Incident Response Exercises Not Taken Seriously by Business Leaders

Only 2% of organizations have run incident response scenarios related to the pandemic response.

According to research by Immersive Labs of 402 organizations, nearly 40% are not fully confident in their teams training to handle a data breach if one occurred, and 65% of exercises consist of reviewing PowerPoint slides.

In an email to Infosecurity, Heath Renfrow, director and vCISO at the Crypsis Group, said incident response is one of the pillars of a sound information security program, and it needs to be taken more seriously—not only among the organization’s information security team, but all the way to the CEO and board of directors.

“It is evident from the incident response cases we assist with daily that incident response is frequently viewed strictly as information security/IT’s responsibility, rather than from an overall business perspective,” he said. “This is unfortunate, because many across the business—from leadership to legal, communications and HR staff—have a potential role to play and can help influence better outcomes and the right cultural mindset to be better prepared for an incident.”

Renfrow said that to build stronger programs, incident response plans and playbooks should be developed and exercised at a broad company level — but that requires buy-in from the top leadership.

He recommended an approach, in order to achieve buy-in, to first run tabletop exercises just among the information security team to refine the plan, taking the lessons learned and updating the documents. Next, identify a “champion” in the executive ranks — a cybersecurity advocate who is influential among leadership and sit down with inside or outside counsel and discuss the various scenarios the company could face from a range of cyber-attacks and the ramifications of each (e.g. downtime, reputational loss, regulatory notifications, sensitive information exposed, etc).

“With that information in hand, security teams can work with their identified champion to get executive leadership educated on those risks and bought into an incident response tabletop exercise,” he said.

The Immersive Labs research also found that 61% of respondents think having an incident response plan is the single most effective way to prepare for a security incident, however when they do perform crisis exercises, nearly 40% of all senior security leaders surveyed said the last exercise generated no action from the business.

Also a quarter of organizations ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members.

James Hadley, CEO of Immersive Labs, said: “With three-quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.

“Dusting off the three-ring binder crisis plan does not cut it today. In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.”

Renfrow said a company-wide incident response exercise should include legal, HR, communications, and all senior business executives including the CEO, and should be focused on a plausible cyber-incident, for example, a ransomware attack, and walk through the chain of events and response by the entire organization. It should also include the steps needed to engage (as applicable) any retained cyber insurance companies, outside counsel, and incident response providers.

“These exercises truly do open the eyes of executive leadership, and most of the time they really start seeing cybersecurity as an asset to the business that is vital to the overall success of the organization,” Renfrow said.

What’s Hot on Infosecurity Magazine?