Outside, a hostile camera crew surges the forecourt of company headquarters, clamouring to discover more. Inside, senior executives huddle round the boardroom table, barking orders at the security team live on the big screen. This is not a real life crisis, it is a drill, designed to feel exactly like a security breach and Jerry Dixon, CISO at endpoint protection company Crowdstrike, says they are becoming increasingly commonplace.
Dixon describes himself as a “typical CISO with an internal focus” when I meet him for coffee at the Soho Hotel in central London. The only difference is he is based in a security company which, having held similar roles at American Express and Cisco Systems, makes it a little easier, he says. You don’t have to explain the risks so much. “Employees [naturally] have a higher level of understanding” and raising awareness is also baked firmly into HR processes.
Yet Dixon believes the CISO role is changing. A lot of organisations are now building cyber crisis management plans and this means the CISO often becomes the chief incident manager, sometimes in conjunction with the legal department. In practice he or she must therefore work with each line of business to come up with a viable incident response plan. And then test it.
This is where the ‘fire drill’ scenario comes in and Dixon says this is fast becoming standard practice in regulated industries like financial services although it is still less utilised elsewhere. Sometimes this originates from the legal department and sometimes the CISO, he explains, and it often comprises of small quarterly drills followed by a big annual one. “It is a stress test for everyone,” he adds, and it is followed by a report which presents actionable insights into areas of strength and weakness.
In practice a facilitator comes into the organisation and presents a “worst case” breach scenario to the business. This service is now offered by a lot of major consultancies, says Dixon. It is a growth area in professional services and a lot of practitioners come from a government background where this approach is standard, he adds.
As the drill develops, the security team have to make technical decisions, often around the forensic process, and sometimes around the data itself. While senior executives need to make fundamental choices – like whether to shut down the business – as well as deciding what core messages to deliver to external entities like the press.
This type of cyber crisis management is becoming so critical, says Dixon, that some organisations are beginning to merge physical and cyber crisis management into one. A lack of clear cyber plan can increase legal risk, he concludes. It can start discussions around negligence and also factor into cyber insurance premiums.
From insular US firms to spammy marketers: Who will GDPR hit the hardest?
Does the CISO role need to be formalised?
First board level cyber training due to launch in Feb
What will the ‘mega security breach’ of the future look like?
What will be the single biggest security threat of 2017?
Fleeting strategic importance? 2016, the year of the CISO
Adrian Schofield sheds light on tech in South Africa
Mark Chillingworth on IT leadership