In Parts One and Two of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks and preparedness, as well as a slightly deeper look into planning — both preparedness and operational planning — to minimize the likelihood and impacts of the undesired threats that have the potential to develop into disruptions and other “unwanted outcomes.” Such outcomes could impact organizations’ people, information, operations and/or facilities, and it is our goal to be ready and resilient — ideally preventing the incidents, but, more in some cases, minimizing their impacts and facilitating a quick return to normal operations.
One approach to supporting preparedness — which we defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — is to apply a deliberate process to reduce our risks. That deliberate process is the Preparedness Cycle. As we continue through that Cycle, we now move on to the next step in the process – Organizing and Equipping. I often feel like this step is an unloved child in the preparedness family — frequently glossed over as planning, training, and exercise usually get more attention. In reality, this step is critical and is more present in our day-to-day operations than the rest of the preparedness activities.
FEMA states that, “Organizing and equipping include identifying what competencies and skill sets people delivering a capability should possess and ensuring an organization possesses the correct personnel. Additionally, it includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability.” And for our purposes, we’re focused on cybersecurity, which FEMA describes as the core capability focused on protecting “(and if needed, restore) electronic communications systems, information, and services from damage, unauthorized use, and exploitation.” There is absolutely no way we will succeed in achieving that core capability if we do not have the right people and equipment in place.
So where do we begin? Well let’s start with some reality checks and then let’s move on to ice cream, a far more enjoyable topic!
- Reality Check #1: There is no silver bullet and no automated solution that will alone protect your network and information.
- Reality Check #2: Intelligence and information — even deep web and dark web intelligence — are useless unless they are understood, analyzed and applied towards decision-making and action – primarily in the form of preparedness and operations.
- Reality Check #3: No two organizations are the same. Some are alike — based on size, industry, clients, etc. — but they’re not the same. In most cases, their organization and equipment needs may also be alike, but not the same.
- Reality Check #4: Security will require an appropriate blend of technology and human resources.
And an important note, when we speak to “equipment” here, for organizations looking to address their cybersecurity preparedness, it is not just hardware but also the software, technology and services we may apply towards our security operations.
With that – to ice cream! I’m a big fan of ice cream. Seventy-five percent of the reason I workout is probably to indulge in an extra scoop of delicious creamy heaven. I like almost every flavor and am open to nearly every topping – there are a lot of great combos I can enjoy! But for me, for my tastes, it is tough to beat three scoops of chocolate chip cookie dough ice cream coated with a generous portion of shredded Heath Bar and just the right amount of caramel and fudge. Oh, yes, that does it. But that’s me. You may be a chocolate or butter pecan person. Or a marshmallow or peanut butter sauce person. Maybe you like the combined flavor of strawberry ice cream with pineapple sauce on top. The potential combinations are endless and there are probably many that would be to your liking, but probably one or two you really, really like. And, over time, maybe your tastes change. Maybe a little more fudge. Maybe switch out the mint chocolate chip for pistachio … as your needs change, so too must your ice cream sundae!
And so it is with security. There are a lot of great tools and resources out there. Some awesome technology solutions and some great talent. But not all are right for you and your organization and those that work today, may not fit tomorrow as your organization, and the threat environment, change. As you try different things to get to know your likes and dislikes with your perfect sundae, so too must you sample and experiment with the right composition of human and technology resources for your cybersecurity in order to achieve the desired capabilities. And to the aforementioned idea that, organizing and equipping “includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability,” we need to think of potential areas where we may need enhanced support. Perhaps if we suspect we have malware on our network or if we experience a data breach. Wherever we assess risks that we want to be able to operationally address (as opposed to something we’d accept and address via insurance, for example) and do not have the organic in-house capabilities, we need to be able to surge, with internal or external resources, to meet the potential situation.
In addition to our preferences, we also have to respect competing demands and requirements. Whether buying ice cream and groceries or security solutions and hiring talent, we have to respect the constraints of our budgets and choose smartly. I need to both eat and maintain security daily. Sometimes we can buy steak, sometimes we can’t. But we can eat. With security, maybe you can’t get that sophisticated phishing training service you wanted right now, but you can put together an in-house threat awareness program and threat identification and reporting incentive program. Maybe you can’t hire a malware analyst right now, but you can register with the FBI and submit issues into their iGuardian program or join your appropriate information sharing group and leverage their resources and capabilities. In organizing and equipping, as with all preparedness, we should start with basic steps and progress towards a desired endstate. Maybe the goal is a world-class security operations center with validated incident response capabilities. Great! But maybe that starts with some free, basic subscription services, portal registrations and hiring a junior analyst. How fast, and how robust, need to be based on your organization, your risk assessment, your available resources and your goals.
That being said, of course (!) you should consider SurfWatch Labs’ Threat Analyst and Cyber Advisor products and Gate 15’s support for your cyber exercise program … of course, of course, but you already knew that those were as critical to your security sundae as the ice cream itself!
The process of organizing and equipping – like all aspects of threat, risk and preparedness management, is continuous and needs to be regularly reassessed. As you continue into the Preparedness Cycle, as you run drills and more complex exercises to test your team and processes, and as you encounter real events and incidents, there will be numerous opportunities to document successes and opportunities for improvement. These should help you refine your people and processes, and your organization and equipment as well. But, before we get into exercises, we need to give our personnel effective training on the plans, procedures, systems, and equipment we have in place. And that will be the subject of the next installment in this series!