It’s irrational to expect people to perform effectively in a crisis if you’ve never trained them on their roles, responsibilities, and resources. Wise CSOs borrow a technique from the army and pre-emptively employ guided practice sessions to prepare their staff, superiors, and stakeholders on who does what, when, and why.
One of the most crucial tasks that every CSO/CISO has to accomplish is to train and qualify key stakeholders on critical skills like Security Incident Response. Specifically, the head of security has a vested interest in pre-emptively ensuring that all of the influential people who will be needed during a real-world security crisis have already practiced their respective parts before an actual ‘cyber emergency’ happens.
Take the public relations team, for example. While the security engineers are neck-deep trying to sort a massive DDOS attack or ransomware outbreak, the PR team will be under tremendous pressure to share information with regulators, customers, suppliers, and possibly the general public. They need to know what they can (and mustn’t!) say about what happened, what’s being done to sort it, and when the crisis will be resolved. Many of the security people who know the most about the incident will be consumed with the response. When should the PR team interrupt? What sort of content can they expect to get? Will there be time for editing and fact-checking? Or a legal review prior to publication? How often can they expect updates?
Now, consider the other key stakeholders: Legal, Finance, Procurement, Facilities, Human Resources, and Customer Service have unique roles to play and distinct information demands. They all need to know how and when they’ll get informed so that they can perform their own tasks. Then there’s the company leadership element: you don’t dare forget to let the owners, executives, or Board of Directors know what’s happening!
Allowing your top leaders to learn about a major security incident from the news media is probably the most efficient way to obliterate your personal and departmental credibility.
This is why real-world security incident response operations often get messy. If a crisis happens and the key players haven’t practiced their respective roles before, confusion sets in quickly. Well-meaning mistakes get made. Tempers can flare as good people get frustrated, confused, and misdirected. Trust fractures. Organisational cohesion frays (with potentially long-term consequences). This is the nightmare scenario that governance models, auditors, and experts all warn companies about. Be prepared … or else.
The military knows this all too well. Long before the Prussian military scientist Carl von Clausewitz described the ‘fog of war,’ soldiers understood how unit command and control would falter in the inevitable confusion that manifests when two opposing forces clash. That’s why military commanders go to great lengths to explain their battle plans to their subordinate leaders before a clash commences. Once the fight is joined, it becomes every leader’s duty to adapt and improvise based on local conditions to accomplish the overall objective. When leaders understand another leader’s role and intent, they’re far more likely to perform effectively in a crisis situation.
One of the most common planning tools available to soldiers in the field is the ‘sand-table exercise.’ The idea is simple: the senior commander gathers the junior commanders and staff officers together. They clear a space on the ground and then draw symbols representing the various units, terrain features, and objectives in the sand or mud (hence the name ‘sand-table’). The commanders and staff verbally walk through the battle from start to finish, each explaining what their respective force or function will do. The team explores a number of possible scenarios and agree to contingency plans (the ‘if-this-then-that’ variations). Each subordinate then goes to his or her own element to conduct the same sand-table exercise until every leader at every level understands what is expected.
The corporate world quite happily borrowed this technique decades ago. Teaching your critical staff members what to expect via a step-by-step walk through of a crisis helps everyone to understand the incident response process. Everyone gets a feel for who does what, and when they’ll do it. They also get to speak up about their own function’s special needs early so that the plan can be revised to ensure that everyone gets approximately what they need when they need it.
Critical supplies and resources often demand long lead-times and advanced prior coordination. You can’t just conjure up high-demand/low-density assets in the middle of a rapidly-evolving crisis.
Of course, modern corporate leaders don’t use actual sand to illustrate the components in-play during a ‘sand-table exercise,’ and instead reference the term ‘table-top exercise.’ These are guided discussions held in a conference room, an emergency operations centre, or even at the players’ work stations. There can be different levels of complexity and challenge depending on the organisation’s training needs. What’s important is that the people leading the exercise develop and achieve specific objectives for each exercise. These can range from ‘explain the security incident process to new people unfamiliar with it’ to ‘improve the communications flow between the SOC and the PR team during overnight operations.’
It’s important that every security organisation add these training techniques to their notional tool-kit. Either hire someone with extensive experience designing and orchestrating these trainings or develop an existing colleague into an expert ‘table-top’ moderator.  Then get to it. Hold basic exercises for familiarization and process orientation; intermediate exercises to teach specific threat scenario protocols; and advanced exercises to stress-test key stakeholders under arduous conditions.
I’ve heard sergeants-major and football coaches motivate their young charges with the aphorism ‘the more you sweat on the training field, the less you’ll bleed on the battlefield’ (or sport pitch). There’s a lot of truth to that saying. Table-top exercises are an exceptionally useful (and cost-effective!) tool for preparing your people for real-world crisis response. The better you train, the more calm and confident your people will be when the worst comes to pass.
 We’ll talk more on how to accomplish that in our next TEISS column.