Cyber Risk Management: Conducting Exercises (Part 1 of 3)

Today’s post begins the fifth part of our ongoing series on applying the Preparedness Cycle to Cyber Risk Management. This installment is the start of a three-part mini-series within the series, addressing the planning and conduct of exercises. The complete post and series can be accessed via our friends at SurfWatch Labs and their blog (read parts one, two, three, and four there). Excerpts follow.

…this post addresses what is probably the most fun part of preparedness — exercises! A championship football team needs to be complete — with great linemen to fight in the trenches, defensive players to dominate their side of the ball, skills players and special teams to razzle and dazzle and put up points, and then there’s the quarterback — the attention getting centerpiece of nearly every team. Champions in preparedness also need to have success through every part of the Preparedness Cycle — the continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — but exercises, like quarterbacks, seem to always garner a lot of attention and can be seen to make or break the rest of the program.

To help highlight some areas with expert insight, I’ve asked a colleague to share some wisdom as well. Several areas below include comments from my colleague, Gary Benedict, who serves as the Section Chief of the Department of Homeland Security’s National Cyber Exercise & Planning Program.

… One important idea to understand is that an effective exercise program should progress through a series of successive and increasingly complex exercises leading up to the desired level of proficiency and preparedness. “This progressive approach, with exercises that build upon each other and are supported at each step with training resources, will ensure that organizations do not rush into a full-scale exercise too quickly. Effective planning of exercises and integration of the necessary training will reduce the waste of limited exercise resources and serve to address known shortfalls prior to the conduct of the exercise” (HSEEP).

In planning the progressive schedule of exercises, it is important that exercises are conducted at a cadence that allows organizations to learn from previous exercises and make appropriate procedural refinements before engaging in more challenging exercises.

… From his years of experience in cyber and physical security exercises, Gary adds that the progressive, “building block approach should be documented into a multi-year Training and Exercise strategy (which we referred to in part two of this series under Preparedness Planning). A critical component to the success of this approach is also having senior leadership approval and buy-in. Exercise strategy can be influenced by organizational ongoing risk analysis, so exercise planners should allow some flexibility in the strategy to be adjusted as the risk landscape evolves.”

To read the complete post, continue to SurfWatch Labs: “Preparedness & Cyber Risk Reduction Part Five A: Intro to Exercises”


This series is being written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.