Wargames: Preparing the C-suite for cyberthreats
By Benjamin Cher March 29, 2016
- Not just financial damage, but reputational too – which leads to even deeper losses
- Wargames and sims help senior management hone their defences and responses
WITH quite a number of high-profile breaches these days, it is clear that most companies are unprepared and unable to cope.
In today’s hyperconnected world, a breach can not only cause financial damage, but also reputational damage – and the second can result in the loss of customers and even more financial damage in the longer term.
It’s a downward spiral, which makes it all the more important to have the appropriate cybersecurity posture in place, according to John Michael McConnell, senior executive advisor at management consulting firm Booz Allen Hamilton.
“Look at the companies which have been breached and look at what happened to their brand,” he argues, speaking to Digital News Asia (DNA) in Singapore recently.
“Once you have been breached, you will have a customer issue, a stockholder issue, a regulator issue, and so on.
“It is important to have an appropriate cybersecurity posture that, as a minimum, meets or exceeds the standards of your sector, and which can help protect your brand,” he adds.
Senior leadership at companies is now becoming more sophisticated when it comes to cybersecurity – some are actually participating in simulations and ‘wargames’ to prepare and plan for such incidents, according to McConnell.
“They have heard all the horror stories … and there has been a series of assessments to evaluate the state of their industry and how they compare with others in the industry.
“I’ve seen a lot of wargames and simulations where you take the senior leadership into a controlled environment and subject them to a breach or the consequences of a breach, and see how they deal with it,” he says.
Something will always fall through the cracks, so such exercises are useful to test plans and improve them for real breaches.
This also helps organisations prepare for the other aspects of a breach: The aforementioned customer, legal, regulatory and law enforcement issues.
The simulations can also help answer the important questions that arise from a breach, according to McConnell.
“How would you test out these things? Is it good to put it under privileged information? Would you bring in an outsider? What is your responsibility or responsibility to law enforcement?
“There have been debates on whether one should call in law enforcement after a breach is detected. Is it to your advantage or disadvantage?
“Because when law enforcement comes in, they would want to quarantine everything and take control.
“Stressing that in a simulated environment is a huge learning tool,” he adds.
Building on frameworks
While simulations are useful in putting plans to the test, these plans need to follow security frameworks to ensure their viability.
In February 2014, the US National Institute of Standards and Technology (NIST) issued the NIST Cybersecurity Framework, which gathers global standards and practices to help organisations understand, communicate, and manage their cyber risks.
However, this framework would need time to evolve and benchmark against higher standards, argues McConnell, who was director of the US National Security Agency (NSA) from 1992 to 1996.
“GAAP (Generally Accepted Accounting Practices) evolved over time, and the NIST’s is a good starting framework; it was done by consensus,” he says.
“It is a great start, but it will evolve and become a much higher standard over time, once it has been tested,” he adds.