10 Common Flaws in Incident Response Plans: Flaw #6 – Leveraging External Expertise

Alex Waintraub, with Israel Bryski
This blog series by Alex Waintraub mirrors the SafeHouse Podcast on the 10 Common Flaws in Incident Response Plans.

No organization can possess all the expertise and resources required to combat the constantly changing threats from cyber attackers. Recognizing this, savvy security leaders understand the importance of strategically engaging external third-party providers to enhance their incident response capabilities. As Israel Bryski, Chief Information Security Officer at MIO Partners, explains, the key lies in identifying the right partners and leveraging their specialized expertise to maximize the effectiveness of your incident response plan. Israel joins Alex Waintraub in this blog to explore how to mitigate risk when leveraging external expertise. Listen to the podcast here:


Selecting the Right External Partners

When it comes to building a robust incident response strategy, the selection of external partners is crucial. Bryski emphasizes the value of peer validation, encouraging organizations to reach out to their industry counterparts and learn from their experiences. “Speaking to peers, speaking to friends in the industry, find out the companies, the names of the companies that they’re using and why they selected them,” he advises. This approach not only saves time and resources but also provides the confidence that the chosen providers possess the necessary expertise and track record to handle the challenges at hand.

Establishing Retainer Agreements

Bryski’s own experience at MIO Partners, a $25 billion asset management firm, provides a valuable blueprint for leveraging external expertise. The organization has established retainer agreements with four key providers to ensure immediate access to critical resources in the event of a cybersecurity incident or breach:

  • External Counsel: A law firm with a strong technology background, well-versed in all things cyber-related.
  • Crisis Communications: A specialized firm to handle public relations and crisis communications, including interactions with regulators and clients.
  • Digital Forensics: A dedicated incident response and digital forensics provider.
  • Ransomware Negotiation: A specialized firm experienced in negotiating with ransomware threat actors and facilitating payments on the organization’s behalf.

By having these experts on retainer, MIO Partners ensures that the necessary resources and decision-makers are readily available when an incident occurs, enabling a more coordinated and efficient response.

Proactive Engagement and Tabletop Exercises

Bryski emphasizes the importance of proactive engagement with external partners, even before an incident arises. He describes how MIO Partners regularly conducts tabletop exercises, involving all the key external providers, to simulate potential scenarios and ensure everyone is aligned on roles, responsibilities, and decision-making processes.

“The idea is it’s very clear going into an incident, and of course you train on it, you practice it in your tabletop, so that when there’s a real incident and we’re in a war room it’s very clear: okay, you, CEO, you need to tell me, based on what we’ve been informed by our forensics team or the team that’s involved in negotiating with the threat actors, do we pay or do we not pay.”

These tabletop exercises not only prepare the organization for the chaos of a real incident but also serve to demonstrate to senior management the value and capabilities of the external partners, securing the necessary buy-in and support for the incident response program.

Navigating the Chaos of a Real Incident

Bryski acknowledges that even with the best-laid plans, a real-world incident can be chaotic and unpredictable. He cautions against the temptation to fall into “hero mode,” emphasizing the importance of pacing the response team and ensuring proper rotation and rest periods to avoid burnout.

“The idea is NOT to burn out! Ensure there’s proper rotation within the security team so people could take a break.” Israel continues, “I’ve heard stories of people burning out spending three days with no sleep, no food, sitting in a war room, and it’s not good for you, your mental health, your regular health, or for your company if you can’t function properly.”

By empowering the response team and cross-training them to handle different responsibilities, organizations can bring more control to the chaos, allowing security professionals to make informed decisions and maintain their effectiveness throughout the incident.

Conclusion

The strategic engagement of external expertise is a critical component of a comprehensive incident response plan. By leveraging the specialized knowledge and capabilities of trusted third-party providers, organizations can enhance their ability to respond to and recover from cyber incidents, ultimately safeguarding their operations, reputation, and stakeholders. As Bryski’s insights demonstrate, the key lies in thoughtful partner selection, proactive engagement, and a commitment to maintaining a resilient and adaptable incident response strategy.