Why Resilience Fails - Part Two

No one should ever suggest that resilience is easy, and dealing with a major breach is not easy. There are five main issues which firms struggle with, that I see particularly in larger organisations.
The first is Complexity, and the second is Integration:
We have lots of moving parts in security, planning, technology, management, and preparing resilience. This brings complexity and there are typically problems on any given day with the way technology, methods, procedures and policy all interlock or integrate and the way people collaborate. If we want to look for the place where the majority of security failure is found, it is in this nexus of complexity and integration, and it is the simple truth of the industry we live in.
In their own right, each of the functions of incident response are complex. Some more technology-heavy, some more procedural, and some require very human skills. If we then consider them within the context of the people that have to work together to deliver resilience in a crisis, we have different types of teams, different types of skills, different seniorities, with different perspectives and roles. They may be in different parts of the world, may speak different languages, some longer-established than others, and some are more familiar and comfortable, working with others teams. Getting different teams to work together, understand eachother, and report or communicate effectively when they may only do so once or twice a year is a huge problem, and this presents compelling reasons why team must practice.
When we start to look at reasons why incident response fails, we start to encounter other things like Escalation: Firms may be able to do the basics right most of the time but when they are faced with an escalating scenario that they are not familiar with, things start to go wrong when plans and playbooks don’t match the circumstances, and people don’t know how to adapt.
This points to the issue of Anticipation: Putting aside ‘probabilities’ if a particular threat or form of attack is plausable then there is grounds to expect that firms should have developed some scenario-based understanding around it, and that should have provided some insight into the true nature of the risk, and what to do about it….and it should have generated some foresight. No one is suggesting that we can foresee the future in detail, but there is enough expertise around to support horizon scanning exercises and scenario games to prepare companies for ‘what happens if…’  The key point here is that we deal with ‘surprises’ differently, depending on whether they were completely unexpected, or whether they could have been, or should have been expected ‘under the circumstances’.
Finally there is interpretation: Buying intelligence and conducting analysis is relevant, but at a micro level, interpretation is about knowing how to work with intelligence, sometimes how to work without it. Interpretation also means how to conduct effective analysis often with incomplete information, how to interpret events or information, and then generate actionable judgments. In an incident response situation we talk about ‘connecting the dots’ to create a sketch of the true situation. Interpretation also refers to knowing which dots to connect, in which order, to draw accurate conclusions about cause-and-effect and then how to generate genuine knowledge and learning from that, and then how to carry the knowledge forward into the future in a way that will improve response or resilience.  Many human failures can be traced to not being able to Think Clearly Under Pressure.
Beyond all these issues are senior management failures, presented in this graphic, that are more fundamental to why companies are not doing enough, not doing enough right, and not doing enough right now about cyber resilience. Managerial problems ultimately mean that basic conditions for success were absent and the seeds of failure were present from the start: Hence Resilience was never likely to work, was never understood, never fully supported and funded properly. So it should come as no surprise that resilience is not planned or developed properly, and even if it has been, it was never implemented properly.
Ultimately some firms care more than others about their resilience as an evolutionary process, and there are the good, the bad and the ugly.
For those that that DO care, a regular maturity assessment highlights what they need to know about their resilience, potential points of failure, and what they need to prioritize about improvement.
Beyond examining the aspect of proper planning & preparation and different aspects of each capability that can be examined through an audit-type approach, a ‘live firing’ exercise or war game to some extent will help you ‘find your breaking point’, or establish a yardstick of how sophisticated does the attack or the attacker have to be before your resilience fails.
Alternatively you can see the attack simulation aspects as a way of identifying whether you are going to fail because of ‘the basics’ and ‘you should have known better’, or the conditions under which you fail. So under normal circumstances you are capable of doing something, but under certain conditions of pressure and uncertainty some simple tasks can become quite complex.
Or finally is assesses whether there is a ‘maturity’ to your grasp of how to use certain capabilities or skills. On paper you may have boxes ticked, but when it comes to the crunch, do you really know how to operate like an ‘advanced user’ rather than a novice. Whatever you want to read into this, different perspectives emerge about the effectiveness of deployed technologies, methodologies, and skills.
There has been more effort to move organizations away from being reactive and to promote risk-aware or risk-informed processes. Some consultants draw more attention to being proactive, adopting an attacker perspective, being more threat informed, and being more self-aware. Few firms can realistically expect to push rapidly towards a utopian situation of being truly innovative, but being able to improvise well, and being able to deal with the unexpected in real time takes skills, understanding and experience which can be hard to find in abundance so there is all the more reason to exercise.

Contact us about your next Cyber Readiness Assessment or Cyber Resilience Assessment at enquiries@optimalrisk.com
Posted: 28 May 2015 by Optimal Risk Admin | with 0 comments
Filed under: assessment, cyber, incident, maturity, readiness, resilience, response, security