www.informationweek.com
You hear this mantra in cybersecurity over and over again: "It's not if, it's when." Data breaches, ransomware attacks, and all manner of incidents abound; it seems like disaster lurks around every corner. The prevalence of these incidents has shifted the CISO's emphasis from prevention to resilience. Yes, even the most prepared enterprises can still get hit. What matters is how they bounce back.

Today's CISO role has disaster recovery baked into the job description. How can they cultivate that skillset and use it to guide their organizations through the fallout of a major cybersecurity incident?

Defining Critical Disaster Recovery Skills

Disaster recovery has become an essential part of the CISO role. "In cybersecurity, we live in the world of incidents, whether it's someone clicking on a phish or someone plugging in a USB drive, or someone who's conducted fraud against your company," Ross Young, CISO in residence at venture capital fund Team8, tells InformationWeek.

Incident response and disaster recovery go hand in hand. "Some of the best CISOs are some of the best understanders of disaster recovery efforts and apply those in their own security response plans," says Matt Hillary, CISO at compliance automation platform Drata.

Effective disaster recovery requires both technical skills and human skills.

On the technical side, CISOs must understand how each part of the technology stack is used in their organizations and how that technology impacts the CIA triad: confidentiality, integrity, and availability.

"A lot of that technical work is going to be driven down to the engineering level. Ideally, the CISO will have done the right work to bring in the right talent and drive the technical remediation," says Marshall Erwin, CISO at Fastly, a cloud computing services company.

CISOs also need to be able to put themselves in the mindset of attackers to understand their goals and what they could be doing once inside the network.

"You can say, 'Team, here's where we need to be looking, here's where we need to point our lens and our forensic skills to identify what an attacker did,' to be able to make sure that we kicked them out and have cleaned up our internal network," says Erwin.

But human skills are equally important. CISOs need to be able to communicate effectively across multiple teams and with C-suite peers to lead an effective response.

"What you feel you need to do from a security investigative perspective might be the opposite from [what] business resilience folks want to take," says Mandy Andress, CISO at Elastic, an AI search company. "How do you navigate, communicate, and find the compromises?"

A lot of that work is best done in advance of an actual incident. CISOs can add their voice to disaster recovery plans to ensure the security perspective is in place before an attacker gets inside.

In the heat of a cybersecurity disaster, CISOs also have a responsibility to their team. They need skills to get them through the incident response process.

"It seems like every incident I've ever seen, it always happens on a Saturday when everybody's at their kids' baseball game or something else. It's the most inconvenient time possible. How do you keep the positive morale?" says Young.

Remaining calm and decisive in the midst of a stressful situation that can last days, weeks, or even months is necessary and not without its challenges. "I think there is a lot of bravado sometimes in the security community," says Hillary. "I don't know if it's a mask or if it's something else that leads us to not being as human as we need to be. And so just to continue to be humble, teachable, and learn throughout that incident."

Cultivating Disaster Recovery Skills

While people may have different career paths that lead them to the CISO role, they've most likely worked through cybersecurity incidents along the way.

"Incidents are frequent enough that you're going to have that experience at some point in your career and develop that expertise organically," says Erwin.

While trial by fire is an excellent teacher, there are other ways that CISOs can shore up their disaster response and recovery toolboxes. Industry conferences, for example, can offer valuable training.

"When I was the CISO of Caterpillar Financial, I went to FS-ISAC [Financial Services-Information Sharing and Analysis Center], and they had a CISO conference where they did tabletop exercises simulating an insider threat," Young shares.

CISOs can lead their own tabletop exercises at their enterprises to better understand the holes in their incident response plans and areas where they need to strengthen their own skills.

Other leaders within an organization can be valuable resources for CISOs looking to cultivate these skills. "One of my closest peers that I usually go to is someone who's over on the infrastructure team," says Hillary. "Any kind of disaster impact or availability incident that they experience on their end, they have a plan for; they have a really good, well-exercised muscle within the organization to recover."

CISOs can also look outside of their organizations for ways to sharpen their skills. Hillary shares that he always looks at other breaches and outages. "I usually ask myself two questions. How do I know that this same vector isn't being used against my company right now? How do I know this same incident that this other company is experiencing can't happen to us?" he says. "So, it helps drive a lot of preventative measures."

Navigating Disaster

In a world of third-party risk, human error, and motivated threat actors, even the best-prepared CISOs cannot always shield their enterprises from all cybersecurity incidents. When disaster strikes, how can they put their skills to work?

"It is an opportunity for the CISO to step in and lead," says Erwin. "That's the most critical thing a CISO is going to do in those incidents, and if the CISO isn't capable of doing that or doesn't show up and shape the response, well, that's an indication of a problem."

CISOs, naturally, want to guide their enterprises through a cybersecurity incident. But disaster recovery skills also apply to their own careers.

"I don't see a world where CISOs don't get some blame when an incident happens," says Young.

There is plenty of concern over personal liability in this role. CISOs must consider the possibility of being replaced in the wake of an incident and potentially being held personally responsible.

"Do you have parachute packages like CEOs do in their corporate agreements for employability when they're hired?" Young asks. "I also see this big push of not only CISOs on the D&O insurance, but they're also starting to acquire private liability insurance for themselves directly."

Andress shares that she is seeing CISOs be replaced less often. "More often it's a recognition of underinvestment. And so, what I see more of is an increasing investment in the security program after an event or incident occurs," she says.

After each incident, CISOs have the opportunity to learn about the strengths and weaknesses in the enterprise's security and incident response plan, as well as in their own skillsets.

For Andress, one of the biggest lessons has been to focus on the people involved in incident response. "Everyone's looking at the technology. Everyone's looking at communication plans, but there are people working a lot of hours. How do we make sure that they're taking breaks? Getting rest. Getting fed," she says. "If you want to have a strong and successful response, making sure that you're focusing on not just the technology and the process aspects but really focusing on the people as well."