With great technology comes great responsibility -- and new risk. Virtually every company will experience a successful cyberattack. What cybersecurity framework "must haves" should your company ponder to achieve cyber resilience? Let's dig in.
Cyber: the good, the bad, and the ugly
Today, all organizations depend on technology, the digital engine driving their day-to-day operations. In addition to IT systems, technology underlies organizations’ various support systems: security, elevators, fire detection, even risk and crisis management. So much is software- and network-driven. Technology, a great enabler, also exposes organizations to additional, often unexpected, risks.
No matter the size or type of organization, cybersecurity threats are mounting. They come in multiple forms, including identity theft, malware, ransomware, cyber espionage, and IP theft. Cybercrime costs nearly $600 billion globally per year according to recent McAfee estimates.
The 2017 Equifax hack (in which sensitive information concerning 143 million Americans, was stolen) had great visibility, but an iceberg metaphor is appropriate: Equifax was just the tip of the cyber-threat iceberg.
Identity-theft cyberattacks alone in 2018 affected more than 1.7 billion people – each one a customer of a hacked organization that suddenly found itself in a crisis. And of course, identity theft is only one variety of cybercrime.
What if there were a comparable cyberattack on your organization? What if your customers’ credit card information were stolen? The breach could harm all your customers (millions, for larger organizations), endangering your organization’s reputation and its finances.
What may begin as a departmental cybersecurity problem can quickly mushroom into a company-wide crisis affecting share price, customer relations, government relations, vendor relations, and even the viability of your organization to continue conducting business.
Considering the enormous damage to a company’s reputation and finances that cyberattacks can unleash; strengthening your cybersecurity framework and getting it to work as part of the organization’s overarching crisis management system becomes a pressing necessity.
Five “Must Haves” for a More Resilient Cybersecurity Framework
Below are five “must haves” that will help you achieve cyber resilience for your organization, and consequently enhance your organization’s overall crisis preparedness:
1. You MUST HAVE Cybersecurity Program Standards in Place
The first “must have” is standards, including cybersecurity best practices. These are promulgated by and readily available from the National Institute of Science and Technology (NIST), the International Organization for Standardization (ISO)The Open Web Application Security Project (OWASP). Many IT teams are already familiar with these cybersecurity best practices, since some 64 percent of organizations have adopted at least some of the NIST standards.
Adopting all the standards is costly, so many organizations will need to pick and choose which standards they can reasonably adopt. But there is one fundamental standard that goes to the heart of a cybersecurity framework, which every organization can and should adopt: Cybersecurity must reside within a broader context of an enterprise-wide crisis management system.
NIST’s Framework for Improving Critical Infrastructure Cybersecurity emphasizes this point in its list of attributes that characterize the most mature state of cybersecurity:
- Cybersecurity risk management is part of the organizational culture.
- The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions.
- Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risk
- Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances.
The importance of integrating the departmental cybersecurity team with the organization’s overall crisis management system should be obvious: When a cyber breach steals your customers’ credit card information, you’ve got far more than a cyberbreach problem. The survival of the entire enterprise is at stake.
You can learn more about the NIST framework from this NIST video:
2. You MUST HAVE Integration of the Cybersecurity Framework with the Organization's Crisis Management System
The NIST model of full cybersecurity maturity makes clear the importance of making cybersecurity a crucial element of the overarching organizational system. Actually achieving that goal requires commitment – both from the senior management making up the crisis response team and from the IT/cybersecurity department.
They begin by integrating their technologies. Digitized cybersecurity-related plans need to be integrated into the crisis management platform being used by the organizational response team to manage a crisis.
The best mobile apps are designed to interact easily with various types of technology infrastructures, including departmental cybersecurity response plans, databases, etc. Integrating cybersecurity departmental risk management and response plans into the wider organizational crisis plans and its technology-driven crisis management processes formally makes cybersecurity part of the enterprise-wide crisis management system.
In the scenario of a cyberattack stealing your customers’ credit card information, the departmental cyber response plan would be executed in concert with the bigger-picture, organizational crisis plans.
Cybersecurity activities would be closely coordinated with the senior management making up the crisis team at the center of the organization’s crisis management system. The IT department would need to equip crisis team members fully in order to address the myriad operational and stakeholder communications challenges successfully that stem from the cyberattack, which is now afflicting the entire organization.
To work effectively together, the organizational crisis management system would need to have a constant flow of information both to and from the IT/cybersecurity team. Their collaboration is crucial, and admittedly burdensome, because while informing the big picture, the cybersecurity people are actively engaged in trying to understand how the breach occurred and figuring out how to remedy the situation.
But their efforts are well worth it, because collaboration of the cybersecurity team with the organizational crisis management team will enable team members to develop more powerful crisis management strategies, messages, and tactics.
They’ll engender a customer relations strategy, an initial holding statement for the media, a strategy for dealing with an angry social media onslaught against the organization, a letter to shareholders, and so on – all informed by the IT/cybersecurity team.
3. You MUST HAVE an IT/Cybersecurity Expert on the Overall Crisis Team
In the case of a cyberattack, the organization’s top IT/cybersecurity expert would obviously be the go-to subject matter expert, but would also be playing a key role in just about any other kind of crisis. Even when a crisis appears to be unrelated to cybersecurity, IT professionals will be involved. In nearly any crisis, there is a technology component, and so an IT/cybersecurity person should be on the overall crisis team.
At the very least, the IT people will probably be asked to set up or beef up monitoring of news media coverage and social media. News coverage and social media directly affect crisis management actions, while simultaneously serving as indicators of crisis management progress.
All too often, IT professionals are disconnected from the organization’s senior leadership and crisis management system. Facebook is a prime example of how that disconnect can create challenges. As the New York Times wrote in its exhaustive coverage of the handling of the Facebook cyberbreach:
It was September 2017, more than a year after Facebook engineers discovered (emphasis added) suspicious Russia-linked activity on its site, an early warning of the Kremlin campaign to disrupt the 2016 American election. Congressional and federal investigators were closing in on evidence that would implicate the company.
At some point in a cybersecurity crisis, the organization’s crisis team may decide it’s necessary for the IT/cybersecurity expert to speak directly to the media about the breach. No one should ever be assigned such a weighty task without first undergoing training and rehearsal to ensure that the organization’s messages about the crisis are strategically sound and well-delivered. Any misstep in front of the media could exacerbate an already difficult situation.
4. You MUST HAVE Regular Evaluations in the Form of Exercises to Validate That Your CyberSecurity Program Works With Organizational Crisis Plans
The crisis plan and response team are at the core of the organization’s crisis management system. A third component of that core is the commitment to continuous evaluation and improvement. An organization can only be at peak readiness if it’s regularly evaluating and improving its plans and the performance of its crisis team.
The most effective way to evaluate and improve cybersecurity response plans, to assess how well they mesh with the bigger picture of organizational crisis management, is to conduct a simulated cybersecurity crisis exercise in which the organization as a whole is impacted by the scenario.
The exercise will test not only the cybersecurity plan, but will also test that it closely integrates with the overall crisis plan and properly leverages the response team and its crisis management technology.
Exercises can range from the simple to the elaborate – from an orientation seminar to a “tabletop” exercise all the way up to a full-scale exercise that could include outside agencies, such as law enforcement. Whichever type is chosen, exercises are the only way, outside of an actual crisis, to test and improve a cybersecurity framework and how well it meshes with the overarching crisis plans and responses of the organization.
The following slideshow from PreparedEx shares more detail around creating a tabletop exercise:
5. You MUST HAVE Integration of the Cybersecurity Team with the Organizational Crisis Management Team's Technology Platform
At the core of the organization’s Crisis Management System are three components: a crisis plan, the response team, and their evaluations. They are bound together to work in harmony by a technology infrastructure which includes software designed specifically for managing a crisis.
The crisis response team members should be using a mobile crisis management app that can alert and convene their team in seconds, no matter where team members are in the world. The app enables them to work together seamlessly and with much less stress to manage the crisis. It also enables team members to manage information flow, assign tasks and track progress, and all this while automatically archiving all crisis-related activities, communications, documents, and other materials. The archived materials are an invaluable resource for assessing and improving both the plan and the team. Cybersecurity people should be integrated with this mobile app to streamline and coordinate all of their departmental communications and activities with the organizational crisis team.
Achieving Cyber Resilience With a Platform-enabled Cybersecurity Framework
Most organizations’ IT departments have at least some cybersecurity safeguards in place. Some may even have state-of-the-art measures in place, and they know how to respond to any cyber contingency. But to be maximally effective, cybersecurity measures need to be positioned within a larger cybersecurity framework – a framework able to interface effortlessly via technology with an entire organizational system of crisis management.