Getting Started With Tabletop Exercises

Tabletop exercises or simulations can be daunting and scary. Join me as I sit down with Sarah O'Kelley from Choice Cyber Solutions as we discuss some tips and tricks to success with your first Tabletop.

[00:00:00] Welcome to MSP 1337. I'm your host, Chris Johnson. A show dedicated to cybersecurity challenges,

[00:00:14] solutions, a journey together, not alone.

[00:00:20] Welcome everybody to another episode of MSP 1337. This week we are running a little behind

[00:00:27] schedule. It is Wednesday on a normally released Tuesday schedule, but I have been fortunate

[00:00:33] enough to find some time on Sarah O'Kelley's calendar.

[00:00:38] Hey Chris, good to see you again.

[00:00:41] So it's been a little while. You always bring great content to the show, and, you know,

[00:00:46] recently we were at CCF and you facilitated and helped a bunch of solution providers navigate

[00:00:55] the tabletop exercise. In reviewing some of the feedback that we got from

[00:01:03] that event and talking to some of the solution providers over at MSP Ignite, in fact, they've

[00:01:09] asked that I put together sort of the same slide deck for a town hall to just talk through

[00:01:17] some of the key components of a tabletop exercise. And really we don't even have a plan to do

[00:01:23] a simulation of any kind. We're just going to talk about definitions and why roles and

[00:01:28] responsibilities are so important in that planning and putting together a tabletop exercise.

[00:01:34] But before we get into some of those pieces, Sarah, I thought it would be a good idea, actually,

[00:01:39] per your suggestion, to talk about how do we get to that tabletop exercise? What

[00:01:47] are the things that we need to think about? And I think, to some extent, overcoming the objections

[00:01:51] around, well, we don't need to do one of those, we're fine. And I think even remembering that it

[00:01:57] doesn't have to be a cybersecurity incident scenario. It could be, you know, fire drills or

[00:02:06] first-person shooter, hurricanes, floods; all kinds of stuff can fall into this. And really understanding

[00:02:12] things like the responsibility matrix and some of those things. So talk me through a little bit

[00:02:17] how you approach risk, like, more from the beginning. What gets you started on this conversation that

[00:02:23] you would have with a client, or even internally at Choice Cyber? So many people approach incident

[00:02:32] response because they have to. So, you know, depending on what compliance framework I have a

[00:02:38] client working with, like a NIST 171 or CMMC client, there is specifically a control that says

[00:02:44] that the incident response plan must be tested on an annual basis. So that's the driving factor

[00:02:51] for some clients, but really I think it loses sight of incident response and business continuity or

[00:02:58] disaster recovery, which are some of those other items that you mentioned. These are really tools to

[00:03:06] help the business's resilience in times of turmoil. You know, the same as you would have, like, a backup

[00:03:13] server for your confidential data to live on just in case something happens. A tabletop

[00:03:20] exercise is a way to kind of test-drive the company's response to an incident or a disaster

[00:03:29] and kind of test out, not necessarily whether you do all of the steps correctly, but do you understand

[00:03:38] the order of operations? What does your internal communication during those times look like? Who are

[00:03:45] the decision makers that need to be at the table? Who's the backup if that decision maker is not

[00:03:51] at the table? The goal of it is to make sure that if and when an incident or disaster happens,

[00:04:00] the team can actually effectively navigate that with as little additional stress as possible.

[00:04:07] Because we know that they're by nature stressful. Either your company is in jeopardy

[00:04:12] or your well-being is in jeopardy; people lose their brain when those things happen, and the way that we

[00:04:20] future-proof is to practice, you know, the process frequently enough that it becomes a little bit of

[00:04:28] second nature to us. So with that in mind, does that get into things like... so obviously the one,

[00:04:35] for those of you listening who were at CCF, we did one that was talking about ransomware and we were

[00:04:40] talking about the responsibility matrix a little bit. It was

[00:04:45] about a ransomware incident that targeted an RMM vendor, and it was an actual scenario that took

[00:04:53] place that was out of CISA. But along those lines, we're talking about at this level, from an

[00:04:59] internal perspective, who are the people that need to be at the table? So for the exercise, like, you

[00:05:05] know, fill in the blank: CEO or whoever it might be. But then I think to your point, if the CEO

[00:05:12] isn't present, who's next? I mean, even going so far as thinking about how our governments run

[00:05:18] here in the US, we're thinking about things like: if the president's gone then the vice president

[00:05:23] takes over. If the vice president's gone, so on and so forth until you've moved all the way down to

[00:05:28] like the housing secretary, and there's a continuous pattern. Anybody that's ever watched

[00:05:34] Designated Survivor knows that there's a plan of action to put those different people into scenarios

[00:05:43] where they aren't at the same place at the same time, so that they can say, well, yep, the whole

[00:05:49] leadership team's gone, right. So creating an incident response plan, which is separate from a policy,

[00:05:57] so I want to make sure that, like, folks who are listening understand that your IR plan is essentially

[00:06:03] your runbook; it's the order of operations. Your policy kind of dictates what should be happening,

[00:06:09] but your IR plan should have a primary and secondary for every step of it. I also highly recommend

[00:06:15] people including in their incident response plan: who is your contact at your cybersecurity insurance

[00:06:21] company? Who is your legal contact? Who is your PR or your marketing person? Because those are all

[00:06:26] people that we might not think of, being IT-focused, as required for an incident response, but the reality

[00:06:34] is that quite frequently, you know, those people have a lot of weight that they need to add in terms

[00:06:40] of, like, bigger picture, not just the incident but how is the company presenting it? What is the legal

[00:06:47] obligation of the organization? Who keeps an eye on the client's contracts? For, you know, like, okay, we

[00:06:55] had something that we reasonably suspect to have been a breach in the data of one of our clients.

[00:07:01] What is our contractual obligation to notify that person? Sure. So these are all people that need

[00:07:06] to be informed or have representation in an incident response tabletop exercise, because they will

[00:07:14] have that impact when an incident actually occurs. Let me ask you a question. You made me think about,

[00:07:20] you mentioned, like, you know, notifying insurance or PR or some of those things. It makes me think

[00:07:25] about, like, if I was looking at my insurance policy for cybersecurity, as an easy one, I shouldn't say

[00:07:32] easy, but I was looking at that policy, you know, what are the terms of engagement that I have that I

[00:07:38] may not be aware of? You know, things like, if we have determined in fact that we have an incident

[00:07:44] on our hands, what are the steps that come next? Does everybody understand what those steps are?

[00:07:50] Because as soon as you engage insurance, or as soon as you invoke attorney-client privilege,

[00:07:57] now a lot of things have changed and a lot of risk has now been potentially added to the

[00:08:02] equation around your company and the survivability of this event that's taking place. Right, yeah, there's

[00:08:10] a legal obligation that happens when you declare an incident. Right, so one of the ways that I suggest

[00:08:19] that clients or MSPs who are holding cybersecurity insurance proceed with this is to specifically

[00:08:25] ask their legal counsel and specifically ask the cybersecurity insurance company: do they have a

[00:08:32] runbook that is their suggested process? From the legal standpoint, asking your cyber, or excuse me, your

[00:08:42] legal contact what order they suggest. Do they want you to call them first and then the

[00:08:48] cybersecurity insurance company? Sure. But understanding what the impact of that's going to be, so

[00:08:54] that you can then determine at what point in the chain does that decision happen? Right, and

[00:09:01] exactly who gets notified in what order. Again, part of your incident response plan, but we

[00:09:07] generally don't think of that, and frankly, if most companies had an incident tomorrow there would be

[00:09:14] a lot of scrambling to figure out who's supposed to get notified first. Well, it makes me think, like,

[00:09:20] one could do, for lack of a better word, a tabletop exercise that just says, how do we communicate?

[00:09:27] An incident has occurred, so we're going to go through this scenario. The scenario is really

[00:09:31] advanced, it's very sophisticated, there's been an incident, and leave it at that. Like, we're agreeing

[00:09:38] that an incident is significant, we're agreeing that an incident requires getting out the playbook,

[00:09:44] and it requires us to go through the steps in there that say, hey, step one, step two, step three.

[00:09:51] From where I'm sitting, it sounds like that's something that all organizations should be doing,

[00:09:56] potentially more frequently than once a year, because you're fluid within an organization. You know,

[00:10:02] vendor A and vendor B may not be the same anymore. You may have changed insurance providers since,

[00:10:07] you know, 45 days ago for whatever reason, or you've added a new policy that, you know, helps you

[00:10:13] layer on top of your existing insurance, maybe just added a PR reputation rider or something along those

[00:10:20] lines. So it sounds like one could really boil down a tabletop exercise to, I don't want to call

[00:10:27] it trivial, but to just say, hey, we're going to have a tabletop exercise that just looks at the

[00:10:32] communication plan, because an incident has happened regardless of what kind it is. You'll test out,

[00:10:40] ideally, if you're running the tabletop exercise correctly, or if whoever you're having come

[00:10:47] in runs it correctly, you'll be testing that conversation process out, because when you're doing

[00:10:56] a tabletop exercise, as the facilitator part of your job is to ask questions. Sure. So one of my

[00:11:02] favorites is, like, okay, you know, there's an incident, how are you alerting people? And I'll have

[00:11:09] clients that will say, like, oh well, you know, we use Microsoft Teams. I'm like, okay, Microsoft's totally

[00:11:13] down. Sure. You know, what, we call each other? Okay, do you have a phone list? Yeah, we use Microsoft

[00:11:20] Teams. You know, so sometimes it's literally kind of coming in, like, how are you communicating

[00:11:26] in this? Do you have a backup option? You know, do you have a second way of reaching people?

[00:11:34] Do you have a printed copy of your incident response runbook in your office? Because if Microsoft

[00:11:41] is down, or if your file server is down and that's where you stored your one copy

[00:11:47] of your incident response plan, everything's dead in the water at that point. So some of it is the

[00:11:53] art of asking the what if. Sure, and the what if being a realistic what if, because we've all seen,

[00:12:00] you know, scenarios where Microsoft or Google or somebody's down and that's where we store things.

[00:12:04] You know, it makes me think about, um, you know, the questions that often get asked if I was client

[00:12:09] facing, and they're like, so do you use this fill-in-the-blank vendor or service? And I think this

[00:12:14] is an interesting scenario where, you know, a defendable answer would be like, we don't use that particular

[00:12:20] vendor because in the event that you were to go down from vendor A, B or C, we're using a different

[00:12:27] product or service. Now this obviously doesn't apply to every product or service, but it's an example

[00:12:32] of, like, hey, um, we're using fill-in-the-blank service provider for phones, or fill in the blank,

[00:12:37] or maybe we have our region set differently than the majority of our demographic for our end user

[00:12:43] clients, because that way if they are impacted, we're the core for all of their activities

[00:12:49] and now we're still able to, you know, handle that communication plan or facilitate some things

[00:12:55] that they may not. It gets into a lot of opportunity conversation around, well, hey, you know what,

[00:13:00] you're right, redundancy is kind of important. Like, if you're serious about this, yeah, we can definitely

[00:13:04] recommend adding a secondary service provider or some things that would allow for, like, in the event

[00:13:10] that Teams doesn't work, or fill in the blank, there is a plan B option that will fill in the event

[00:13:16] of failure. Yeah, and it's interesting because a lot of times people don't realize how critical those

[00:13:23] solutions are that they're using until we say, okay, that's no longer an option for you.

[00:13:29] How do you conduct business? How long is this going to actually stop your ability to provide services

[00:13:34] to your clients or to generate income? You know, how much money is it costing you? Without, yeah, how long

[00:13:42] can you do without doing those things? Yeah, exactly. So when we talk about incident response, one of the

[00:13:49] things we look at is, like, what is the criticality of each of these systems? You know, back in the

[00:13:55] day when everybody was 100% on site, it would be difficult for a company to be able to recover if

[00:14:02] they only had one ISP. Yeah. So we always used to say, like, do you have a backup ISP? You know,

[00:14:10] with working hybrid now or working fully remote, which many organizations are doing, there's a little

[00:14:15] bit more opportunity for redundancy, because even if you, Chris, can't get online because there's

[00:14:22] a disaster in your area, I may perfectly well be able to do that. Um, but it's the

[00:14:28] process of calling out, like, oh, here's actually where the gaps are. And you tease some of that

[00:14:35] out ahead of time, of course, when we're sitting around theoretically at a table saying, like, oh,

[00:14:39] what are our most critical solutions? But, you know, the tabletop is really where we get to see where

[00:14:46] the holes in that process are. Yeah, it made me think about, um, you brought up, you know, the room

[00:14:52] with the work from home, or a lot of the, especially with solution providers today, that whether it was

[00:14:56] before or because of COVID, the employees all work remotely. And it got me thinking about some

[00:15:02] of the, the safe resident, the trust marks, CIS; in a lot of frameworks they talk about, you know, the

[00:15:07] business continuity of, like, hours out, what, fill in the blank. And I started thinking about, like, okay,

[00:15:13] so if I work from home and my power is out, or I don't have internet where I'm located,

[00:15:19] what's the plan? Because what if my cell service goes out with that? Like, I'm remote enough, like,

[00:15:23] if I don't have power here at my house I'm probably not getting very good cell coverage, because I'm

[00:15:28] pretty remote. So is there a, uh, in that playbook that says, oh well, when Chris is no

[00:15:34] longer able to work from home, his point of contact would be fill-in-the-blank coffee shop

[00:15:40] or that's maybe five miles away? But, like, in my documentation does it actually have a phone number

[00:15:47] for the business that's there? Because what if cell service is directly impacted on a much broader

[00:15:51] scale, but I can get to the internet or I can get to some things? Like, you know, I think sometimes

[00:15:55] we're quick to say, oh well, I would just go work at the local Starbucks. If you're in an

[00:15:59] urban setting there could be, like, nine Starbucks within a three-block radius. Which one is Chris

[00:16:03] at? And is that important as part of your, you know, continuity planning, to make sure that people know,

[00:16:10] like, hey, if I want to get hold of Chris and I know that we both work in an urban environment

[00:16:15] and he's like, yeah, I'll be at Starbucks, but I don't know which one it is, it may take me a while

[00:16:20] to go and be at the same location he is, and we may not have that kind of time. Yeah, yeah,

[00:16:25] and that's one of the reasons why it's so important to have folks understand who's the

[00:16:30] backup. If I can't reach Chris, and Chris is one of my decision makers, there really needs to be a

[00:16:37] secondary decision maker, that, you know, we have some resilience around. Can the company move on

[00:16:43] without one person? You know, yeah, I think it's a big, you know, we dance around the concept of

[00:16:51] risk management, but that's really what we're talking about here. We're talking about, in the

[00:16:55] tabletop exercise, identifying not just what are the risks to the business if something goes down,

[00:17:03] which really ideally should be done ahead of time and as part of your business continuity program,

[00:17:09] but we're also looking at, like, what is the risk of some of the pieces falling apart?

[00:17:16] You know, do we have a single point of contact for something? Do we have only one person that has

[00:17:22] access to the admin panel? You know, these are the kinds of things that a tabletop exercise can

[00:17:29] tease out. Again, the important piece here is the facilitation, because anybody can just run the, you

[00:17:37] know, if you look at these tabletop exercise guides, yeah, there's all of these: this is what's

[00:17:42] happening, in this order. But then you get into these juicy nuggets of, here are the questions

[00:17:48] to ask, here's a perspective to contribute to it. And so I think somebody who's got a little bit of

[00:17:54] practice with that, especially somebody who's got some good facilitation skills, who's kind of

[00:17:59] stepping their own opinions back and letting the group actually make the decisions and be guided

[00:18:06] in the right direction, can really make this a really impactful business opportunity. So

[00:18:16] we've got about 12 minutes or so, and I thought it'd be a good idea to

[00:18:21] walk through some of the definitions, and specifically not just the definitions but sort of the

[00:18:28] roles within doing a tabletop exercise. And I think there's a lot to unpack with regards to the

[00:18:34] different roles and responsibilities with some of the things that we've talked about up until

[00:18:37] this point. So there's basically four roles, based on some of the things that came from

[00:18:44] CISA in the exercise we did, and obviously there could be more, but sort of the categories are

[00:18:50] going to be the players, those are doing the tabletop exercise or going through this simulation;

[00:18:55] there's the observers, so I think it's important, like, if you only have four or five employees in your

[00:18:59] company, it's not a bad idea to bring in a third party to participate as an observer to help fill

[00:19:05] in the gaps for roles that you might not be able to do by yourself; and then facilitators, which

[00:19:11] in the case of CCF, and I think we're going to see you at ChannelCon, no foreshadowing here, doing

[00:19:18] something similar; and then note takers. And I think perhaps the most important role, I think,

[00:19:27] in a lot of these tabletop exercises is going to be that note taker, because being able to capture

[00:19:33] emotion, the after actions. And I actually had this thought, like, maybe it's not a bad idea, especially

[00:19:39] if everybody works remote, to do some using Zoom and record it, be able to go back and look at some

[00:19:45] of the emotion and use some of that Zoom AI note taking to help with some of this, because

[00:19:50] I've done a lot of simulations and I can tell you there have been times where

[00:19:54] I really felt uncomfortable. Like, even though I knew it was a simulation, my brain was like, wow,

[00:20:00] this would be really devastating to our company if those actually happened. Yeah. Um, we record

[00:20:08] all of our tabletop exercises that we do for clients, um, and we make those recordings available,

[00:20:14] but we also use them so that our note taker can go back through and make sure that they captured,

[00:20:21] you know, occasionally there'll be an offhand comment that we want to come back to. We want to say, oh,

[00:20:27] you know, Chris said, you know, that he wouldn't know who to call next, and so we can make that an action

[00:20:34] item. And pulling, you know, the end result of the tabletop, but going through kind of the lead-up

[00:20:41] actions that happen, um, you know, we start the incident, we see what the aftermath is going to be,

[00:20:49] and then it's the lessons learned. So, you know, it's things like, you know, okay, well,

[00:20:56] we don't have a printed copy of the incident response, so that's an action item coming out of it:

[00:21:01] we have copies of that that are located in these specific areas. So, you know, making sure that

[00:21:08] that note taker is really focused, and if you don't have that note taker, record it and then go

[00:21:13] back and pull the notes yourself. You can do this as a one-person team if you have to. Yeah, I

[00:21:18] I like what you said. I think it's really important to remind everybody that the tabletop exercise

[00:21:24] is kind of like step two, or step one and a half. The after action, I think, is something that often

[00:21:31] gets missed. Like, oh yeah, we've referred to our implementation guide or our playbook and we've

[00:21:36] got this, and, like, this is just an exercise and it's make-believe, pretend, and, you know, on Mr. Rogers

[00:21:42] everything ends with happy, happy. So, like, in the make-believe world, yeah, it can be whatever you want

[00:21:48] it to be, but when we go back to reality, we've got this. And I think that's one of the things I want

[00:21:52] to point out too, and, you know, I've talked about this before: start with simple, start with easy

[00:21:58] scenarios, start with, like, I understand fully what the scenario is that is taking place and impacting

[00:22:04] our business right now; it's a possible reality. Now, using things like, oh well, our MDM would catch

[00:22:10] that, our XDR would catch that, those are not okay things to say, because the reality is this incident

[00:22:16] has happened and it's impacting your company, so that means that something else has failed. And to

[00:22:22] your point of saying the XDR would have caught this, well, it didn't, so what went wrong?

[00:22:28] So circle that XDR as part of your after action in this conversation to go look, like, oh wait,

[00:22:34] maybe it was a false positive. It's been happening, like, over and over and over again,

[00:22:38] but you categorized it wrong, and so we've got the XDR did catch it, and then you told the XDR system

[00:22:44] that, nope, you're right, it is, or I'm right, it's a false positive, you let it through, and boom, it's too late.

[00:22:50] Talk to me a little bit more. I think we touched on this a little bit.

[00:22:54] We understand the observers, they can ask questions, and I think when we look at CISA there's lots of

[00:22:59] questions that can get asked; they put libraries of them, and they follow the NIST domains with

[00:23:02] identity, identify, protect, respond, etc. I understand facilitators, that's the role that is, like, I'm

[00:23:09] in, starting this, we're making this happen, you're like the dungeon master in D&D.

[00:23:14] We've talked about the note takers, but I think one that is really important, that is easy to get

[00:23:20] upside down, and we talked about a little bit earlier, let's talk about the players. Let's talk

[00:23:23] about the roles that are in this, or in this scenario. Talk to me about things like why you would say

[00:23:29] not have the CEO, or maybe departmentalizing, having smaller tabletops at a department level, or

[00:23:37] maybe even making it like, hey, it's help desk. I don't care if there's only four people in your

[00:23:41] company, this is a help desk scenario, we're gonna play that. How do you approach that?

[00:23:47] Most IT teams, regardless of their size, feel a little bit more comfortable when you don't

[00:23:52] throw the C-suite on the first incident response policy, or sorry, the incident response tabletop

[00:23:59] exercise. There's often a sense by the time that we get to the CEO that everything should run

[00:24:06] like clockwork, and that's not actually the point of a tabletop exercise. The point of a tabletop

[00:24:12] exercise is to break it. Um, and so I would say have one that feels comfortable for your key

[00:24:20] responders. Yeah. So that would be, um, you know, the people that would be most likely to discover or

[00:24:27] have to escalate the problems, the people that it would be escalated to, and then any key

[00:24:33] decision makers, um, that would have, you know, any outreach to the vendor, or any, um, you know, who's

[00:24:41] the person that would then be communicating with the rest of the senior leadership team,

[00:24:48] so that you can kind of test out that segment of it. And then potentially bring in the C-suite

[00:24:56] folks, the legal representative, the marketing people, whoever else are going to be the

[00:25:02] enactors of some of those decisions. Um, they can then come in, but leading with a very clear

[00:25:09] example of the reason that we are doing this: our IT team has tested the incident response capacity,

[00:25:16] however, because that cannot exist in a vacuum, it's important that we test this with other decision

[00:25:23] makers in this process. And then bringing those folks in, and at that point your IT team has gotten

[00:25:30] practice, they're a little bit more comfortable with it, and they can kind of show off their skills

[00:25:34] in front of the C-suite, which always makes IT people happy. Um, and even if you don't have C-suite,

[00:25:41] if you are the CEO or the owner, take that hat off. Let this

[00:25:47] play out more from a standpoint of understanding where your bottlenecks are potentially going to

[00:25:52] come from; if you aren't there, who can make decisions on your behalf? So maybe have someone else

[00:25:58] play your role in the conversation, so that they have to think, like, okay, Sarah's not here or Chris

[00:26:05] isn't here, like, what do we do? And it reminds me of a story. Um, I'll just give you the high

[00:26:11] level, because I think it's really important, because I know it'll be an episode later

[00:26:17] in the year, um, the after-action for a really crazy incident that involved, um, it did not have anything

[00:26:24] to do with ransomware, but let's just say it involved a car rolling into a building, causing

[00:26:29] flooding. And so, like, that's the gist of it, right? Mm-hmm. And I asked the question, I'm like, well, what

[00:26:34] were the big takeaways? Like, you guys, you know, it's a great story, you know, it sounds like

[00:26:39] a little bit of a fairy tale outcome, of, like, the, you know, everybody wins kind of thing. And he goes,

[00:26:45] the after-action was, uh, we procrastinated too long. And I'm like, wow, that's a really big,

[00:26:51] yeah, that's a huge observation to have, especially at the owner or C-suite level, to say

[00:26:57] we procrastinated. Like, when you think about what we're talking about here in a tabletop exercise,

[00:27:02] every second counts, every minute counts, right? I think that's a really interesting observation, like,

[00:27:08] we were too slow in the way we handled the situation. Um, and I think that's a great observation to

[00:27:13] have, but I think there's also the flip side. I don't necessarily think that it's called procrastination;

[00:27:19] I think maybe it was like some of the pieces weren't where they needed to be, because I also don't

[00:27:23] want someone to go, I'm calling, I'm calling the attorney. Yeah, yeah, don't pull the stop-

[00:27:29] the-train chain, yeah, for something that might not be required. Oh, it's saying that we need

[00:27:35] to patch the system, got it wrong, I was looking at the wrong board, my bad. Yeah, well, and this is

[00:27:42] one of the reasons why having a chain of escalation is really critical as well, um, because we can

[00:27:48] get caught up in, oh, we think that this is a really significant issue, when in reality it might

[00:27:54] not be, or there might be a valid reason for it that we just didn't know because we're not in the

[00:27:59] right department or the right team. So, um, giving people an opportunity to test it out is really the

[00:28:07] important part of it. Um, I did a tabletop exercise not too long ago and the client was just like, well,

[00:28:13] you know, we haven't seen something like this happen in X number of years. And I did not

[00:28:19] say it in the moment because it wasn't the right time, sure, but I wanted to say, well, nobody planned

[00:28:24] for a pandemic with any significance prior to 2020, because that would never happen, and here we are.

[00:28:33] And no joke, but, like, people still have fax machines, and quite honestly the evolution of the

[00:28:40] Nigerian prince asking for help still exists, both in the form of the fax machine and in every

[00:28:46] iteration that we see come through via email. So that would tell me that, well, the incident to your

[00:28:52] organization may be true today; one word change, one sort of slip-up, or one sort of, like, oh, that

[00:28:59] looks like a shiny object I should click on, and it makes it different than what you thought could

[00:29:04] ever happen to your organization. Yeah, I mean, when we look at, like, the MGM hack, that was, you know,

[00:29:11] that was ostensibly by the book. Um, you know, like, nobody was specifically totally to blame, right,

[00:29:21] you know, like, nobody internally. That is a mistake that I would wager over 50% of IT help desk support

[00:29:29] would have said, oh no, this is legit. Yeah. So, you know, it's like, we can have all of the best intent

[00:29:36] in the world, you can have all of the best tools in the world, it doesn't mean that

[00:29:42] you have future-proofing for incidents. Um, so there's two more things I want to cover. One

[00:29:48] I'll just glaze over: the facilitation rule. I mean, I'm not gonna give all the details here; it'll

[00:29:54] come out again later, I'm sure, for most people. But the facilitation exercise, that part of it, is

[00:30:00] to remind everybody: don't use make-believe scenarios, you know, the skydiver, the shark jumping out

[00:30:06] of the water. Even if it could possibly happen, don't ever start with scenarios that are difficult

[00:30:13] to approach. I've had some crazy ones happen in my career, both as a tech director and

[00:30:20] CISO and in other job roles. Sarah, you and I have both experienced some of those together,

[00:30:26] but there's no fault, there are no dumb suggestions, unless you're genuinely trying to be, you know,

[00:30:32] funny, and then that, I think, needs to be dealt with, because in a tabletop exercise

[00:30:38] there's a lot of money on the table, right? Like, a simulation with all your staff in the room,

[00:30:43] you're not talking to clients, you're not, you know, prospecting and taking on new leads. This is an

[00:30:48] internal conversation that you're spending money on your staff to be there for, so make sure you make

[00:30:53] the most of it. And then the second thing that I wanted to talk about, and this is probably what we

[00:30:59] can use to wrap up this call, or this episode, is: let's talk about what merits

[00:31:07] classifying an incident. I think that's one that often gets overlooked and often misused, and

[00:31:14] we can all laugh about the example of, like, the phone rings and whoever answers the phone is like, "oh

[00:31:19] yeah, the breach, yeah, hold on, they're in the conference room talking about it right

[00:31:23] now, let me patch you through." Those are not good things to say out loud. Yeah, I think more

[00:31:30] than that, understanding why you shouldn't use that word is where this comes into play, and

[00:31:35] other words as well. Yeah, and this, I would say, is critical in your incident response policy

[00:31:42] and in your incident response plan: who is allowed to use that word? Are we training everybody

[00:31:50] in the company to not use that word and not speak to anybody externally? Yeah. Do we all

[00:31:58] understand what an incident constitutes? And an incident can be constituted by different qualifications

[00:32:05] depending on your organization, sure, but understanding that the term "incident" means that it is a

[00:32:12] violation of security policies, either suspected or in truth, and that is different from a breach,

[00:32:19] because a breach now brings you into responsibilities to other people, responsibilities to the

[00:32:25] government to report. You know, there are a number of things that that means, and this is where

[00:32:32] a good policy should delineate all of that, so that it's right in front of you, everybody's being

[00:32:38] educated on what those terms mean and who gets to use them. In many organizations, the only person who

[00:32:47] can declare an incident is somebody who is at, like, a director level of IT, or the CISO, or the CTO,

[00:32:56] and they limit that to that person specifically to try to avoid those kinds of

[00:33:03] traps that we get caught in when somebody opens it up and says a word too early. Yeah.

[00:33:08] So along those lines, I think what we're really getting at today is we're mostly talking about

[00:33:14] cyber incidents, which would be "incident," but, like, tabletop exercises, if you want to start and

[00:33:20] not jump all the way to cyber incidents, you know, flooding, storms, that, you know,

[00:33:27] having a server be no longer available because it got flooded with water, that's not

[00:33:34] what we're referring to when we start talking about security incidents and when we would call out a

[00:33:39] breach. But it doesn't mean you can't start with an incident response plan or talk through your

[00:33:44] business continuity plans and use some things that maybe are easier to talk through, and then build

[00:33:51] up to doing one that's more cyber-specific, so that you're not, like, having to overwhelm my team

[00:33:56] by coming in there and saying, "hey, let's talk through, you know, ransomware just hit client

[00:34:00] Acme Corporation, and what do we do," and they're like, "that should never happen because we've done all of

[00:34:07] these things." It's like, okay, that's fair, I understand where you're coming from, so let's do one that's more

[00:34:12] likely to happen from your perspective on round one. Like, so the, you know, fill in the blank, right?

[00:34:20] There's plenty of justice still. I mean, I like stolen laptop, that's a good one. You know, like,

[00:34:26] particularly if it's senior leadership, somebody who's got that, you know, like, okay, how do we,

[00:34:30] what is our order of operations if we have a laptop that's reported stolen?

[00:34:35] Encrypted? Let's check, right? Yeah, you immediately, like, "oh no." Yeah, yeah. Do you have encryption

[00:34:41] on it? Awesome, okay, great. So this is not so much of an incident, but we still need to report it.

[00:34:46] How do we do the reporting? So you do get to kind of have a cradle-to-grave with it. You know,

[00:34:52] definitions are critical, right? That's, you just are highlighting some of the things that,

[00:34:56] like, okay, well, what does that mean to report? What are we reporting? What's relevant? Don't

[00:35:00] share more than you need to. Yeah, exactly. Just because you have a responsibility to report incidents

[00:35:07] to the DoD within 72 hours, it's like, does that mean that you report a stolen laptop? Well, that depends,

[00:35:13] you know. So we get to kind of practice it on smaller areas. Another one that

[00:35:19] is, that said, yeah, well, I mean, file servers: what happens if your file server goes down?

[00:35:26] You know, that could dovetail into a, you know, backup recovery exercise,

[00:35:33] so you can pick things out that would help improve your security posture without necessarily

[00:35:40] going to the red alert. Yeah, I like that. I think, because again, we're trying to raise

[00:35:46] the level of maturity with this process and doing a tabletop exercise, as opposed to, "hey guys,

[00:35:52] if you want to get lunch today you're gonna get this right." We know that that's not the goal.

[00:35:56] We want to see some level of failure and stumbling in this process, because that means

[00:36:02] we're highlighting areas that we need to improve upon. And I can honestly say that if you do the

[00:36:08] tabletop exercise and you really went through the motions and the entire exercise, and there really

[00:36:13] wasn't a lot of change that needs to be made, awesome, then it's time to mature the exercise to

[00:36:18] something that's a little bit more difficult than the one you just went through. Yeah, well, and if

[00:36:23] you're not revamping it on a regular basis, you're not staying current with your tech stack, you're

[00:36:29] not staying current with your processes. Sure. So this is not a one-and-done by any stretch of the

[00:36:34] imagination. Well, I think that's a good place to just wrap this up. Sarah, any last thoughts to share

[00:36:40] with the audience before we send them on their way late in the week? Look at tabletop exercises as

[00:36:49] an opportunity for exploration and growth, as opposed to "you have to be perfect," because there are

[00:36:57] always lessons learned, there are always business opportunities that come up as a result of it.

[00:37:03] When we look at it as "what can we learn about ourselves and how can we grow," it becomes an amazing

[00:37:08] process. Sarah, well said, and thank you for being on the show. For those of you listening, this has

[00:37:13] been an episode of 1337. Thanks, have a great week.