Incident response planning with a virtual CISO. How can a virtual CISO help you with incident response planning? Today I’m going to cover two specific ways, and then I’m going to pivot on the second one and show you two different ways to conduct it. To start, a virtual CISO can help you with incident response planning, number one, by helping you prepare what we call an incident response plan.
Whether or not the company has an incident response policy, what matters more than the policy is the plan. The exception is regulatory compliance: if you are under a regulatory requirement, you may need a written incident response policy, because without one you might be fined or carry some liability. With that exception, policies on their own don’t do a lot.
The plan is what’s important. A good cybersecurity incident response plan reminds you how to approach an incident when one happens. It’s basically a framework to follow.
The reason it’s important is what happens when you actually experience a cybersecurity incident. Just a little backstory: I’ve done cybersecurity incident handling for years, and on the longest one I worked, I sat at a desk in a server room for over 24 hours. I don’t know how cold it was in there, but it took me a long time to get my bones warmed back up. That was a disaster.
I’ve been there, I’ve done it. And I’m telling you that when one happens, it really separates, and I don’t want to use discriminatory terms, but the old phrase is “the men from the boys”; maybe the better way to say it is that it separates the mature from the immature. When you have a cybersecurity incident, you’re going to know who the mature people are, because they stay calm and they stick around.
But even for those people, it’s really good to have a plan, because a plan is something you can stay calm with, open up, and refresh yourself on how to approach the incident. There are particular steps to take when you’re responding to a cybersecurity incident, and we don’t want to overlook any of them.
A lot of times we jump straight to getting that user recovered or restored from backup, when recovery is one of the last steps in incident response. Once an incident has been detected, the first response step is containment. To contain it, we don’t need to understand everything about it: we don’t need to know where the attack is coming from, or even what type of attack it is. We do need to know what to isolate (a host, an account, a network segment) so the damage stops spreading, and where we can, we should contain in a way that preserves evidence, so isolate rather than wipe. The plan should say who is authorized to make that call.
That’s where we need to start. A virtual CISO can help you develop an incident response plan that lays out the steps to take during an incident, in order, and brings everyone onto a consistent way of handling it.
So that’s the number one way a virtual CISO can help – incident response planning.
The second thing a virtual CISO can do is help you conduct tabletop exercises. There is a great free resource for this.
It’s from CIS, the Center for Internet Security, an amazing organization whose resources I use all the time. I can’t say enough good things about them. This one is free and online, and it’s titled “Six Tabletop Exercises to Help Prepare Your Cybersecurity Team”:
https://www.cisecurity.org/insights/white-papers/six-tabletop-exercises-prepare-cybersecurity-team
In this document they have prepared six different scenarios. A virtual CISO can help you run them, or you can try to conduct them on your own. Each scenario lays out an event that we’re going to pretend has happened within your business environment,
and then we talk through how people would respond to it:
- What do we need to do?
- Where do we go to find the log files?
- Are we even recording log files?
- Who within our team would we need to call for help as part of our response team?
- Do we have anyone under contract to come in and assist us with this event?
- What are our obligations under our liability insurance policy, and when do we have to notify the carrier?
- At what point do we escalate to management, and at what point does management notify the executives?
A lot of good things happen during a tabletop incident response exercise. They’re very conducive to the success and maturity of your cybersecurity program.
A virtual CISO can help here. Ideally the virtual CISO has been through cybersecurity incidents before and brings that experience with them.
For me, I’ve had a lot of failures, and I bring those failures with me. Things like, “I don’t want to do this again. I know that didn’t work. I know I dropped the ball here.”
Bring those failures forward and use them to help the client improve. Let’s use them for good; as one of my mentors says, never waste a good catastrophe. So, to recap before I pivot, here is how a virtual CISO can help you with your incident response.
At a high level, we can help build a policy or a plan. A plan is more important than a policy, unless you’re under regulatory requirements, in which case you need a policy too. But the plan is the priority.
And number two, conduct tabletop exercises. I’ll pivot on this one a little, because there are really two different types of tabletop exercises that I’ve seen grow out over the last couple of years. When we started, we as cybersecurity professionals were still part of the technology group.
These incident response tabletops were conducted within that technology group; that’s where they were born. And it’s still a really good place to start an exercise today, because you’re going to need technical resources.
The questions above set the foundation for how we respond to an incident. But in the last couple of years we’ve also matured, and we now want to conduct what we call C-level incident response exercises. These involve business-level executives and stakeholders. They get those people in a room to talk about the risks, the incidents that could happen, and how they want to handle them,
and what different people’s roles and responsibilities are during an incident. So the questions and the scenarios are very different. Looking over at one of my C-level incident response tabletop exercises, one scenario is that a partner, think of a business partner, receives a branded phishing email.
A partner of your company emails you to tell you that they’ve been hacked. They explain that they recently received an invoice from you, paid it, and it turns out the money went to a different account. I’ve been here, and what happens is they point the finger at you: they tell you that you’ve been hacked and it’s your fault they paid a bogus invoice. Until the evidence is in, nobody actually knows whose mailbox was compromised, or whether anyone’s was. This is not a technology problem.
Technology will be involved in a C-level incident response exercise, but it really needs to be a business stakeholder conversation:
- Who at the company will take the time to understand what happened and write a summary, and who is going to communicate with this partner and act as the liaison to them?
Let’s pivot to a different scenario: let’s say privacy records were stolen from your company.
- Who at your business has the responsibility to notify the relevant privacy regulator and report it?
- At what point do we notify the people whose privacy data was stolen?
- What are we going to offer them?
- How do we set up a hotline? How do we set up an email account for inquiries?
- How do we track our remediation efforts?
- How are we going to track costs?
- At what point should we escalate to outside legal counsel?
Those are good questions for the legal team.
Sometimes they want to handle these themselves. Often they’re already stretched thin, and during an incident they really want to bring in outside counsel to help with those types of things. So just to recap: number one, build an incident response plan.
Number two, conduct incident response exercises, at the technical level and also as a C-level exercise. I hope that helps explain how incident response planning with your virtual CISO can help.