In part one of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks, and preparedness. Recognizing that there will be undesired threats that develop into disruptions and other “unwanted outcomes” impacting our organizations’ people, information, operations, and/or facilities, we want to be ready and resilient — ideally preventing the incidents, but more likely trying to minimize their impacts and facilitating a quick return to normal operations. To support that, we can apply a deliberate process of preparedness to address our threats, physical and cyber, and reduce our risks – the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”
We defined preparedness as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response. This post addresses the first step – planning. There are actually two important aspects to planning – Preparedness Planning and Operational Planning — and ideally, an organization will do both.
There are a number of ways to mitigate risks. In some instances, we assess the risk as low or the cost of mitigation as too much, and we decide not to do anything at all, accepting the risks and moving on. In some cases, we get insurance to help manage the potential consequences of an incident. In some cases, we determine to take preparedness actions to decrease risks. In those cases, preparedness – planning, as well as training and exercises – needs to be thought of like insurance in that you don’t pay insurance once and stop. You pay it month in and month out, use it or not. Same thing with preparedness. It needs to be scheduled and recurring. Plan for it, do it regularly, keep doing it. With our insurance bill, we plan for it, allocating time and resources to make sure we pay it. Again, with preparedness, we need to plan our activities and set aside the time and resources to conduct them.
Ideally, organizations will have a preparedness champion who can help develop and maintain a multi-year training and exercise program. This program – informed by a prioritized assessment of risks — should detail a training schedule and progressively challenging exercises over a few years’ period. It’s not set in stone and needs to be flexible enough to be updated as threats evolve and risks are regularly reassessed. However, the near-term events should be locked in, with events further away scheduled, but tentative, pending confirmation or refinement. Developing a multi-year preparedness program helps protect time and allows leaders to plan for and commit funding to support the activities. Even if the details of an event change, the time and resources will be there.
In cyber preparedness, we may, for example, assess that our greatest risk is a significant data breach. And let’s say Johnny has been assigned as our Preparedness Champion. Johnny, taking his task seriously, investigates and finds that there is no plan for responding to a data breach. As such, he determines this is a priority. He talks to his leadership team and they determine that their goal is to have a validated process for responding to a data breach in 18 months. Wait, what — 18 months?!? Well, as with insurance, most of us don’t make one payment annually; we break it out over a manageable schedule and period of time. To be realistic, preparedness has to be approached similarly. Now, priority efforts may be addressed more aggressively, and some things taken much slower, but that is a decision that leaders need to weigh in on – informed by a sound understanding of the threat environment and based on a prioritized assessment of risks. For example, after the recent WannaCry outbreak, some leaders may be reassessing their patching processes and wanting to fast-track and exercise new processes and procedures. Returning to our champion, Johnny develops a series of scheduled, progressive activities to plan, train staff, and exercise the data breach response plan, going from developing a plan, to conducting staff training, to a series of increasingly challenging exercises – a tabletop exercise, a drill, and a full-scale response – all completed within the specified 18-month period. Johnny documents his plan, gets leadership approval and resources, and executes, leading his team to the desired state of readiness by the required suspense. Good job, Johnny!
Operational planning is the actual development of plans and procedures. There are different levels of planning and though they may sometimes be given different names, the four basic types of planning are: strategic, operational, tactical, and contingency. Some may have additional steps, use different names, or stack them in a different order. For purposes of simplicity, we’re not going to address strategic planning, and for this discussion we’ll roll the rest up under operational planning – by which, in this context, I mean the development of plans and procedures. This is when the organization develops the plans and procedures that they will use to train their personnel and on which they will actually base their response actions. The National Incident Management System notes that, “All emergency management/response personnel and their affiliated organizations should develop procedures and protocols that translate into specific, action-oriented checklists for use during incident response operations.”
To develop his plans, procedures, and checklists, Johnny didn’t know where to start. So, he did the smart thing and looked for viable templates that he could work from, such as those provided by the Federal Trade Commission or the European Union Agency for Network and Information Security. He refined these plans to fit his organization, their people and capabilities. Along the way, Johnny also conducted several interviews to inform his draft plan. And, while we’re not at the part of this series addressing exercises yet, Johnny was. He even conducted a tabletop exercise to validate his draft plan! We’ll come back to that in part five of this series. When he was done, Johnny was able to provide his coworkers with a well-thought-out, validated data breach response plan and corresponding actionable checklists.
An important note: there are too many variables for any organization to address every possible threat or variation of an incident. In both physical security and cybersecurity, and for pandemics and other threats, it is great to have detailed plans and protocols. However, no organization can get to a 100% solution for every situation. Having plans is important but so is building in flexibility and innovation. After hearing from some of the more experienced team members, Johnny developed a basic incident response plan, accepting that he and his co-workers would have to be able to adjust to the reality of events “on the ground.” Your plan is almost never going to be based on the exact situation you find yourself in. Plan well, be deliberate, but also be prepared for a little bit of backyard football, being able to make game-time decisions when needed. Matt Stafford’s coaches don’t tell him to throw that sidearm ball, but sometimes, he has to adjust to get the ball in his receiver’s hands. Know the right form, but be ready to toss the sidearm when you have to.
In the next installment of this series, we’ll take a look at the next step in the Preparedness Cycle – organizing and equipping.