, it’s well over thirty-five years in the career of security. I’ve managed and built out these types of capabilities and managed countless, countless types of events to bring companies and organizations, governments, and so forth back up on their feet and be able to be in a much better position with minimizing the overall impacts. And that’s really where we wanna kinda get to as we talk about all this stuff. Great. Thank you.
And for the for all of you who are attending, if you’ve got questions, please either put them in the chat or in the Q&A function that you’ll see on your screen. Please, we love getting questions, and this is a really great topic, for you to ask those questions that you might have. Because if you’ve got the question, I’m sure that somebody else watching here has got the question as well. So as we start, you know, one of the things that we talked about in the in kind of the prep for this call was the fact that really the view of a tabletop exercise, what a tabletop exercise even more basically is, is really a simulation of what a cyber incident might look like when it actually happens. And, you know, I always kind of think of tabletop exercises very similar to fire drills at, you know, our kids’ schools. They every month you have a fire drill at the school in order for the kids to learn this is what you need to do when there’s a fire, when there’s an actual emergency. So that when that emergency occurs, everybody knows where to line up, where to go, how to get out, how to be safe, how to make sure that you’re operating the way you’re supposed to be operating, not just as a student, but as a faculty member, a teacher, an administrator, you know, a safety person in the school. And for me, it always seems like that’s the way we should be viewing tabletop exercises. However, we really don’t. We treat them as, well, I’ve gotta do this because it’s required by some guidance, some, you know, compliance guidance or it’s required by my cyber insurance or it’s just it’s something I gotta do. So what I’ll do, I’ll just get all my executives together. We’ll talk about the same stuff we talk about every day, and we’ll call it a day. So, you know, I really certainly in the first part wanna talk about, well, why do these actually matter? What do they give you? What are the things that they identify for you that a real incident might not be the optimal place for this to occur? 
So, Jim, starting with you, you know, we all talk about, you know, cybersecurity resiliency. We need to be resilient. We need to build a resilient cybersecurity strategy. Why are tabletops such an important and yet overlooked element of building cyber resiliency? Yeah. And, again, I think the key word you put in there was resiliency. Historically speaking, most security folks, we focus really on detecting and preventing. That was then. Now comes ransomware and all kinds of events that could be a crisis, or an incident can occur now more so because of a security issue. And I think that, one, that’s why I think we have to be more involved than we potentially have been in the past. But to answer why tabletops, and I think you started to cover this, Dustin, already to a degree, it’s that you don’t want to, in an emergency situation, when something’s going crazy and you can’t find all the people you want, you don’t know who to call, you haven’t figured out who has to make these decisions, you don’t know who’s in charge. I go on and on. If you haven’t practiced that several times, you’re probably not gonna enjoy it when you’re under a crisis mode. And it’s just the same thing. I doubt any of you, if you gotta go in to get surgery, want a doctor for whom it’s the first time he’s ever done surgery. It’s the same concept here. You have to be not just prepared, but when a crisis is happening, you are going to discover things that you weren’t aware of, all of a sudden. And let me give maybe a quick example of this that I think might be good. I’ve been through an event where we had an outage, and the incident response cranked up. We actually then went into crisis mode on this. But as we were going through it, we figured out how we had to get applications back up for certain areas because they were out. And then we found out quickly, oh, we can’t even log on to the network because Active Directory is out too. Someone destroyed it.
So all of a sudden, we couldn’t do a thing. That’s what you learn in a tabletop that otherwise you probably don’t want to happen when the crisis has happened, because you’ve just extended your downtime, potentially, by multiples of days, hours, could even be weeks in that case. So for me, this is an area that we need to be highly attuned to as security professionals. Yeah. So, Matt, you know, as we talk about the unpredictability of incidents, obviously, you know, I’m gonna use a real world example that we all saw last year, but I don’t think anybody probably waking up, you know, first thing in the morning on a Friday expected that some vendor out there would have pushed an update out at one in the morning that brought the world to a halt and started to reveal that organizations that we never knew had this tool in place actually had it in place, which was a good thing, but certainly, from an incident response standpoint, started costing lots of money. We’ve also seen incidents where, you know, a major entertainment and hotel and casino in Las Vegas has an incident that occurs, and they’re down for days at a time losing, you know, eight-plus million dollars a day. Why is it so important to simulate and to practice what to do in an incident ahead of time? And does it really actually help, because of the unpredictability of some of the incidents? Yeah. It’s a great question. And, you know, I’ll start off by kinda building on what Jim was saying. We really have two purposes when we talk about cyber risk management. First is to avoid risk, and we do that by prediction and prevention and all these great things. And it’s really the highest why. But if we do our job really well and everything goes great, nothing bad happens. We don’t experience loss. So we’re preventing it. But on the back half, because sometimes all those defensive postures and all those efforts don’t always work, we know bad things are gonna happen.
And that comes to the second role that we contribute to, which is to minimize losses or impacts when bad things do occur. And so when we talk about incident response, it’s the latter of those two. And if you do it poorly, the amount of impact can compound and it can crater an organization as well as everybody down the supply chain as well. Right? So we see those types of attacks and issues. So doing crisis management well reduces that impact. And what do we mean by impact? Right? We mean downtime. We mean loss of data, productivity of employees, contractors, users, uptime of factory or production. Right? Compliance to regulations, you know, adherence to the contracts that we have with our customers and partners, all of those things. Nobody likes impacts. But if you don’t manage the crisis well, it gets much larger, much faster. And during those times, we have some resources. Time is not one of them, and stress tends to go up. So being able to manage our stress isn’t necessarily one of them. It just gets worse and worse as time goes on. So everything we talk about crisis management is really about how do we reduce how do we maximize our resources to reduce that impact? So when a vendor, one of your vendors who supplies you software, pushes a bad update, and you start having a cascade effect of issues because critical systems are going down and they all interact with each other, you have to be able to respond quickly. Time isn’t on your side. You have to be able to understand what is the root cause and what can I do to help contain it or slow it down? And if it’s an attacker that’s coming to your environment, the same exact thing. You need to know what’s going on. How do I slow that attacker, that lateral movement? How do I reduce the damage that they can cause? And that’s just the first stage. Once we’re able to do that, right, stop the increasing pain. Now we have to get the business back up and running or those critical services back up and running. 
And it’s not like just turning a light switch back on. There are very complex dependencies that you have to think about, and all of this takes communication and collaboration across your organization, and chances are across your supply chain and potentially even with regulators and law enforcement; all of it has to work together. And if it works together on a perfect day, you can greatly minimize the impacts. But if it doesn’t, if you’re slow, if, you know, you’re not communicating, you’re not collaborating, people are wondering, hey, what’s going on, and causing more churn? That then gets expanded, and so does the overall impact. So at the end of the day, for crisis management, we wanna minimize it, right, as much as possible. That is our job. What you just said was really good. Jim, I’ll come back to you. And then, but yeah. Please. Oh, me? Okay. With that, I just wanna add on to it. You’ve talked about the primary, I think, the ability to minimize the downtime, and that is incredibly important. But, also, crisis management, tabletop exercises also help you not get into more trouble. And what I mean by that is who’s authorized to communicate out to the public if you’ve got a requirement to? Because the last thing you wanna do is communicate one thing quickly and then have to retract it and then say, oh, no. It’s actually worse than that. Those kind of things. So, do you have parts of this that need to be under legal hold so that you protect yourself? All these kind of questions, you want to practice upfront and make sure you’re ready for it. Because if not, you can exacerbate an issue that you’ve got just by not being aware of what you need to be doing. And that’s, again, practice makes perfect there. Yeah. I mean, the impacts are not just the factory being down. Right? It’s also the legal liability. It’s your reputational impacts. It’s, you know, contractual violations, regulation violations.
There’s ethical concerns. When we’re talking impacts, impacts can be tangible and intangible. It is huge. So we have to understand all those aspects. And, again, crisis management is there to minimize those overall impacts. So it’s not just about getting DNS back up or your factory back up or some service that’s down or, you know, laptops decrypted. It’s about every aspect of your business, right, or your organization or your purpose or your value to society. You know, and there are so many different interwoven potential impacts. It’s not just a factory being down. So it’s a great point, Jacob. And so, you know, before we kind of move on, there were a couple of things that I heard you both say that I wanted to kind of focus in on. The first thing is, you know, Matt, you kind of said something when you were talking about the need to, you know, figure out the dependencies and all of that. And I always hearken back to, like, the scene from Apollo 13 of I’ve gotta turn the system on. I gotta turn the spaceship back on in the right order to not go over a certain number of amps. And, you know, for those of you who, and I’ll issue a spoiler alert, but at this point, if you haven’t seen Apollo 13, I think we’re past the point where a spoiler alert has to be given. But, you know, one of the astronauts was actually down on the ground trying to figure out what’s the right order, testing it out and doing it in real time. And obviously, that’s not when you want it to happen, which is why tabletops are so important: it lets you figure out all of the weaknesses ahead of time, which I think we were talking about in the prep for this, which is, you know, it’s important to remember that you don’t want your tabletop to go off perfectly. You want there to be problems. You want there to be things that you discover. There should be, you know, weaknesses where you go, oh, wow. We didn’t even think about that.
We didn’t plan for, like, we don’t already have the answer to do we pay the ransom or not. We don’t know who it should be. And, oh, by the way, the process is we need to get the board involved. Well, calling the board together when there’s an incident is a problem. And Jim, you also brought up the importance of the communication, and I think this was something else that we focused on in the prep for this, which is you’ve also gotta be concerned about not only the communication externally, who’s gonna be able to talk out, who can do things, and, you know, I’ll use, and not to shame them at all, but to use it as a real world case study, if we look back to one of the Marriott breaches a couple years ago, they came out and they said, we’ve got a hundred and fifty million people impacted. Then they said, no. It’s actually larger. No. It’s actually larger. And then they finally said, oh, no. Actually, it’s not anywhere even close to that. It was a lot smaller. And the optics of that is, you know, certainly problematic, but you also need to worry about communications internally. What are your employees talking about? Because they’re getting things firsthand or, you know, through the rumor mill. And, you know, I think you made a point in our prep call, which is if the rumor mill’s going on internal to your organization, at some point, you have to assume that rumor mill is gonna move external and somebody’s gonna spill something to somebody, you know, family member, spouse, best friend, whatever, and now it’s out in the public and now you’ve got a whole other issue. But so one of the things that we talked about when we were talking about kind of the tabletop was this idea that, you know, traditionally most organizations view tabletops, they go, well, we’ll get all of our executives in a room and we’ll talk through the executive level things.
How important is it, Matt, for an organization to make sure that when they’re doing their tabletop exercises, they’re doing tabletops that don’t just focus on the executives, but also focus on that help desk person that’s coming in, you know, that’s getting the, hey, I need my MFA reset. You know, how important is it to have the lowest levels involved as well as the highest levels? Well, you know, in crisis management, if you wanna be good at it, it’s an eighty-twenty rule. Eighty percent is actually the preparation in understanding who needs to be involved and why for different types of scenarios and issues. The other twenty percent is operational. Right? It’s executional when something bad happens. So, you know, I landed and I was Intel Corporation’s first incident commander. So I owned anytime the company was being attacked. And when an incident was called, I would meet with all of my chairs, and we had various representatives who would own certain things. Communication, by the way, was one. It was one of the most important. But we had people from, you know, networking and from domain and from apps and the business lines and production and HR even and legal. Everybody had a certain role and responsibility. They knew what that was, and we all worked the issue. We knew there were different phases to the issue, and people would be doing different things during those phases. And so when we look at some of the requirements, one of the chairs was IT support. Right? Because that tends to be an interface with the primary group of employees and contractors and so forth. If they have a problem, they’re using that, and we’re using that group to be able to communicate out to the end employees.
So, again, if you’re going to be gathering information, right, or you need to instruct them to do something, you’re gonna be using those functions, those, you know, employee support, technical support groups, employee internal communication groups to be able to get the message out or pull information in. And that’s just one piece. But that’s something that the incident commander, right, or whoever’s in charge of your crisis management, they’re going to be leveraging in different ways based on the situation and kinda what phase you are in within that situation. And, again, every chair, every lead has a certain role and responsibility that is imperative. And if you know that and you have that person or persons, because you would always have a person and a backup. Sometimes there’s vacation. Sometimes people are unavailable or whatnot. That’s great. Right? You need to be able to have contingencies. Eighty percent of that is preparation. Right? And if you see the big picture, you know the value of those roles, and then you can move on to help build a much more cohesive process that is repeatable and that can be improved every time, because you’re gonna learn something from every single incident. So you wanna get better over time. You need to have those processes for comprehensiveness and consistency. So it’s important to have the right people in play. Absolutely. So, Jim, you know, one of the things that I know you mentioned was the importance of the communication aspect of things. And, you know, I think David Wallace put in the chat some really important things. But the way I would pose the question is, how does an incident response tabletop, how does doing that, what are the ways that organizations can use those exercises to help craft what their story is gonna be when said incident occurs?
And it may be, you know, a, hey, we’ve got a general kind of boilerplate and we’ll insert some words here and there and maybe, you know, hopefully not Mad Lib it too much where the words don’t make sense. But, you know, certainly we wanna make sure that we’re controlling the narrative versus letting the incident or external forces control the narrative. But how, practically, can organizations use the tabletop as a means to discover that messaging? Okay. First of all, I would say that, upfront, you probably do want to have canned, if you will, at least, responses that you’ve talked through before. Again, just because I think that tends to help. But I think that, again, when you think of communication, you have to look at the who of that, who should be communicating, and to whom it has to be communicated. And this gets fairly complex fairly quickly. And a tabletop, I think, has the ability to sort of very quickly bring out that, oh, we’re in the midst of this. Oh, we need to reach out to this person in this organization, and how do we reach them? Do we even have a phone number? Because we can’t look up that phone number today because our network is down. So that’s where tabletops to me come in, that it takes those contingencies into account, if you will. And, again, if you’ve been through these crisis managements or incidents like this, they always come up like this. You can’t anticipate everyone that you’re gonna need help from. And what happens if that person’s not available? I mean, we very purposely, at most of our tabletops, I don’t know the right word to use here, but we make people unavailable. They have some input on their own, and they can’t be there. So who does it go to next? Those are the kind of things that you purposely sequester certain people away and say, hey, this person’s on vacation. Now what do you do?
I think, you know, one of the points you made, Jim, that’s really important, and was one that for me was a really eye-opening thing when I was involved in one of my first tabletops, was you wanna also use the tabletop and that preparation period to build good relationships with your local representatives for both state, local, and federal law enforcement. The last thing you wanna be doing is, in the midst of an incident, calling your local FBI special agent for the first time, having never spoken to them before. You know, you wanna have that relationship ahead of time. I was very fortunate. I did a tabletop one time for an organization, and they were based here in Houston, and I happened to, you know, have already built really good relationships with the local FBI. So what I did was I didn’t use any, you know, emergency number. I used one of their standard numbers, and I’m like, hey, Brian. I’m calling you right now because we’re in the midst of doing a tabletop exercise, and I wanted to show the organization, my organization, that this is the step I would have taken. So hope you’re doing well. You know? Hope your kids are well, kinda, you know, like, let’s use this. Yeah. And you can be creative. I think Chris Wyndham put in a really nice one. My people are skiing in Europe, and there’s no cell service. These are the ones I take out, you know? You can make up fun little stories for the purpose of, I mean, you obviously wanna make sure they’re realistic, but skiing in Europe, their kid gets sick. You know? They get sick. You know? Certainly things you wanna do. Jim, I know you wanted to add something. I’m good. I’m good. You covered it. Yeah. Well, I do wanna add something here. Right? Absolutely. Exercises. One of the beautiful things, and Jim’s touched on this, is it reveals your assumptions that may not hold true.
And, you know, Jim had mentioned, hey, you know, we need to contact people, but the system’s down and I can’t pull up their phone number. Right? The global directory is down. And I actually work with a client that had that exact problem. They assumed that the global directory would be available, and so you could look up people’s phone numbers or home phone numbers or cell numbers, or be able to communicate with them in a secondary email or something like that. And yet it was down. Right? And they hadn’t thought about it. And we always joke in the crisis management community, there should be a binder or set of binders that are collecting dust. And when a crisis happens, you wanna be able to pull it out. You wanna be able to have all that contact information. You wanna be able to have all your processes. You wanna be able to know what play cards each of your chairs can handle without further authorization. Right? All those kinds of things. And, you know, we say there’s dust on it because hopefully you don’t have to use it very often. But in reality, you also have to have people behind it to make sure it stays updated. Because if it’s three years old, right, and all the names are wrong and all the processes, you can actually create more chaos. So, you know, everything that we do, especially on the tabletop, it really tests those assumptions. And it should. If you’re gonna assume the incident commander’s gonna be available, they may not be. If you’re gonna assume that your legal rep will be there, they may not be. How are you gonna adapt to that? Right? So it’s great at bringing the brutal truth of having systems and people and processes potentially unavailable to the forefront and really testing those.
And certainly after, you know, one of the incidents we’ve alluded to on this call a couple times occurs, you know, you wanna, and to Brian Richardson’s point in the chat, you know, most organizations are dependent on some amount, if not a large amount, of third parties. The last thing you wanna have happen is an incident occurs and you realize you’re customer four hundred ninety-nine thousand nine hundred ninety-nine in the list of priority, because either you’re too small for them to care and there’s, you know, four hundred other companies, including, you know, a major airline, that are, you know, down and losing money, you know, by the millions, or, hey, you know, if we had just paid this extra cost, got this extra level of service, we’d be able to call them up. The last thing you wanna do is find that out when the incident occurs, and you go, okay, well, now we’re gonna be down for a couple days because we gotta wait our turn in line. And the other thing you wanna, you know, avoid, especially with your third parties, is many times our only contact to the third party is a sales rep. When an incident occurs, your sales rep does not care, isn’t gonna pick up the phone, because you’re not actually buying anything from them at that point. And now you’ve gotta go, hey, can you connect me with the person who’s actually gonna help me save my, you know, my organization? And, again, to your point, time is money and time is, you know, the fixing of the incident or it getting, you know, orders of magnitude worse. And, you know, I’ll kind of just tangentially say, you know, the whole thing that for me always stands out, and it’s something I’ve done a lot of research on and I’ve actually got a research paper coming out in about two weeks on, is the fact that we as humans don’t do a very good job. It’s just in our brain chemistry.
We don’t do well with large amounts of data coming in at very high speeds in a very short amount of time. Like, so in an incident, you’ve literally got thousands of alerts, thousands of data points coming in at once, and you’ve got to respond to them, and you’ve got a very compressed timeline; it can be a recipe for disaster. So having that practice, doing those things. So, Jim, one of the things that obviously in our community here at the Cyber Risk Collaborative we talk a lot about is the importance of having metrics, because when you need to communicate to your executives, when you need to communicate to others, metrics are out there. And, you know, with metrics, obviously, we have the traditional ones, mean time to recover, mean time to detect, all of those things. When you’re looking at your incident response tabletop, and one of the things that I think, again, I’m gonna kinda double click on is this idea that you don’t want your incident response tabletop to go off without a hitch. Like, if everything goes perfectly right, you have not found something that you should have found. You’re like, there’s something you missed in the exercise you were doing. How do you create, how do you establish the right metrics so that you can show that it was successful even though there were things that went wrong? Because we don’t traditionally like to do tests that we don’t get a hundred percent on. So how do you say, hey, you know what? We got a fifty percent on this and that’s okay. Yeah. I typically don’t measure the, when you look at the success of a tabletop, it’s like you said earlier, you want there to be problems in it. So quite frankly, if it wins perfectly, you’ve lost already. To me, I look at different kind of metrics when it comes to tabletops: for whatever the scenario you have, do you know what priority you put to which applications or which solutions? Do you know how quickly you need to be back up?
What are your requirements to come up, and would you be able to make those based upon this tabletop exercise? Now, again, I'm talking about what I would call a real tabletop exercise, not a compliance one. Because the problem with compliance is you could check the box and be done within ten minutes, and it in no way proves that you're ready for a crisis. You have to take these seriously. And I know it's so easy to get caught up in that we have to do it to fulfill our responsibility to insurance or our customer or whoever it may be, but long term, you're not doing yourselves any favor by not making this real. So to me, the metrics that I would place around it are: were you successful at meeting the time frames of recovery that you really think you needed to meet? And, again, since you're not actually doing that, in most cases there are assumptions that have to be made. So to me, that's the way I look at it. Others, I know, look at the metrics of how well it went, how many mistakes they made in that. I don't go that route.

So, Jim, based on some of the conversation that's happening in the chat, I wanna bring you back to a conversation we had, I think, the last time you and I did one of these at the end of last year. You know, one of the biggest things is that, and Brian Richardson says, no matter how level-headed and calm team members are, things get amped up during a real incident. I remember you saying, and we talked about this, what do you do when you're trying to identify the incident commander, and, Matt, I'd be interested in your perspective as well. Oftentimes, we think that the incident commander should be somebody who's got the most technical chops, knows where everything is, knows how to run things, because they need to be able to manage the thing.
And I think, Jim, you mentioned that the person you guys have as your incident commander is, like, totally not directly part of the security team. They are somebody who can truly be that level-headed, like, guys, I understand this is crazy, but just calm down. How important is it to think outside the box about who your incident commander should be?

Yeah. It's a couple factors here. The skill sets I think are needed to be an incident commander: one is that calm factor. You don't panic, because panic will be a bad thing. The second part, which is almost the most important, is you've got to be able to juggle a lot of balls at the same time and keep them all organized. So to me, this is the ultimate project management skill, and to me it is one of the most critical. We can attach technical resources to that incident commander to take care of the others, but the real key is you don't want to do step B before A. You don't want to forget to do step C. And you keep going that route. So it's really someone who's the ultimate, in my mind, project manager.

Matt, I saw you shaking your head, so I know you've got some opinions on this. Please.

I like it. Oh, okay. So let me start by first saying, you know, in cybersecurity, we manage it either through leadership or crisis, and that holds true for our day-to-day stuff. It also holds true during an incident. And when it comes to managing an incident, you need leadership. The leader is very, very important, but so are the technical people and the subject matter experts and everybody else. But the leader of an incident needs to have certain skills. One is leadership skill, because everybody is stressed out. This is something that isn't necessarily done every day. It can be chaotic. It's very ambiguous, especially in the beginning. Right? A lot of unknowns.
So they need to be able to lead, which means they need to be able to communicate. They need to be able to set expectations. They need to be able to draw in collaboration. They have to get people to work together, sometimes when they're already distracted. They're so worried about, hey, I need to fix my department or my issue, that they don't realize, no, you're critical to fixing everybody's issue. Right? We need to set the minor things down that may be burning on your particular foot so that we can save the entire body. But leadership does require a certain amount of stability, emotional and mental, because everyone's gonna look towards you in a very stressful moment. So you need those leadership skills, and part of that is also you need to be willing and able to make decisions. Time is not on our side. We don't wanna make bad decisions, but an inability to make a decision many times can be as bad or even worse than making a questionable decision and adapting from there. So it takes a lot of skills and experience and mental certitude to be able to be a good leader and keep everybody focused, everybody on schedule, on task, get them to work together, and feel as if everybody is contributing and everybody's moving together as a team. If you don't have that, you'll get fractures. You'll get spinouts. You'll get people doing their own thing or not listening or not being part of a more important solution. So leadership is crucial. You can have the best IR team and a poor leader, and it'll fail. And you can have a really poor IR team and yet an outstanding incident commander, and you will find success. So leadership is usually important here.

And it's interesting that David Wallace put in the chat, he said, you know, the two words he uses for every one of the incidents are dynamic and improvisational.
And it's really interesting that he used that second word, because it pinged off in my mind a reminder that probably one of the best incident commanders I ever worked with on an incident actually was a theater major in undergrad, because they had learned how to do improv. Literally, those improv exercises were a savior for us, because they knew how to respond quickly, how to adjust their approach, and how to project an emotion regardless of whether they truly felt it or not. Because, certainly, more often than not, we see that the CISO or the deputy CISO is acting as the incident commander, which means there is some element of them going into this knowing that their job could be on the line for this. So they've got a legitimate amount of fear and anxiety over it, but they've gotta project a sense of calm and normalcy. So, really great points. Please keep them coming. Please submit any questions you've got as we get ready to start to transition over to that. Before we get into the Q&A section, though, Jim, I'll start with you and then, Matt, come to you, but what is probably the most overlooked or most missed opportunity that organizations have in the immediate aftermath of completing a tabletop? Where do they fail to do something that they should otherwise have done, or that should be like, this is the very next thing I should do after I finish my tabletop?

Sure. To me, this is fairly direct. Again, during a tabletop, you typically want someone to be scribing everything that's happening: who talked when, and what, either through an automated tool or just the old-fashioned way. Because the whole purpose of a tabletop is to get better at responding the next time, or the time it actually happens for real.
So to me, this is trying to find the nuggets that you learn where you made mistakes, so that you can plan, or realize we need to take a new project on to make sure we have this covered the next time. Or we need to make sure that, oh, this person really needed to be an integral part of this, and they weren't available because we had never thought about even talking to them. And it's things like that that, to me, are actually the most important. So it's that post-review of the incident. And, again, it may not have to take the entire team to do it, but you certainly need a good group of people. And then from there, you have literal assigned tasks that people have to go out and do, so that the next time you hope those same issues don't pop up again, and hopefully new ones do. Does that sort of answer what you're asking?

No. That's spot on. And, actually, Chris Windham put a comment in, and then, Matt, we'll come to you, which was a really interesting one and one that I think a lot of organizations overlook: you may wanna have multiple people doing the documentation and documenting events, because people hear different things, people see different things. It's the old eyewitness testimony. You ask four eyewitnesses about the exact same event, you get five different stories. So having those multiple people keeping track of, oh, this is what happened, this is what we discovered, this is what we did, you could piece it all together and create almost a 3-D image of what actually occurred, as close to a perfect timeline as you can, because you go, oh, well, this person got this. This person realized that this is what happened. You may be in different rooms. You may be in different areas. So you may not know what's going on in another room that you need to document.
So, Matt, from your perspective, what are the things that organizations maybe miss in the follow-up to a tabletop that they should be thinking about?

Well, I would say there's five things, actually. And we kinda touched on some of them. First off, that scribe function, which is a required person, by the way, for any incident. And during a tabletop, the scribes have to get better too, right? They're learning as well. So you have to improve their skill set, because it is an art form to be able to scribe properly and understand who's saying what, what decisions are being made, so on and so forth. So, the tabletop, five things. Number one, the key learnings have to be documented. They have to be very clear and documented and communicated out. Right? So that's number one. Number two, there should have been mistakes or opportunities for improvement, and all of those need to be brought together so you can improve your processes. Again, processes are there for consistency and comprehensiveness, which means they need to be documented. They need to be learned. They need to be passed on and taught to the next generation of people coming in. So there should be some type of documentation around processes. So those have to get updated because you've learned things; apply it, right? The third thing is to enable empowerment. And this is very important for average or top-tier kind of incident response, a little less so for the basic ones. But for organizations that wanna be average or good, there have to be a lot of decisions and a lot of actions, and people are often hesitant in a crisis. They don't wanna make things worse, so they may not act. Or you get the opposite, that people just wanna act, and they're acting on fear and doing things that sometimes you have to go clean up, or it's the wrong things and it sets us back. Right? But you do wanna actually enable empowerment for good decisions.
Coming out of a tabletop, one of my favorite things is for an organization to be able to say, hey, for the communications group, or hey, for the engineering group, or hey, for the IT support group, we could do x, y, and z ahead of time. Right? Yes. Document that. Right? Start making things move faster, because one of the critical metrics out of any incident is how long did it take from crash and burn to back up on our feet. We wanna be able to condense that down. And as you enable empowerment, you help speed things through in a productive way. So that would be number three. Number four, document the business value. You just expended time, energy, effort, and resources. You just impacted people's normal working day to be part of this activity. You need to document what that value was. Right? And that needs to go higher. It needs to go up to the powers that be to understand this is why we do it, and this is what we gained out of this particular one. And that leads into my last thing: set your goals. And the goal may be we're gonna do this again in six months. Or the goal may be we're gonna create a metric on how well we make decisions, or how fast we can gather everybody together, or what the cadence is of the meetings at the different tiers to feed things up. Whatever it is, start improving on your goals, and that goal's tied to value. And the value is what you're gonna be communicating to the entire organization, especially those people who are funding this. Right? So it should be going upwards. Those would be my five things.

That's great. So we're coming up on the end, and there is a question that came in that I definitely want to get both of your insights on.
So for organizations who honestly may be doing a tabletop or looking at doing tabletops for the first time, or who have done them for a long time but are looking to try to improve them, what are some of the things that they should be doing or can be doing, or what resources are out there to help them better plan those tabletop exercises, if it's their first or even if it's their thirtieth? What are those kinda tangible things they can do? Matt, start with you, and then, Jim, we'll come to you.

Cool. Yeah. I would say there's a couple of things. First off, there's lots of different documentation out there for different types of tabletop exercises, for different industries, for different organizations, for different types of incidents. I'll tell you that loss of intellectual property is completely different than a factory going down. Right? Or a threat against your executives, or a compromise of their email or something like that, is much different than a denial of service on a web page or an interface. Right? So there is lots of documentation out there that you can use. You don't have to recreate the wheel. That's number one. And number two, there's a lot of knowledgeable people out there that have experience in this. Tap them. Get their insights. If they've been on this journey a thousand times, and I can't tell you how many different incidents I've been involved in, hundreds, right? Leverage their insights, their resources, not only before you do the exercise, but also after, because they'll see it through a different lens, potentially deeper, maybe broader. And they can provide some of those insights, again, for value, lessons learned, future goals, things of that sort, that will help you as part of that exercise as well as preparing for the next one or a real incident.
So what I hear you saying, Matt, is that organizations and communities like the Cyber Risk Collaborative can be really beneficial in helping to get those resources, those tools, and have those conversations. And that's one of the reasons why we come together today, why we have the Cyber Risk Collaborative here at CyberRisk Alliance.

Yeah. And I would say beneficial is kind of weak, in a sense. When you get to a certain level, it becomes essential. Right? There's only so many things you can learn from a written document or something like that. Bringing in experts, peers that have the scars, that's experience. That's crucial.

Absolutely. Jim, your kind of final thoughts, and then, as part of that, can you share a little bit about Semperis and where people can find out more about the organization?

Yep. Okay. Couple things. Two points, I guess, upfront on getting help and how do you prepare for this. And, again, I very much, if you can afford the money and if you don't have a friend nearby who'll do it for free, even hiring someone to help the first time you go through this, who's done it a thousand times, it is valuable. And, historically speaking, the first time I go to a company, I've done that. And then from that point on, we take it over, but it does a good job educating, and, also, you get the independent kind of view. The second comment I would make on that is preparation and planning for a tabletop is not a trivial exercise. It should take longer than the actual tabletop by a long shot. If you don't prepare correctly with the right injects, the right theories, you'll get through it quickly, but you won't learn as much. So those are the two comments I would make from the perspective of how do you get help and how do you get through these in the best way possible.
On the second point, about Semperis, again, the best way to describe it, and I'll do this very quickly, and if you want more information, happy to help you out, but we're all about identity, your identity system protection. So your Active Directory, your Entra, your Okta, those particular sources that typically house your identities, which, quite frankly, identity may be the most critical part of security, at least in a lot of people's minds today, because there is no perimeter at this point anymore. But, anyway, we have tools and processes and consulting support that help you harden your system upfront and identify the weaknesses in your Active Directory. We have continuous monitoring, the ability to undo anything that happens within Active Directory with a click of a button. So if you fat-finger something or if someone does something, it's very quick to sort of back up and recover, which is a big benefit, at least in my past life anyway. And then the last is, should the horrible happen and you get a destruction of your Active Directory or Entra, we have the ability to not only back up but automate the entire recovery process. So those are the primary tools. And one that I want to just quickly mention on top of that, which is a new product about to come out, it's called ReadyOne, and it's basically taking incident response, crisis management, and business continuity, and providing a tool that allows you to accumulate and maintain all of that information in a SaaS environment, which will be operable even if your entire network is down. You still have to maintain everything, but it adds tremendously to the ability to interact and do things quickly. That is in QA, and it's going out right now; it's gonna roll out at RSA, actually. So I'm sort of excited about that.

Absolutely. Well, thank you so much. And for anyone who's wondering, yes, this session was being recorded.
It will be available again on the SCWorld.com website, same link that you used to register. And, Matt, great question. I don't know the answer. Is the answer to "what is the speed limit of an unladen European swallow?" Yeah. Not sure. But thank you both for being here. Thank you all for attending. Thank you for really keeping the chat going throughout. This is a really great topic, one we're gonna be talking about for at least the next thirty days and well beyond that. Thank you all for being here. Thank you, Semperis, for sponsoring this. Stay tuned. Check out SC World. Check out cyberriskcollaborative.com. Check out our LinkedIn. We've got a lot of events coming up next week. At our next event next week, we're gonna have career CISOs Nicole Ford and Barbie Monahan joining us to talk about cybersecurity culture and how to build a diverse culture at your organization. Check that out. Check out your weekly member email. We've got a lot of events coming up. Anyone who in the next couple of weeks will be traveling because it's spring break around the United States, please be safe. Please enjoy yourself, and we will see everybody again real soon. Thank you all for being here.
