Cyber Risk Management: Preparedness and Operational Planning

This is the second in a short series we’re writing for our friends at SurfWatch Labs on applying the Preparedness Cycle to Cyber Risk Management (read part one here).

There are a number of ways to mitigate risks. In some instances, we assess the risk as low or the cost of mitigation as too much, and we decide not to do anything at all, accepting the risks and moving on. In some cases, we get insurance to help manage the potential consequences of an incident. In some cases, we determine to take preparedness actions to decrease risks. In those cases, preparedness – planning, as well as training and exercises – needs to be thought of like insurance in that you don’t pay insurance once and stop. You pay it month in and month out, use it or not. Same thing with preparedness. It needs to be scheduled and recurring. Plan for it, do it regularly, keep doing it. With our insurance bill, we plan for it, allocating time and resources to make sure we pay it. Again, with preparedness, we need to plan our activities and set aside the time and resources to conduct them…

… In both physical and cybersecurity, and for pandemics and other threats — it is great to have detailed plans and protocols. However, no organization can get to a 100% solution for every situation. Having plans is important but so is building in flexibility and innovation… Your plan is almost never going to be based on the exact situation you find yourself in. Plan well, be deliberate, but also be prepared for a little bit of backyard football, being able to make game time decisions when needed. Matt Stafford’s coaches don’t tell him to throw that sidearm ball, but sometimes, he has to adjust to get the ball in his receiver’s hands. Know the right form, but be ready to toss the sidearm when you have to.

To read the complete post, continue to SurfWatch Labs: “Preparedness & Cyber Risk Reduction Part Two: Preparedness and Operational Planning” 

This series is being written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.