Courtney Guss [00:00:00]:
Planning also includes prioritizing how you restore and recover and in which order systems come back up. And a lot of that should be driven by your resiliency plan, meaning these are the operations that matter most to my customers or the external market. And these are the systems I’m going to prioritize because of that business requirement. And so you don’t want to figure all that out in the middle of the crisis. You really want to have some of that stuff ironed out on the front end.
Karissa Breen [00:00:39]:
Joining me now is Courtney Guss, Director of Crisis Response at Sempris. And today we’re discussing why your crisis plan won’t always save you. So, Courtney, thanks for joining me and welcome.
Courtney Guss [00:00:54]:
Thank you. Thanks so much for having me.
Karissa Breen [00:00:56]:
Okay, so Courtney, there’s a little bit of research here that I’m aware that Sembra’s conducted. And I’m going to read some of these stats out, ’cause I want to start there. And research indicates that 97% of organizations say they plan and train regularly, as in train a crisis response plan or IRP, but 76% still got hit hard. So I’m curious to maybe know, people saying they’re doing the training, but then the 76% is still relatively high. Walk me through what’s going on here.
Courtney Guss [00:01:24]:
Yeah. Well, I think the training’s interesting because everyone defines it a little bit differently. And training doesn’t prevent the incident from occurring. Right. All it does is help us hopefully detect and respond and recover a little bit quicker. But if you’re only training once a year, which is typically how organizations define training regularly, it’s really difficult to be prepared. We all change roles, we change jobs fairly frequently within organizations. The organization and the processes itself shift.
Courtney Guss [00:01:53]:
And so if you’re only training once a year and you’re only training for one type of incident, you’re not prepared. There’s just no way to really understand what’s going to be coming through the door and how to plan and get the team ready for something like that when that incident occurs. If you’ve prepared for the right scenario, you can be prepared to make those quick decisions. But if it’s a scenario you’ve never seen before, it just creates chaos and confusion and you’re really just kind of flying by the seat of your pants at that point. I think that’s what we see most often.
Karissa Breen [00:02:23]:
Okay, so a couple of things in there. Would you say that people, going back to the 97%, obviously are people just doing, we’re going to say, tick box? People do it, is it because it’s kind of important? But then other things sort of come up in terms of smaller incidents that people have to deal with day to day, keeping their head above the water. Like you said, people move on, move jobs. Maybe the critical person that was working there for 20 years isn’t there anymore. So how does that sort of look, given your experience and your role?
Courtney Guss [00:02:51]:
That’s all of those things, I think. And I think also it’s tough to get everybody in the room for one day as well. And oftentimes we don’t even know what we should be practicing or where to start. And I think we almost overthink it sometimes. Rather than getting small groups together more frequently and doing lots of different practice scenarios and really just hoping to fail a little bit more. I think we try to structure it or over engineer it to the point where the group all has to get together. We’re practicing one big scenario and we’ve almost done made it so difficult that. And to your point, checkbox like that it becomes too cumbersome to do more often.
Courtney Guss [00:03:27]:
I think the best practice scenarios and the best exercise scenarios are the ones where we don’t do well. They’re scenarios we’ve never seen before. There are situations where the team has no idea what to do because then we’re really starting to ask and answer those questions of what would I do in this situation versus to your point with the checkbox, really just answering questions as they go along. So I think there is definitely a combination of resource constraints in our industry and then, you know, business constraints and then really just a lack of understanding of what the point of these exercises should be. And all of that coming together just creates, I think, a lack of effective exercising.
Karissa Breen [00:04:05]:
Okay, when you were talking, I was what was kind of my mind was, do you think people are just bored of doing the training? Like, I just have to be honest. Do you think they just couldn’t be bothered? There are other things that they could be doing. Is it banal for people, would you say?
Courtney Guss [00:04:18]:
That’s actually a good point. Yeah, I think it probably is. I think there’s definitely a component of kind of a lack of engagement when it comes to these things because A, they probably don’t think it’s ever going to happen or be needed and B, we’re not practicing the right scenarios so it’s not necessarily relevant to the people in the room. We also make these scenario situations or exercises so long that we do tend to lose people throughout the day if they’re not engaged or they don’t understand what their roles and responsibilities are. So I do think we get bored. And then that on top of our normal security training that we’re doing, on top of our day jobs. Yeah, I do think it can create some boredom and lack of engagement in that way.
Karissa Breen [00:04:55]:
Do you also think as well, perhaps going back to the scenarios, do you think some of them are a little outdated?
Courtney Guss [00:05:00]:
Yes, absolutely. Yeah. And I don’t think we’re taking a really critical look at what matters to the business when we plan these scenarios. At the end of the day, the question I always come back to is why do I care what matters to the business? What do I care about here? Because that’s the only thing that we should be focused on, not necessarily what you see in the news or what you read in a magazine. So it’s really important to look at your, your threat landscape, look at your risk management strategy and say, these are the things that we should be caring about and these are the scenarios we should be focusing on. It’s hard not to get caught up in all of the cyber attacks you see online and all the cyber attacks you hear about in the news. But at the end of the day, if those aren’t relevant or likely or probable to hit our business, then I need to ignore those. That’s just noise.
Courtney Guss [00:05:47]:
And I need to focus on what matters, if they are likely or probable. For instance, if I’m in the retail sector right now, I’m probably on high alert. Given all the retail sector attacks recently, then those are things we should focus on. And so just filtering out the noise, I think is really important and focusing on scenarios that, that matter to us.
Karissa Breen [00:06:06]:
Yeah. Okay, this is interesting. Okay, so then going back to the noise side of things, would you say that companies lack contextualizing what’s important to them, what’s relevant to them? So, for example, if you’re in retail and they’re giving you a scenario that’s sort of more geared towards manufacturing, that’s not really relevant, therefore you start to have the drop off, people not interested. Won’t happen to us because we’re not even in manufacturing, for example, why is that the case? Or would you say that people are just sort of ripping a random sort of plan, you know, or response off the Internet and so hoping for the best?
Courtney Guss [00:06:39]:
Yeah, I think a little bit of both. I think we aren’t looking at scenarios that are relevant to our industry for sure. And I think a lot of that takes discipline around understanding our risk management posture, understanding our threat landscape and taking a close look at what we should be focused on from a threat intelligence or threat perspective. But then the flip side of that is I think there’s a lot of pressure from leadership, from the board, from external stakeholders, when they see things in the news and they say, well, we want to, we need to do a scenario on ransomware or we need to do a scenario on this because that’s what they’re seeing. You have to have enough understanding and knowledge to push back and say, although those are relevant scenarios, we actually have greater risk over here. And this is what we’re going to focus on first. And so I think it’s a combination of the two. And then also not just picking a scenario to check the box.
Courtney Guss [00:07:29]:
It’s easy to say, okay, we’re going to do a ransomware scenario because that’s a huge concern and we’re just going to check that box and do that one thing. But we know that, you know, bot driven DDoS attacks are on the rise. We know that industry specific attacks are on the rise. There’s specific vulnerabilities that are being targeted. Are those more relevant for us in the immediate future? And those are things you have to be able to kind of triage and prioritize as well.
Karissa Breen [00:07:53]:
Okay, so going into this a little bit more because things change day to day. I mean I’m in media and I’m seeing things right across the world, what’s happening, it’s even hard for me to keep up. So for people that are trying to plan these crisis response plans, incident response plans, how do they make sure that the content relevant, the scenarios are relevant given things change day to day and to your point, to make sure that it’s relevant to those organizations in providing the right context, they have to sort of be on top of that. So we’re adding more then to people’s to do list with their already ever evolving to do list. So how does that sort of work then?
Courtney Guss [00:08:28]:
Oh, I don’t know to be honest. How do we get ahead of it? Right. I always feel like the bad guys are one step ahead. But I think just being aware that these scenarios need to be fairly agile and fluid and we need to start planning for a little bit more nuance. So I think oftentimes when we do these exercises or tabletop scenarios, we’re working almost in ideal state. So if I do this, then the next thing will happen and it moves almost in a linear fashion. But in reality, when we’re making decisions and we’re within a real organization or a real crisis, nothing moves in a straight line. So we need to start planning for, okay, if this doesn’t work, what’s plan B? And if that doesn’t work, what’s plan C? And I think there’s a maturity curve to that a little bit.
Courtney Guss [00:09:11]:
But I think once we start to think outside the box and have backup plans, for example, then I think you’re better able to plan for the scenarios you weren’t ready for. Meaning if you start to practice more often and more frequently and you start to get a little bit more comfortable with making a plan B decision or a plan C decision, even if it’s not great, it’s better than nothing, then when the scenario hits that you weren’t ready for, I feel like you’re a little bit more prepared to make kind of a quick, agile decision based on an educated guess rather than, I’ve never seen anything like this. I’m not prepared to think outside the box and I’m frozen kind of analysis paralysis.
Karissa Breen [00:09:52]:
Okay, so you said before more often or frequently. Now, I know this is a hard question, but do you have any sort of indicators? And I know it depends in companies and maturity and resource and financials and all those sort of things, but what would you say, as a rule of thumb, people should be doing probably at a minimum, given, you know, your experience?
Courtney Guss [00:10:11]:
I think we should be exercising quarterly at the very least. I have worked with a couple of organizations that actually meet and do small exercises monthly. That’s a pretty big commitment from the organization itself. But if you can pull four or five people off at a time, I think it makes it a little bit more manageable. And at the end of the day, we’re just trying to get people more comfortable with understanding their role in making quick decisions with limited information. We’re not asking them to be perfect. We’re not asking them to solve for everything. But chaos situations or crisis situations are scary.
Courtney Guss [00:10:46]:
And if you’re not prepared or you’re not comfortable in those types of situations, people kind of lean in. Some people fall back, then it becomes that much harder to work through. So I think just giving people the opportunity to have a voice, small groups also give more people a chance to speak and participate. So my recommendation is quarterly. If you can get to a monthly point, that’s great. That way you’re not pulling the same people off all the time, and then you’ve got to do the big exercise at least once a year where you’re bringing in leadership and senior management, but hopefully you’re not having to bring all of those groups in all the time if everyone underneath understands their role.
Karissa Breen [00:11:21]:
So then going back to the stat that I read earlier, around 76% got hit hard. What’s your definition of being hit hard?
Courtney Guss [00:11:29]:
That’s a good question. I think it really depends on what you’re looking at from business impact analysis. I think oftentimes when we think about incident response or crisis response, we look at the technical response. I think as an industry, we’ve gotten pretty good at really understanding how to respond and restore the technical side of the house that the systems itself. But we often forget about the ripple effect it has on the business. So if a system is down, you know, let’s say we work in financial services and all of a sudden customers can’t get to their checking accounts, or we work in retail and I can’t go online and make a purchase. That ripple effect, I think oftentimes the technical teams don’t recognize and the business teams don’t always understand how to respond because they don’t typically work in a crisis setting. So I think hit hard to me is business operations being disrupted for a length of time that’s unacceptable, meaning it’s down longer than customers or stakeholders are comfortable with.
Courtney Guss [00:12:28]:
And I think consumers are getting less and less tolerant of downtime. And on top of that, we’re not communicating externally or internally in a way to give people comfort that we’ve got our hands around the situation. And so sometimes I think these situations often look worse than maybe they are because we’re just not managing all of those different components very well. And then we’re also not focusing on the business impact. We’re focusing almost too much on the technical response.
Karissa Breen [00:12:54]:
Yeah, okay, so you made some great points. I was in an interview the other day and I was talking to someone around the consumers being, you know, more, I would say, patient around when a system’s down, something can’t work or an outage. So for example, I think what I suggested in the interview was recently, I live in Sydney metropolitan, part of Sydney, very close to the downtown CBD area. And power was out for like substantial amount of people in my area. And I was annoyed after like 30 minutes, like to an hour. I thought, like, this is terrible. I can’t do anything. Then I thought, imagine if that went on for 24 hours.
Karissa Breen [00:13:30]:
And then also the people that are around me, and how much of a flow-on effect. But I mean, even 10, 15, 20 years ago, you just accepted it. But going back to your point where people aren’t as accepting nowadays, as soon as a major bank here in Australia had an issue, straight away people are on Twitter, they’re complaining and all of that. So is that starting to get like. Are people going to start getting annoyed, Courtney, within like five to 10 minutes? As we move towards this pace of how we operate now, it’s not like, oh, okay, we’re going to be patient and wait like 10 minutes. For some people that feels like a lifetime.
Courtney Guss [00:13:59]:
Yeah, no, that’s a really good point. That’s funny. Growing up, you’re right. We’d have a power outage for a day and you wouldn’t think anything of it now. You’re right. 30 minutes feels like eternity. I do believe as consumers and just how connected we are from a technology perspective, we have become less tolerant. I also think stakeholders and investors are also far less tolerant.
Courtney Guss [00:14:19]:
And so we’re seeing this shift toward the need for resiliency. Right? That’s the big buzzword that you hear everywhere. And my first question to anyone when they use that term is, what does resiliency mean to you? Because I think everyone defines it a little bit differently. But to me, resiliency is maintaining some kind of operations during whatever technical issue you’re having. So it’s not necessarily that you’ve solved the problem, but that you’re really minimizing that disruption. So that outage is shorter in duration than maybe it would have been in years past, or you’re able to get websites back up and running faster, even if other systems are still down in the background. And so with consumers being less tolerant with how interconnected everyone is and how interdependent we are on those connections, I think businesses really have to shift to maintaining some kind of operation during whatever outage or technical issue that they’re having, whatever disruption they’re having. And I think that is going to be the norm.
Courtney Guss [00:15:13]:
I think we’re seeing in regulation as well, where they’re starting to require a resiliency plan because the world just is no longer going to allow you to have significant, you know, downtime. You can’t go offline for three weeks and hope for the best. So you’re going to have to maintain some kind of operations. And that does require planning. So we talk a lot about the exercising piece, which is a critical piece of preparedness and planning. Planning also includes prioritizing how you restore and recover and in which order systems come back up. And a lot of that should be driven by your resiliency plan, meaning these are the operations that matter most to my customers or the external market. And these are the systems I’m going to prioritize because of that business requirement.
Courtney Guss [00:15:56]:
And so you don’t want to figure all that out in the middle of the crisis. You really want to have some of that stuff ironed out on the front end.
Karissa Breen [00:16:01]:
Okay, so, Courtney, I’m curious to know. So in a crisis, obviously it’s easy when we’re sitting around a table, there’s nothing too intense happening. So stress. But then in a crisis, people will go, you know, freeze or fight. People have different responses. So how do people get to the point where it’s like, we’re going to be calm during this process? Because, again, it’s easy for us now to sit here and talk about it, but in a stressful situation, people change. And people don’t think as clearly as like, okay, let’s refer back to the plan and what we practice. How do people get to the stage? Or it’s like it doesn’t impact them, whether it’s training for the proverbial Olympics or they’re in the Olympics and it’s happening right now and the stress and the intensity is there.
Karissa Breen [00:16:41]:
How do people get there in terms of their mindset?
Courtney Guss [00:16:44]:
I think that practicing helps build a little bit of confidence and understanding that it’s okay if we’re not perfect during the response process. I think that’s a cultural shift, too. And that’s why I think it’s so important to fail during the exercises. And what I mean by fail is really identify the areas where we don’t have an understanding or confidence or a decision point made. That way we all know that we’re not going to be perfect when the real thing happens. But to your point, I think there are people that naturally step into crisis or chaos, and then there are some people that get very scared and kind of naturally fall back. Those are also things you want to try to identify during the exercise phase, not in a real situation. Because if that’s the point or the situation that they’re in or how they respond in those kinds of instances, then maybe you change the decision points that they’re responsible for or their role in that crisis response process.
Courtney Guss [00:17:36]:
So if you can really start to flush some of those things out on the front end, because some of those things are inherent in human behavior and you’re not going to be able to change them. But I do think a lot of it’s confidence, the confidence to have the authority to make a decision, the confidence to make a decision and maybe know that it’s not necessarily perfect, but it’s the best we can do. And the confidence to know that there’s a backup just in case, you know, that that decision doesn’t work. And I think some of that just. It just takes practice.
Karissa Breen [00:18:04]:
So the operative word that you use is backup. So I was watching a documentary the other day, and it’s quite interesting how they really went through if plan A doesn’t work and go to plan B, that fail C. Like, they had so many different scenarios. Now, admittedly, this is all they were doing each day. It was called for quite a sophisticated event that they were doing. But they even sort of stood up like a pretend sort of model, like people could actually be there in the real scenario. And obviously that’s a bit hard to do given we’re in cybersecurity. But would you say that people are not thinking about, if the plan A fails, we do have a backup, and then if so, when do we abort plan A and go to B?
Courtney Guss [00:18:43]:
Oh, 100%. And I think that’s probably one of the biggest misses in what we do in these exercises is really thinking about, what if this goes wrong, who has the authority to make that plan B decision, or what direction do we even go in? An example of that, I was working with a customer, and they actually were hit with a ransomware attack, which was unfortunate, and their immediate response was, we’re going to restore from backups, we’re going to pull from storage, we’re going to restore that way. Well, we all know in the industry that that can be very cumbersome and time consuming. I think that technology is getting tremendously better. But with that, having your only plan being to restore from backups can be really challenging. And at what point do you say, we’ve been down for too long? What’s plan B? What’s the business trigger to say we either need to pay the ransom or come up with some other kind of solution because our systems cannot remain down for any longer? So we started to think about, okay, if we can’t, and if we can’t restore, we’ve been down for several days, let’s pay the ransom. Okay, well, who has the authority to pay the ransom? And do we have the funds? Do we have the ability to actually transact in that way? And so because of those decisions not being made ahead of time, you’re kind of improvising. And I think there was a PwC study a couple of years ago that over 60% of organizations had to improvise in the middle of a crisis, which I thought was a staggering number.
Courtney Guss [00:20:04]:
So kind of really understanding that plan A probably won’t work all the time. And having some kind of a plan B, even if it’s just a decision point or someone who has the authority to make an alternative decision, I think is really important because at that point, systems were down, we weren’t sure who could pay the ransom or if we could at all, and now we’re completely stuck. It’s definitely not a situation you want to be in in a real life crisis.
Karissa Breen [00:20:27]:
So what do you think some of the indicators are when it’s like, okay, plan A is clearly failing, we should look going back to, we don’t want to have to improvise, but just say we’ve got a somewhat bit of a plan B. When do you sort of think, all right, now’s the time to switch and go all in on that plan, rather than people like, oh, you know, we still think we should go through to plan A, you’re always going to probably have some people that are, you know, lagging behind on that sort of second plan. So how, how do you talk me through that? How does that look like in your eyes?
Courtney Guss [00:20:55]:
I think you’ve got to have some kind of a reasonable escalation process internally to say, we’re willing to tolerate downtime for 48 hours. Outside of that, we need to start looking at a significant shift in our decision making. Or specific systems can only be down for one to two hours. And if it’s any longer than that, then we need to pivot to, you know, some kind of alternative backup plan. I think understanding when you create those business prioritization plans in terms of how you’re going to restore and recover, I think a key point is understanding how long you’re willing to tolerate those systems being down, because then that creates very clear triggers to say, we’ve been down longer than we’re typically allowed to be. We need to immediately pivot to an alternative plan. That decision point being clearly understood creates a very easy way to justify that decision. Which I think justification is really important because at the end of this incident, when you come out the other side, everyone’s going to wonder why you made certain decisions.
Courtney Guss [00:21:54]:
They’re going to say, well, why didn’t you do this? Or you should have done that. You know, hindsight’s 20/20, and I think if you can say, well, our tolerance for a specific system being down is three hours and we were at four hours, we made a decision to pivot. I think that’s a clear way to justify. Now, if you need to change that plan moving forward, you can. But at that point in time, you had a plan and you stuck to it. And I think those kind of clear triggers not only make the decision process much easier, but the justification. If you don’t have clear triggers for everything, because you won’t, again, we’re assuming that the scenario isn’t going exactly to plan and you’re having to pivot, then at least understanding the critical business operations it’s tied to. So that way you can say, well, this was tied to our critical operations that drive, let’s say you’re in a healthcare system, that drive patient care, then you can clearly make a decision that’s easy to stand behind and you can justify that.
Courtney Guss [00:22:49]:
And I think if you can’t pre plan that decision point, then you need to come up with a reasonable way to justify why you’re doing what you’re doing.
Karissa Breen [00:22:57]:
Okay, so the word justification, I want to hone in on this a little bit more. Would you say, generally speaking, so you said it so with conviction before you said, okay, well, three hours was, you know, the tolerance we’re at four, we need to move. But would you say, Courtney, with what you’ve seen in your career, people aren’t that confident in their justification or how they got to that sort of outcome or why they made that decision.
Courtney Guss [00:23:20]:
Like, generally speaking, no justification and having that plan in place is definitely ideal state. I think when we plan ahead of time, if we can think through those questions, it does help build in a little bit of justification and credibility in our plans as well. Those are typically, you know, organizations that are a little bit more mature that have those justification plans in place. Anytime we look at risk management and risk mitigation, you have to think about why I’m making that investment or why I’m making a change and why I believe it reduces risk. And I think this is the same meaning. We’re looking at a scenario and we’re saying, I’m trying to minimize the impact to the business as much as possible. And if I think in those terms, does my decision drive that reduction in impact? Does it drive a reduction in risk? Does it help my business operations return to normal sooner? And I feel like if I can ask myself a few of those questions, even if it’s on the fly, I’m better off than just making decisions without any kind of framework behind. So I think some of that’s practice and some of that’s a culture shift internally as well.
Courtney Guss [00:24:28]:
But whether you’ve got it preplanned or whether it’s just kind of ingrained in your head to ask yourself these questions, I think that’s a shift we need to make as an industry because at the end of the day we’re going to have to start answering to how we manage these situations. The public wants answers, stakeholders want answers. And you don’t want to walk into those press conferences and not have any kind of idea as to why you did what you did.
Karissa Breen [00:24:51]:
So going back to just like an incident. So I was conducting an interview with a CISO who actually had a major breach here in Australia, walked through it. It hasn’t been published yet, but he was sort of saying, like, each incident is different. So there’s no like, okay, well this happened before, now something else happened, it’s going to go the exact same way. But I think you mentioned before, like, at least if it’s in the same family, same vicinity, even if it’s not the same, you’re going to sort of know at a higher level, well, it’s sort of going down that path that I’ve seen before. So the best response is to take this as an option. So how do people get to the point where it’s like, okay, we just need to have sort of high level plans in place in terms of scenarios and potential outcomes, versus this is exactly how it’s going to go, because each incident is going to be different. So it’s not like, oh, it’s going to be the same and we’ve seen this before.
Karissa Breen [00:25:41]:
There’s going to be certain nuance, things that occur. So how do people get familiar with knowing that there’s going to be things that come up that they haven’t seen in any sort of fidelity, but it’s okay because it’s, we’ve seen it in the same family.
Courtney Guss [00:25:55]:
I think that’s a good call. I think it’s important for leadership to really message that like he is, to say that we’re not going to have a plan for every single type of scenario and every single nuance. But we’ve seen something similar. And let’s think about how we handled that and what we could kind of anticipate or plan for. And then that way you’re almost maybe halfway to what the answer looks like and you’re only having to kind of improvise the other half. I had a leader in my previous life who said he was in the military and he said we practiced for everything because you have absolutely no idea what you’re going to face. He said, but you do know that you’re never going to practice the real scenario, meaning the military practices scenarios all of the time knowing that they’re never going to actually practice real life. But at least by practicing all the time, they’re able to make kind of quick decisions and prepare to your point for something that’s at least similar to what they’ve seen in the past.
Courtney Guss [00:26:49]:
And I think we kind of have to take the same mindset in cybersecurity in that we won’t be able to plan or practice for everything. But at least practicing something gives us an idea of what it might look like or even what it might partially look like. I also think there’s a law of diminishing returns on creating too many plans and playbooks. So I think having high level plans that walk you through certain types of scenarios at a high level, but give you enough wiggle room to make pivots or changes where you need to during the real life issue, is important. I think having a hundred playbooks that are so detailed and so scenario specific, to your point, is it’s really not going to align with what you see in real life and probably not worth your time and effort.
Karissa Breen [00:27:32]:
Okay, I now want to just slightly move and talk about maybe blockers. So I’m aware that you say that it’s not really just about headcount, but it’s more focused on communication, which I find really interesting, and then tool overload. So maybe pack this a bit more. What does this look like? What are you seeing during a really stressful incident?
Courtney Guss [00:27:51]:
Oh, communication breakdown and lack of connected communication tools is probably one of the biggest issues. So sometimes depending on the impact to the business, networks go down, systems go down and you don’t have access to your phone books or contact information and you don’t have access to a secure communication line. So oftentimes as organizations, we use video conferencing tools. There’s a million on the market, but those are oftentimes connected to the network and to our other single sign on systems. And so the integrity of those systems could be compromised as well as just the general access to those systems. So teams tend to revert to using cell phones or personal email. You’re pulling in business units that don’t normally have to respond in a crisis. You’re trying to get a hold of business unit leaders or even your leadership team who have confidential contact information and you’re just scrambling just to try to get ahold of people.
Courtney Guss [00:28:44]:
And so communication becomes a real challenge. And secure communication, I think, is really important because you don’t want the threat actor or the external actor to be on any of these communication channels or lines either. So how do we get everybody away from compromised communication channels and get everybody onto the same communication tool? That has become a huge challenge, especially when you’re working in siloed business operations and then really just pulling everybody together in a coordinated fashion. So, you know, do you understand your role and responsibility? Or I need you to carry out this task. Once you’re done with that task, do you know who to report back to or how to report back? And all of these things are happening very, very quickly. And it just can become very challenging to manage when everybody’s disconnected.
Karissa Breen [00:29:30]:
Okay, this is interesting. So going back to. All right, so for example, I used to have two phones. It’s too heavy and annoying to carry two and charge them. Now I just have one. Just say that had an issue. I probably only know two people’s phone numbers, which is my mom and my dad, because I’ve been memorizing them. Other than that, Courtney, I don’t have people’s numbers written down. Like, we’re not in the 90s.
Karissa Breen [00:29:52]:
So how does that sort of work then? Especially, like, if you’re kind of contacting your boss. Like, you wouldn’t even know the first couple of digits of that number nowadays because it’s in the phone and you forget about it. It’s not like before when you used to physically dial someone up. So how does that sort of go then when you can’t even make basic contact?
Courtney Guss [00:30:11]:
Oh, it. I mean, everything stops. Right. And to your point, I don’t know anybody’s phone numbers either, let alone external parties. So one of the first things you have to do as part of your planning is pull together critical contact information. So along with your playbooks that you have, hopefully, you know, offline or out of band, you need to have contact information. So when you have those decision points and you need to make phone calls or you need to have people make a decision, you have a way to get a hold of them. And I think oftentimes we just completely forget to pull that information because it’s so easily accessible when all of our systems are up and running.
Courtney Guss [00:30:46]:
And so we’ve spoken with a couple of incident response firms, and they tell us one of the biggest issues when they walk in to help a customer get the business back up and running is they don’t have any way to contact anybody. There’s no phone book, there’s no contact information. So they’re even starting kind of behind the eight ball. So I think having that information available in some format, whether it’s an out-of-band platform or whether it’s printed out, whatever it is that you can do to get that information in one place and secure, is important. I worked with an organization that needed to get ahold of the board, but that’s highly sensitive contact information and no one had it. So it was just one of those things where everyone was a bit paralyzed for a minute. So having that’s really important. And then having your external stakeholder contact information is important as well.
Courtney Guss [00:31:31]:
So cyber insurance providers, your incident response retainer firms, your third-party legal counsel, again, this is contact information that’s typically stored on the network. You want to make sure that you have all of that because some of those phone calls have to be made immediately, otherwise it changes the way those firms can respond, and you don’t have time to miss that step. It’s very, very critical.
Karissa Breen [00:31:53]:
So going back to the example around the board, because they’re obviously so sensitive, no one had the numbers. What happened then? How did they get a hold of these people? Did they tweet them what happened? Did they go on LinkedIn and say, hey, we’re in a bit of a crisis, can you respond?
Courtney Guss [00:32:06]:
LinkedIn, personal email, if people had it. I think the CEO had a couple of phone numbers on his cell phone and his personal cell phone. But it was definitely a phone tree effort to get a hold of some people, getting a hold of one board member to get a hold of another. So to pull everybody together on one phone call probably set the team back six to eight hours of research and work just to get the numbers, just to get the phone numbers and get people on a phone call. Yep. So when you work with a team and they tell you, oh, we can respond and recover in 24 to 48 hours, oftentimes it takes that long just to pull everybody together.
Karissa Breen [00:32:41]:
Wow. Yeah, well, I guess it depends on the size of the company. I mean, I’ve also spoken to people on the show around how they disseminate that. So for example, do you have any sort of insight around, just say I’m working in a 50,000-person organization, the size of a bank, and then something happens, and then just say, hypothetically, we have some key people’s numbers. But how do you sort of disseminate what’s happening down to people that are on the front line, that are in middle management, head office? What would be sort of a high-level approach to make sure everyone’s across it if there’s no email that they can access, et cetera? In terms of work email, yeah.
Courtney Guss [00:33:17]:
A lot of organizations are getting better at having kind of emergency communication tools like blast SMS and things like that. You have to be cautious as to what you send in those because you don’t want them sharing information, employees sharing information externally if it’s not public facing, and you don’t want somebody to get that text message who is a former employee who might share information that you don’t want out of the organization. But even just letting them know that you’re aware of the incident and that the team is working to try to restore services as quickly as possible. Maybe make some, you know, a statement along the lines of don’t make external statements at this time as we work through this, or if you have questions, please contact us, you know, at a specific number or email address. All of those things can go a long way at not only easing concern on the employee side, but also just letting them know that someone’s working on this, the company’s aware of the situation, and pause. You know, don’t do anything until we give you the next set of instructions. And I think that kind of communication goes a long way.
Courtney Guss [00:34:18]:
You don’t even have to share what’s going on. You don’t have to share any specific details. You probably don’t know any specific details yet anyway. But just letting them know that you’re aware and you’re working on it, I think goes a long way. And then periodic updates. I think we’ve seen organizations recently in the news who have done a really good job at just providing an update every couple of hours. Hey, we’re still working on it. We know that things are not working the way they should.
Courtney Guss [00:34:43]:
We’re not 100% sure what’s going on, but we’ll continue to keep you updated. That doesn’t really tell me anything, but for some reason it puts me at ease. And so I think things like that go a long way.
Karissa Breen [00:34:54]:
Yeah, that’s a good point because I think it’s giving people assurance. So what I mean, the example that comes up in my mind, I don’t know if you purchase UberEats, but the other day I did. So it’s like it tells you each step of the way where it’s at. But hypothetically, if I just sort of said, oh, I want some food, and then I just never heard anything, you’d be a lot more, like, alert, like, where’s my food? I’m starving. There’d be a lot more questions. But it tells you, like, we got your order, we’re preparing it, someone’s picking it up, someone’s picked it up, someone’s driving to your house, they’re still driving to your house. It gives that layer of, I know where it’s at, and therefore I’m less reluctant to be stressed about what’s happening.
Karissa Breen [00:35:32]:
So would you say people fail on. Even if there’s no update, there’s still an update to say there’s no update. Do you think people are not doing that because they don’t. Because they’re like, well, there’s something to say, so therefore I’m not going to say anything.
Courtney Guss [00:35:45]:
I do. I think there’s almost two sides to that coin. I think we do oftentimes just forget to give people some kind of an update. To your point, something that says we’re working on it, but we don’t have an update is better than nothing. And then I think the reverse side of that is sometimes organizations come out too soon and give too much information and almost overshare to the point where it sets unrealistic expectations for consumers or external stakeholders as to what they know or don’t know and where things are at. I think you’re almost better off saying, we’re aware there’s a situation. We’re not 100% sure what’s going on with it, but we’ll continue to keep you updated as we learn more, versus saying, we’re very confident that it’s this and this is how we’re going to solve it. And then you find out a week later that that was unfortunately not the right information.
Courtney Guss [00:36:34]:
That almost leaves a sour taste in people’s mouths rather than, to your point, constant updates and just kind of understanding where things are at. And you’re also probably less likely to call and ask questions or almost bog down the system if you have a way to kind of understand where things are at and that things are moving, that assurance you’re talking about.
Karissa Breen [00:36:53]:
So generally speaking, you say, Courtney, that most, you know, plans sort of fail. What would be the key? What would you attribute it to? The communication? The, you know, the. Don’t even have anyone’s basic phone numbers or. I know it’s probably all of the above, but if you were to weight it, what would you say is the main indicator of why a lot of these plans sort of fail?
Courtney Guss [00:37:14]:
It is probably all of the above, but I think that having kind of a single source of truth or a single repository with all of your documentation that’s accessible during an instance or an issue is probably the first place we fail. It’s such a foundational element. It’s the basics, right? Getting the phone book, getting the playbooks, getting some clear decision points into a folder that everybody can get to is probably the easiest way to provide guidance and a roadmap. If the group comes together and has no idea what they’re doing, at least they’ve got a roadmap. And so having that, I think, is probably our first point and our first foundational point that we need to really focus on. Because from there people can figure it out. We’re smart, we’re resourceful, people can work through documentation and follow instructions even if they’re unsure. But without those key critical pieces, you have people kind of self-appointing themselves as leaders, as decision point makers.
Courtney Guss [00:38:10]:
And all of that has to be accounted for at the end of the incident. And then from there it’s how are we going to communicate? What are the tools we’re going to use to get a hold of each other now that we’ve got the phone book, do we use personal phones? Do we have another out of band solution? And I think once you’ve got the roadmap and you’ve got a way to talk to each other, you could probably solve the rest of it.
Karissa Breen [00:38:31]:
So then lastly, Courtney, I’m really curious then to understand companies who are sort of building their plans around assumptions. So what’s one assumption that you just throw out today?
Courtney Guss [00:38:42]:
Well, that people are ready, that people are confident. I think doing a tabletop once a year does not build the confidence that we expect in the event of an actual response, crisis response or incident response. And I think assuming that people understand their roles and that they’re ready to perform those decisions or those roles is just a complete misnomer. People are not and oftentimes forget what their roles and responsibilities are from one exercise to the next. Like you said, we’ve got day jobs, we’re very busy, we’re resource strapped. And so to assume that people are ready and they can jump in at any moment I think is just a really unrealistic expectation to have.
Karissa Breen [00:39:20]:
And Courtney, do you have any sort of final thoughts or closing comments you’d like to leave our audience with today?
Courtney Guss [00:39:26]:
I think the hardest part in what we do is knowing where to start. Yeah, I laugh a little, only because I think after our discussion today, a lot of it can feel really overwhelming. And I think organizations oftentimes get discouraged and they’re not sure where to start. And so it’s easier just to say, well, we think we’re ready. I don’t want to say put our head in the sand, but just kind of put it off for the next exercise. And I think it’s really important to be thinking through these things all the time. Anytime that we’re implementing new technology, we’re bringing new people on board. How does this play into our crisis response and incident response plan? What are the decisions we should be thinking of now in case we have to bring these systems back up? I think having the crisis response and recovery plan as part of your implementation plan just helps bring all of that together.
Courtney Guss [00:40:13]:
But that comes with time and maturity. So I think not being afraid to dig in and get started and build that foundation is good, and not ignoring it would probably be my only other thought.