Returning to our ongoing series on Preparedness, this post addresses what is probably the most fun part of preparedness — exercises! A championship football team needs to be complete — with great linemen to fight in the trenches, defensive players to dominate their side of the ball, skills players and special teams to razzle and dazzle and put up points, and then there’s the quarterback — the attention getting centerpiece of nearly every team. Champions in preparedness also need to have success through every part of the Preparedness Cycle — the continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — but exercises, like quarterbacks, seem to always garner a lot of attention and can be seen to make or break the rest of the program.
To help highlight some areas with expert insight, I’ve asked a colleague to share some wisdom as well. Several areas below include comments from my colleague, Gary Benedict, who serves as the Section Chief of the Department of Homeland Security’s National Cyber Exercise & Planning Program.
What Are Exercises?
As we have noted in previous parts of this series, our focus on preparedness is to effectively support our efforts to reduce organizational risks — the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.” Exercises play a critical role to that end. The Homeland Security Exercise and Evaluation Program (HSEEP) defines exercises as instruments “to train for, assess, practice, and improve performance in prevention, protection, mitigation, response, and recovery capabilities in a risk-free environment. Exercises can be used for testing and validating policies, plans, procedures, training, equipment, and interagency agreements; clarifying and training personnel in roles and responsibilities; improving interagency coordination and communications; improving individual performance; identifying gaps in resources; and identifying opportunities for improvement.”
HSEEP “provides a set of guiding principles for exercise programs, as well as a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning. … Through the use of HSEEP, exercise program managers can develop, execute, and evaluate exercises that address the priorities established by an organization’s leaders. … These priorities guide the overall direction of a progressive exercise program, where individual exercises are anchored to a common set of priorities or objectives and build toward an increasing level of complexity over time. Accordingly, these priorities guide the design and development of individual exercises. … Through improvement planning, organizations take the corrective actions needed to improve plans, build and sustain capabilities, and maintain readiness. … HSEEP exercise and evaluation doctrine is flexible, scalable, and adaptable, and is for use by stakeholders across the whole community.”
I really appreciate the HSEEP methodology because it is logical, repeatable, helps us all use common terms, and is flexible. FEMA has written, “Exercise practitioners are encouraged to apply and adapt HSEEP doctrine to meet their specific needs.” We won’t get into all the weeds of exercises here, but the current version of HSEEP can be accessed here and I encourage anyone involved in the planning of exercises to take time to get familiar with this document.
Types of Exercises
When we look at the Preparedness Cycle, exercises are usually placed in the sequence noted above — planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions. That is the right place for them to be; however, they may also be used to help inform planning and can be very effective for that purpose. One important idea to understand is that an effective exercise program should progress through a series of successive and increasingly complex exercises leading up to the desired level of proficiency and preparedness. “This progressive approach, with exercises that build upon each other and are supported at each step with training resources, will ensure that organizations do not rush into a full-scale exercise too quickly. Effective planning of exercises and integration of the necessary training will reduce the waste of limited exercise resources and serve to address known shortfalls prior to the conduct of the exercise” (HSEEP).
In planning the progressive schedule of exercises, it is important that exercises are conducted at a cadence that allows organizations to learn from previous exercises and make appropriate procedural refinements before engaging in more challenging exercises. This can be a particular challenge for large organizations with broad regulatory accountability, especially ones that are also trying to support external exercises such as with government or their information sharing communities. Exercise planners often know where some of the likely trouble areas for an organization may be — for many exercises capabilities such as communications and planning repeatedly come up, for example — and should work with their organization to provide enough time to learn and improve before progressing to more complex activities and repeating the same mistakes.
From his years of experience in cyber and physical security exercises, Gary adds that the progressive, “building block approach should be documented into a multi-year Training and Exercise strategy (which we referred two in part two of this series under Preparedness Planning). A critical component to the success of this approach is also having senior leadership approval and buy-in. Exercise strategy can be influenced by organizational ongoing risk analysis, so exercise planners should allow some flexibility in the strategy to be adjusted as the risk landscape evolves.”
What follows are brief descriptions of the different exercise types, and some ideas on how they may fit into a cybersecurity exercise program. To do that, we’ll continue the adventures of our Preparedness Champion, Johnny, and his company Acme Innovations (see previous blogs for reference).
If you recall from our previous post on training, Johnny and his colleagues at Acme Innovations had identified the threat of ransomware as a very concerning risk for Acme. In the next installment of this series we’ll be looking at the different exercise types as we consider some of the ways Johnny may develop a progressive exercise program to build preparedness and be ready for a potential ransomware incident.