Many firms are struggling with the task of reinforcing posture or complete ‘reposturing’. Part of this is due to the need to create, test and continually review the documentation for security, and incident response programs including ‘playbooks’. Another part is due to change in personnel in key roles: Key team leaders and senior security managers leaving post or the organization during a three year posturing cycle leave important vacuums in the collective knowledge base and organizational learning bank that has been built up over time, and while implementing security and resilience planning or initiatives. The continuity of staffing is critical to organizational learning particularly where there has been ‘real-world’ experience of cyber attacks, or regular war games which have developed a more advanced understanding of what a good incident response capability looks like.
The challenge faced by the organization is the balance between the written doctrine, and the unwritten or ‘oral doctrine’ that develops naturally and in tandem with a degree of more acute intuition as experience is gained and incident response capabilities improve. For many less mature firms that have incomplete incident response capabilities the written doctrine will be more succinct to reflect the limited options they have. A well prepared and ‘thumbed’ playbook is a key indicator of maturity to a higher level.
But there are challenges with a meticulously written doctrine, not least because it is difficult to digest, requires regular exercising to check assumptions and efficacy, and can be rigidly pre-prescriptive. This can all stifle real-time innovation when dealing with a major security breach, when a degree of agility and ‘thinking on your feet’ can be required when security principles are faced with an attack they do not recognize. But it is very rare outside the defense sector to find such ‘real-time’ innovation.
The trade-offs between the written and the oral doctrine are complex. Oral doctrine tends to evolve from doctrinal discussions, as a result of investment in new capability [particularly technology or a SOC], and from the lessons of war games when ad hoc solutions have been developed to different problems. Often as a product of tested original thinking, it can allow for greater flexibility in its application. By definition however, oral doctrine is much more difficult to pass on or propagate, and best known to those that were party to its development. Problematic to the oral doctrine is that it allows for different interpretations, relies on the understanding of ‘advanced defender’ and can be more or less relevant, according to specific circumstances or a point-in-time situation. Oral doctrine becomes common-place where there are subtle changes to an established approach on the basis of new ‘what-if’ considerations, and where no one has undertaken to update the existing written doctrine or concepts, or warning and decision making to reflect a new reality.
Establishing a proper written doctrine allows a new security principle to join a team and appreciate where the team has reached and how it got there in terms of its preparation and planning and readiness. For a new CISO it is natural to want to see if the capabilities are ‘real’ and how effective the doctrine & planning is; and how much survives ‘first contact with the enemy’, especially a nation state or a terrorist proxy [don’t underestimate the cyber militia of the Middle East]. From there he/she can more readily assess what failed and why, before introducing sweeping or wholesale changes in doctrine, or at least do so for the right reasons with sensitivity to what has evolved in the recent past. But this speaks to the importance of having an oversight function that can ensure against a dangerous loss of continuity.
A new CISO who brings his own doctrine, preferences, and experience with him can sometimes lead a step back down
the maturity ladder eg. From trying to be ‘anticipatory’ [level 4 on the Optimal Risk Maturity Model] to be ‘risk-focused’ and concentrate on being able to ‘handle the basics by the book’. [For more information about Optimal Risk’s Maturity Model download at http://www.optimalrisk.com/Information-Risk-Security-Consulting/Cyber-Readiness-Services
Conversely we sometimes see firms launch themselves as many as two steps up, having previously been ‘compliant’ [level 2] they leapfrog being simply ‘risk-focused’ and set their maturity target at become proactively ‘anticipatory’, adopting threat intelligence, and trying to think like a hacker. Whether this is achieved and how it is achieved, or why it is not achieved, often comes down to the degree of program oversight, and the priorities that the oversight program sets for itself
Combining the parallel dynamics of developing effective doctrine, enhancing capability, and updating the various components of planning & doctrine with all the policy, procedure, and process elements will inevitably leave gaps which the oversight function must seek out. This however is not about having a keen eye for gaps, but is much more about having a well-structured program with all the appropriate components for Monitoring, Improvement, and Management as three distinct activities. The aim here is not only to develop resilience by introducing good capability, but to ensure sustainability and continuous improvement.
The key to successful oversight beyond the considerable hurdle of gaining board-level endorsement and sponsorship of the program, is to introduce management infrastructure, and procedures that will provide the right governance & direction. The basis of effective governance in this instance is less about expert review [as such experts are rarely available to sit on a committee and are employing their skills where they are more needed]. It is more about senior managers that know how to direct the process, asking the right questions of the right people, and making sure that there is a sound basis for answers.
As we charge towards Cyber Awareness Month, CISOs should be asking themselves whether they are ready for a serious breach incident, and whether all aspects of their doctrine are understood by everyone that needs to know them, especially new members of the team. If in doubt, question when the playbook was last refined, and how. Was it exercised against a high-impact scenario, and has the learning been properly assimilated.
For more information about developing program oversight and effective governance contact firstname.lastname@example.org