At the recent ISSA International Conference in Dallas, SearchCompliance editor Ben Cole met with conference speakers to discuss cutting-edge information security strategies to offset the numerous data threats facing companies today. Two of these speakers were Stephanie Ewing-Ottmers, a cyber exercise consultant at Delta Risk LLC, and Chris Evans, VP for advanced cyber defense at Delta Risk. San Antonio-based Delta Risk LLC is a Chertoff Group company that provides risk management and cybersecurity services to commercial and government clients worldwide. In this Q&A, Ewing-Ottmers and Evans discuss infosec training best practices that large and small companies alike can consider to help protect their data.
What types of cybersecurity exercises do you think are most effective to help companies improve their infosec training?
Stephanie Ewing-Ottmers: As I work with clients around the nation in different sectors, we typically recommend two buckets of exercises. Most organizations are very interested in doing discussion-based, tabletop exercises where we get a group of folks around the table face-to-face to talk through procedures and issues as they would apply to cybersecurity events. For companies that are wanting to take a little bit more of an advanced approach, we also recommend working on functional, operational exercises where they can get a bit more in the trenches of their procedures, a bit more hands-on, and put end-to-end processes of their incident response plan to the test. Ideally, a combination of those will work, if they have the appetite for it. But at a minimum, tabletop exercises on a regular basis are helpful.
How often should companies hold those exercises? Should they be done frequently, because the threats evolve so quickly that they need to keep the infosec training up to date?
Ewing-Ottmers: Like you say, the threats really are evolving, so it is a good idea to refresh those scenarios and types of events that they're practicing. At the end of the day, the incident response plan is the main thing that we recommend that the organization practice. If you're refreshing your incident response plan, an exercise is a great way to put it to the test. If you're looking to refresh the organization's incident response plan, going through an exercise is a great way to determine stuff that's not working anymore. It kind of really depends on a combination of upcoming threats, but also where you are at in your incident response planning and how you want to update it as to the frequency of exercises in your program.
Insider threats continue to be a huge threat to companies' information security. What types of exercises do you think can help better train personnel about their role in information security?
Chris Evans: For insider threats, I think any exercise that you can do using the insider threat as a scenario element or a key component of that scenario element is a good thing. For example, you could do a tabletop exercise talking about how your organization would respond to an insider threat from a security, HR, legal, crisis communications standpoint. You could go to the completely opposite end of the spectrum as well, throw the kitchen sink in and do an operational exercise where you've got a live red team that's emulating an insider threat on your network. To address the insider threat concern specifically, though, you've got to be able to test it; you've got to be able to see how your organization responds to that. A great way to do that, and to get confidence in your ability to respond to that, is to run these exercises with the insider threat as a scenario element.
For smaller businesses and companies with smaller security budgets, are there low-cost but efficient cybersecurity exercises that can still help them improve their information security and information security processes?
Evans: Absolutely. The nice thing about cyber exercises is that they can scale. You can have really low-key, simple-to-plan exercises that are just a bunch of folks sitting around the table talking about how they would respond to something, all the way up to, again, those functional exercises where you have perhaps a live red team, you've got actual stimulus on the network, with people reacting to it. For small to midsize businesses, it's great to start with a simple discussion. Start with a tabletop exercise around a key risk scenario. Pick the one thing that keeps you up at night and look at it from the standpoint of: how would you respond to it? You sit down at the table and go, 'Okay, this just happened to us' -- whatever that key risk concern is. Then you start talking about, well, what do we do? What are our processes? Who's responding to this? Do we have the people in place to do it? Do we have the technology? Do we even have the skills to do this? A simple discussion is a great way for small companies to get involved with exercises and get started with it.