Why are you still conducting “standalone technical lifecycle” TTXs?

The SEC & NIST have issued new mandates regarding cybersecurity due diligence. This impacts the way you do Tabletop Exercises (TTX).

Your TTXs are going to have to conform to the new mandates: “Strategic”, “Risk Based”, and “Business Aligned”, beyond the typical “standalone technical lifecycle” approach (see NIST 800-61r3). The SEC now requires Board of Director (BOD) oversight of your “material” cybersecurity risks.

Your TTXs need to align with these new requirements. You should still test your technical team and their response, but your TTX scope needs to expand significantly.

Some observations from performing almost weekly “management” TTXs for technical, executive, and Board level management for the last decade:

  • Misalignment
    • “Business Extinction Risk” discoveries occur 6-12 times a year. The TTX would elicit these epiphanies from the management team; during the technical TTX that followed, the IT/InfoSec group had NO IDEA. These qualify as “Material” risks to the organization.
    • The CEO/BOD have a different view:
      • CISO says availability of the website is the #1 priority, but the CEO disagrees: “We will survive an outage, but our clients will dump us the minute we are seen as a significant third party risk to their employees’ data.”
      • The DR strategy has a 3 week recovery objective, but the CEO says they will be out of business if they are down for more than 2 weeks.
      • As with every CIRP I develop, we conducted a TTX/“Walkthrough” with the management team and the named participants of the CIRP. As we were reviewing the Cyber Risk Narrative, the CEO noticed that we had not included their recent (4 months prior) acquisition of a “service” company, acquired so that they could monitor/service their products in real time in their customer environments. The Target PCI breach by an HVAC vendor was cited. Should this risk manifest, there were reputational and litigation implications. The CEO stated that the company had incurred a significant amount of debt in order to purchase the company, and there were revenue expectations that needed to be met. Life safety concerns were also considered remote, but still a possibility. We added this additional Use Case to the CIRP. Subsequent CIRP updates affected: Incident Thresholds, Containment Plans, Cyber Insurance Integration, and notification obligations, and included a unique Roles & Responsibilities table and narratives for this specific risk.
    • Your Annual Report details dozens of cyber risks & obligations
      • At a minimum, you should be validating these risks and ensuring your InfoSec program is aligned with them.
      • BODs are detailing their expectations / responsibilities in the 10-K.
      • Should any of your efforts be deemed insufficient by regulators or private litigants, the organization could face significant consequences (e.g. litigation).
  • TTXs are focused on threat scenarios and not business objectives
    • The scenario is merely a tool to “herd the cats”
    • Advise participants not to let the scenario limit their thinking/comments
    • Avoid detailed, “Color by numbers” slides / scenarios
      • “Fog of War” & “Friction” are common problems in a crisis
      • A “walk in the meadow” versus “follow the breadcrumbs”
      • LISTEN to management’s fears/concerns/expectations
      • Focus on the decision making process

It is a rare privilege to have the opportunity to rehearse for a crisis. While TTXs are an annual requirement for every InfoSec framework, the opportunity to have the undivided attention of your Executive Management team, to update them on current threats, to see if any of their concerns have changed (assuming you already know their concerns), and to refresh the “muscle memory” of the team responding to a crisis is invaluable.

I have been successful at the Management level TTXs because I invest a significant amount of time learning about my clients and helping them prepare for the TTX. My ultimate objective is to prepare your team to be successful during an actual crisis (i.e., give an “open book test”).

With over a decade of performing management level TTXs, the following are some top Management TTX objectives:

  • LISTEN to the BOD/Executive Management team as they think and talk about their fears and expectations. Is there a shared Cyber Risk narrative?
  • DUE DILIGENCE: what has the organization committed to in its 10-K?
  • REQUIREMENTS DRIVEN EXECUTION: Who will “do” these commitments?
  • VALIDATE this is captured within the organization’s documentation / consciousness.
  • TRAINING / COACHING: Cybersecurity concerns are constantly evolving.
  • “OPEN BOOK” test/“walkthrough”, should some of these fears/risks manifest.
  • LESSONS LEARNED: Manifest, track, and execute improvements.

While there still is a place for “Technical” TTXs, it is a rare opportunity to get your BOD and/or the senior leadership team in a room at the same time to focus a couple of hours (of extremely valuable time) on their cybersecurity risk management duties.

And while your typical Technical TTX focuses on the scenario, Management TTXs should start by focusing on objectives.

  1. Board of Directors

This can be either a formal “TTX”, or more of a coaching/teaching event.

Objectives typically include:

  • Understanding BOD due diligence as per NACD, OAS, and any recent documentation (e.g. UK Cyber Governance Code of Practice).
  • Review of your organization’s publicly disclosed Cyber Risk Narrative & Cyber Security commitments (10-K). Consider comparing it to a “Near Peer”.
  • Leveraging industry frameworks to assess “Are you doing enough?”
  • Reviewing your policy documentation / execution
  • Reviewing BOD expectations of the Executive Management Team during an incident

  2. Executive Management Team

Objectives typically include:

  • Validation/Development of the Cyber Risk Narrative.
  • Decision making
    • Friction
    • Fog of War
  • Requirements Driven Execution:
    • Business focused:
      • Statutory, Contractual, and Internal Reporting
      • Brand/Reputation protection
      • Potential litigation considerations
      • Integrating your Cyber Insurance
      • Proactive measures to minimize potential impacts prior to and/or during a cyber event

  3. Technical Management Team

Objectives typically include:

  • Whether your efforts and focus are aligned with the Cyber Risk Narrative
  • Requirements Driven Execution
  • Division of Labor considerations
  • Management reporting
  • Knowing what “normal” looks like (i.e. “Context”)
  • Proactive actions, including Containment Planning

Once you have identified your objectives, you then need to build a scenario that will assist you in achieving those objectives. I have used the following approach for over 400 management TTXs:

  1. Start “big” and end “small”. Think of a cone. Start with contemplation of what the worst could be and end with an inject that mandates specific action(s).
  2. The goal is for the team to evaluate actions at each step/inject as the problem becomes more “real”/significant.
  3. Focus on the decision making process
  4. Speak in business terms, not technical ones.
  5. Keep the slides simple and use verbal cues to “herd the cats”.
  6. Don’t provide slides with answers. Use the speaker notes to store that information and provide verbal cuing as needed.
  7. Your job is to facilitate thought & conversation amongst the business leaders, so they are invested in their answers that are specific to their business needs.
  8. The TTX should focus on identifying gaps/problems. Be judicious with the time you spend on solving the problem(s).
  9. Be flexible with your scenario during the TTX. It’s just a scenario, like orange cones at your child’s soccer practice. Herding the cats…
  10. Don’t let the scenario LIMIT conversation (e.g. “I know this is a ransomware TTX, but what about…”), especially if this is something the CEO/BOD sees as a higher priority.

This is not a “gotcha” event but rather an opportunity for the collective to work their way through a potential problem (or problems): an “Open Book” test type of thing.

One last thing: TTXs are often characterized as a “test” or “exercise” of your IR efforts, which manifest in your CIRP. But they are also a great tool to develop/refine/validate your entire InfoSec program.

Reach out if you have any questions…