How should organisations be changing their Incident Response planning because of the pandemic?

"You don't need a plan.  You need the capability to respond.  You don't get the capability to respond from a plan."

Ahead of teissR3 | Resilience, Response and Recovery Online Summit 2020, Vicki Gavin, The Cyber Coach at The Cyber Rescue Alliance, talks to Sooraj Shah about incident response and crisis planning post-COVID-19, and practising your response.

teissR3, taking place 15th - 24th September 2020, is the leading event focusing on how you improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world. Register your place by clicking here.

Video transcript

So how should organisations be changing their incident response planning because of the pandemic?

So I don't think that organisations should actually be changing their planning. And I think that's where an awful lot of organisations get it wrong. They have an incident response plan. But you don't need a plan.

What you need is a capability to respond. And you don't get a capability to respond from reading a plan. I mean, plans are a good way to document what you've discussed. But ultimately, the way that you develop a capability is by doing something.

And generally we call that crisis exercising or crisis simulations. There are a variety of names. But it's actually going through the motions of thinking about a particular type of event and talking as a group about how you're going to respond to it.

When you do that, it does a couple of things. First of all, it embeds it in your memory. But secondly, it allows a group of people who are going to have to respond together to develop a shared risk appetite around a particular type of event. Now, I'm going to assume that organisations have been doing that all along.

Where it gets a little different with everybody working remotely is that we're not sitting around a table doing this together anymore. And there's a real tendency, because we're in the midst of a crisis, to think that, well, that's it. We only have to plan for this one.

But you know what? Crises happen even when you don't want them. And lots of stuff can still go wrong now. Executive teams and IT response teams need to be sitting down together electronically to talk through, well, what if this bad thing happened? What would we do? How would we handle that?

If they're not-- and I don't know a lot of organisations who have really started thinking about continuing developing a response capability-- but they're just asking for trouble. So many things can go wrong. What if we have a major power outage? What if the internet goes down? What if there's a good, old-fashioned flood?

All of the stuff that could have gone wrong before can still go wrong today. So if you haven't already done it, you need to get out there and start exercising and developing your response capability.

Is there anything that could go wrong now that would have more of an impact than perhaps it would have previously? So I mean, obviously everyone's remote working, so perhaps something that would take down the remote workforce? Are there things, the sort of thing you're talking about, that they have to plan for everything?

So each organisation will be different. Each organisation will have different things that they're worrying about and different things that they need to prepare for. I can't tell them what is right for them. They have to decide that.

But any executive team, if they sit down, they'll tell you what the top five things that they're worried about are. Those are the things they need to exercise. Well, what if it happened? What if the thing we're worried about really came true?

It's only by tailoring it to your organisation that you're going to get value out of it. If you say, well, Vicki said, do this, chances are, it's not going to be the thing that's going to get you the most value.