They’re Deep and Wide
Many organizations believe they’re fully prepared when a threatening incident occurs. But, more often than not, there are gaps in their preparedness. These gaps can be deep, wide and dangerous. They need to be filled before they cause an organization to trip and fall hard while responding to an incident.
Here are five commonly seen, potentially harmful gaps in incident response and how they can be filled.
GAP 1: CSO vs. CISO
A cyberattack on a power generator in the dead of winter shuts down power (and heat) to hundreds of thousands of homes. The cyberattack is now a physical attack.
A criminal steals an I.D. badge and swipes himself into a facility so he can insert a malware-infused thumb drive into the first USB port he sees. A physical security breach is now a cyberattack.
In a recent interview with Groupdolists, Mike Howard, former CSO of Microsoft had this observation: “In most enterprises today you see a physical security group and a separate IT security group. And most of them don’t integrate well. We’re seeing a gap in, what should be, holistic security for the enterprise.”
The Internet of Things has brought cyber and physical threats together, yet defenses against them are often operating separately. In the power grid hack and the badge swipe examples, who would be in control, the Chief Security Officer (CSO) or the Chief Information Security Officer (CISO)?
They may not know the answer themselves. Each may think he is in charge or may think the other person is in charge.
The result of this gap could be debilitating turf battles at the worst or lack of coordination at the very least. Either way, they’ll find it hard to speak in one voice to the incident response team—a recipe for a less-than-speedy, less-than-effective response.
Many organizations have unintentionally set up this CSO-CISO gap themselves because of their outmoded governance structure. They separate the two domains, when, in actuality, they are so intertwined as to make them practically one and the same.
Further complicating the governance issue is that the CSO and CISO are working with different budget allocations, with CISOs nowadays usually getting the lion’s share.
Closing the CSO-CISO Gap
The CSO-CISO gap has to be filled because whichever way the security of the organization is attacked, physically or digitally, CSOs and CISOs will certainly share the problem. They need to share the solution.
- Bridge the gap between CSOs and CISOs by first reviewing models of governance. Cyber and physical security need to form a coalition. They should not be following each other but, instead, should be sharing information with each other and speaking with one voice.
- CSOs and CISOs have the same goal, which is to reduce the company’s threats and respond effectively when an incident occurs. With that mutual mindset they can develop a shared view of the threats rather than seeing them only through one lens or the other.
- CSOs and CISOs both ultimately work for a “higher power” -- the individual or individuals who own the full risk. This realization sets the stage for advocating a revamp of governance models and fostering closer ties between the two teams.
- Change the language – “control” becomes “access.” Part of the conflict between CSOs and CISOs stems from the confusion they may have over who’s in control of any given situation. The two entities should change their “control” mindset and language to an “access” mindset, as Bacco convincingly argues.
- Allow both CSO and CISO teams mutual access to their devices, systems and physical locations. That access will help them speak in one voice to the organization’s incident response team. Their single voice, or their more closely harmonized voices, will result in a faster, more coherent incident response.
GAP 2: Cyberattack Insurance vs. Business
Mondelez International, Inc. v. Zurich American Insurance Company is the yet-to-be-decided lawsuit filed in Illinois Circuit Court in Cook County, Illinois, in October 2018. This gap between insurer and business client suddenly opened when Zurich American Insurance Co. announced it would not cover the losses Mondelez suffered in 2017, after a cyberattack by the infamous NotPetya virus.
Zurich’s reason? The governments of the US and UK had declared that the NotPetya virus was developed by the Russian government. That designation enabled the insurer to claim the breach was an “act of war” for which, under the customary “war exclusion” clause, claims are not paid.
Closing the Insurance-Business Gap: Wait and See
The gap between businesses’ needs and insurers’ growing concern over the rising volume of cybercrimes instigated by foreign governments will not be filled until the court decides the Mondelez lawsuit. And that decision could be appealed by either side, thereby prolonging the gap of confusion. Businesses and their insurers are closely watching, as the final decision could upend both sides.
On the plus side, the confusion and potential for companies not to be covered for a cyberattack may motivate them to double down on creating an internal insurance policy of heightened preparedness and incident response capabilities.
GAP 3: Government vs. Private Sector
For national security reasons the US government only shares cyber intelligence with the private sector when the company is a defense contractor. Conversely, private-sector companies that are not defense contractors are not sharing their cyber intelligence with government. This gap must be filled if both sectors are ever going to achieve optimal incident response.
Stevan Bernard, former EVP & Security Chief at Sony Pictures, during a recent interview with Groupdolists, said:
The enemy is a common one, and criminals and nation states are targeting some of the same things, whether it’s government or the private sector. …We’re facing the same enemy. We simply have to improve government-private sector communications on cyber-related threats.
Bernard’s warning comes from experience. It was during his tenure at Sony Pictures when North Korea hacked into Sony’s computers in response to the pending release of Sony Pictures’ comedy, “The Interview.” In the movie, the characters played by James Franco and Seth Rogen are sent by the CIA ostensibly to interview Kim Jong Un, but actually to assassinate him. The North Korean government didn’t think that was a funny story line, and so they took their cyber revenge.
It’s understandable that the cyber threats our government knows about are shared only with defense contractors with high security clearances. But what about other critical infrastructures within the private sector, such as power grid operators, banks and hospitals? What if, say, a power generating company was shut down by a hack from a foreign government? Our government should be sharing at least some intelligence with companies responsible for critical infrastructure. At the same time, the private sector may know things about cyber threats that they should be sharing with our government.
The Council on Foreign Relations has weighed in on this disconnect:
Critical infrastructure companies cannot be expected to protect themselves from adversarial nation-states without federal assistance. The U.S. government has experience running successful classified information-sharing networks, such as the one for the defense industrial base. It is time it did the same to protect financial, energy, and other private-sector companies critical to the functioning of the U.S. economy.
Closing the Government-Private Sector Gap
While the government-private sector gap is deep and wide, there is progress. Several forces are at work to expand the sharing of government cyber security intelligence with the private sector.
It starts with cybersecurity “best practices,” which are promulgated by and readily available from the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO). Many IT teams are already familiar with these cybersecurity best practices since some 64 percent of organizations have adopted at least some of the NIST standards.
“The ‘Cybersecurity Framework,’” says NIST, “is now used by 30 percent of U.S. organizations, according to the information technology research company Gartner, and that number is projected to reach 50 percent by 2020, as shown on the graphic.”
While an increasing number of companies adopting government standards for cyber security is progress in closing the gap, the Council on Foreign Relations wants to speed things up. In its May 2018 report, “Sharing Classified Cyber Threat Information With the Private Sector,” the CFR states:
As a crucial first step, the U.S. government should begin the targeted collection of intelligence on cyber threats to critical infrastructure. To disseminate this information, the government should establish security standards different from those applicable to defense contractors to determine who may hold clearances. …The Department of Defense already gives defense contractors intelligence on threats. Replicate some form of this arrangement with critical infrastructure companies. …
Although building a national classified cyber information-sharing network and expanding clearances introduce vulnerabilities, the potential benefits to national security outweigh the risks.
GAP 4: Values vs. Behaviors
One of the most disastrous types of crises a company can face is when it is found out to be involved with institutionalized illegal activity. Wells Fargo shocked the nation and destroyed its reputation in 2016 when it was found to have fraudulently opened some 3.5 million fake checking and savings accounts in the names of ordinary customers in order to collect millions of dollars in transaction fees.
And there’s VW’s dieselgate, where the company engineered so-called “defeat software” that would trick government regulatory testing equipment designed to determine the cleanliness of the emissions from VW’s diesel cars. The defeat software would trick regulators’ equipment to show the emissions were within acceptable pollution standards, when, in reality, they were well above the allowed standards.
ANY gap between a proclaimed “Our Values” statement and actual behaviors is a crisis waiting to happen. And when they happen they can be doozies: massive fines, criminal sentences, long-term lack of trust and a demolished reputation.
Closing the Values-Behaviors Gap
- Creating and nurturing a company-wide policy of ethical and safe behavior is not merely a nice-sounding thing to have. It’s mission critical.
- Empower employees to report unethical or unsafe behaviors with assurances that they will never be punished for their whistleblowing. “If you see something, say something.” Educate all contract workers on the policy as well. The divide that very often exists between the information given to employees and the dearth of information given to contract workers is another gap in need of filling.
- Conduct exercises on a simulated crisis scenario of rogue employees behaving criminally.
GAP 5: Gaps in the Incident Response System
You have an incident response plan. You have a team. But have team members ever actually worked together, let alone addressed a crisis together? No? Major gap. Have they ever tested the plans and their performance with an exercise? No? Major gap. And what about all their disparate technologies? Maybe they have a mass alert system. Is that integrated with HR’s roster of employee contact information? Are both those technologies integrated with your mobile incident response app? No? Major, major gap.
Closing the Incident Response System Gaps
Filling these gaps begins with a vision: organizations need to see incident response as a holistic system, a well-oiled machine of interconnected parts working together.
INCIDENT RESPONSE 3.0 is a system that brings together the plans, the team, and their continuous evaluation through exercises.
This core is surrounded by a cocoon of integrated technology, prominently led and coordinated by an Incident Management platform app. The app makes it possible to gather the team virtually, wherever they are in the world, synchronize and track all actions, enable the exchange of documents and other media, record all communications and archive everything for future reference and system improvements. (Reach out to us to learn more about how the Groupdolists platform can help you close this gap.)
The system must reside within a well-curated culture of incident awareness where employees understand their vital roles as the eyes and ears of the organization.
Closing gaps found within this model ensures smoother-running, faster and smarter incident response machinery.
Filling These 5 Gaps is an Ongoing Process
These five very distinct gaps in incident response systems are lying in wait to trip up an organization’s response. Filling them won’t be easy, or in some cases quick; it’s more of an ongoing process.
Some of the gaps, like the CSO-CISO gap or gaps in the Incident Response 3.0 model can be filled internally. Other gaps will require collaboration with external entities, like the government-private sector gap or the gap between companies and their insurers.
The bottom line is that we all need to be aware of these gaps so we can work toward filling them. Our goal is to achieve a unified, faster and more effective incident response and management system – with no gaps.