Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Bloomberg BNA Privacy & Data Security News Managing Editor Donald G. Aplin posed a series of questions to Booz Allen Hamilton Executive Vice President Angela Messer, who leads the Predictive Intelligence Business in the firm's Strategic Innovation Group, about how companies can plan for and effectively respond to cybersecurity incidents.
Do you think your background as a military officer and work with the defense community helps you in addressing cybersecurity, where not too surprisingly military terminology often seems to come to the fore?Angela Messer:
Yes, but I would not base it on the common use of military terminology in cyber alone. Military service also provides veterans with the understanding about the importance of security and cyber’s impact to mission. In addition, being employed in the defense industry provides a background that emphasizes the power of predictive analytics to get ahead of the problem rather than reacting to it after the fact.
My further experience in both sectors has also shown the importance of the people who are behind the scenes playing a key role in securing our networks, and not just the technology we use to do it.
I have heard you emphasize that it “takes a village” to effectively address cyberattacks. Would you expand a bit on what you mean by that?Messer:
It takes a community with diverse skillsets and experiences to understand an adversary’s motivations and develop effective countermeasures in cybersecurity. This certainly includes the technical skills we normally talk about, but also non-traditional skills like intelligence analysis, big data analysis (Data Science), psychology, law and many others. In addition it requires these experts to share information in real time to create a “virtual village.”
Additionally, when responding to a cyberattack within an organization, key stakeholders throughout the organization need to be part of the solution as a member of the Incident Response Team. Why? Because a data breach and cyberattack can be an operations problem, a customer problem, an intellectual capital/intellectual property loss problem, a lost revenue problem, a brand problem and a communications & public relations problem—not just a security and technology problem. It takes a “village” even within an organization to solve these issues to include business leaders, technologists, security experts, public relations, legal, human resources and other C-suite leaders. Even a third party with subject matter expertise should be part of the “village” in the Incident Response Team.
Companies should reach broadly within the institution to create a breach response team which is able to make decisions in near real time on issues that impact the business of the organization.
Do you work with companies to provide the kind of simulated cyberattack response/wargaming exercises that helps build an effective village response?Messer:
One of the things we are most proud of is our cyber wargame and exercise practice. We’ve been at the forefront of using wargames to help companies prepare for and respond to complex cyber events. Far too often we see companies stumble, whether it be from media scrutiny or an inability to conduct business—companies that practice their responses in wargames or exercises are simply better prepared to respond to these challenges. Wargames provide a unique opportunity for stakeholders from across a company to come together and build a shared understanding of the challenges and opportunities they will face – it is from this shared understanding that the village emerges.
Over the past five years we have conducted more than 50 of these wargames and exercises for companies across the financial services, energy, health, retail and manufacturing sectors—couple that with our work supporting such government clients as the Department of Homeland Security, the Department of Defense and other civilian agencies. We’ve built a village that spans the public and private sectors.
What do you think are the most important two or three things that companies should be doing in the first 24 hours after discovering a cybersecurity incident?Messer:
Activating their cyber response plan. If they don’t have a cyber response plan already, then they are behind. These plans should be developed before the crisis and exercised regularly. One of the best ways to do this is through wargames. This plan should include the roles and responsibilities of the C-suite and should be led by the chief executive officer or chief operating office, not the chief information officer/chief information security officer since ultimately this is a business operation. The crisis action team should be stood up and report regularly to all stakeholders.
Companies should reach broadly within the institution to create a breach response team which is able to make decisions in near real time on issues that impact the business of the organization. Often, the team that organically comes together is focused on the technical aspects of the breach —this is necessary, but not sufficient. Frequently the lack of business leader involvement (chief privacy officer, COO, CEO, legal and corporate communications executives) is the source of downstream issues. To effectively deal with a breach, technology executives need to inform business leaders to enable potentially rapid and far reaching decisions in a way that is not required by the normal course of business. If you haven’t planned for this and practiced it, your odds of pulling it off in early hours of a high steaks breach are not good. The key is a commonly held value and mindset that all the elements of organizational capability need to be aligned and focused on the threat and an integrated solution.
The plan should be adjusted to meet the realities of the incident, and clear communication should be maintained with all stakeholders (internal to the organization like employees and managers and external to the organization like shareholders and business partners). Lessons learned should be gathered continuously through the process to ensure systemic changes are made to prevent similar incidents from happening again.
Is there any particular legislation, if any, that you feel is most needed to help companies better address cybersecurity issues?Messer:
Solutions to complex problems usually cross boundaries and cyber is no exception. The outcomes expected by the American public need to be co-produced by the government and the private sector.
It would be helpful to both the industry and the government if Congress passes the Cybersecurity Information Sharing Act (CISA), which would facilitate cyber threat information sharing. Today, there is legal uncertainty about the types of cyber threat information private parties can share with each other, as well as with the government. There is also a lack of clarity as to the types of actions private parties, and their outside vendors, can take to protect against cyber threats without running afoul of federal law. Passage of CISA would provide much needed clarity in these areas.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)