After almost two decades of working globally, consulting on risk and cybersecurity, Shannon Sedgwick has keen insight into what makes an organisation both protected against and resilient to cyber threats. He focuses on cyber risk governance and provides strategic advice to executive leadership and boards on this evolving area.
He is passionate about helping clients manage their information and technology risks and future-proof their organisations against cyber threats. He has extensive experience working in financial services, critical infrastructure, defence, and government.
Over the past 18 months, there has been an increase in the number of cyber security breaches that have affected everyday Australians. What are the best practices available to organisations to address internal and external threats?
The three best practices that come to mind are data governance, supply chain risk, and incident response.
First is data governance, which involves mapping your organisation's data, understanding the level of criticality and sensitivity of that data, and knowing where customers' information, particularly personal identifying information and health-related information, is located. It is hugely important to understand where that is, who has access to it, and how long you should store it from a legal and ethical perspective.
The second-best practice is around supply chain risk, which includes third- and even fourth-party risk management. Again, like what we've done with our data, we've mapped it according to its criticality to the organisation.
For critical vendors, we have to apply an even keener eye and analysis on their level of cybersecurity maturity, particularly if they have access to our critical systems and our sensitive data. We must have a stronger analysis and a stronger set of standards to hold them to. Often, if it's a smaller vendor, we may have to help them uplift to reach an acceptable maturity level.
Third, incident response best practices must be addressed. If something goes wrong, as it invariably will despite best efforts, organisations need to have a rehearsed incident response plan and incident-specific playbooks to refer to in the event of a ransomware attack, DDoS attack, or business email compromise. They must know what to do in each scenario, including people's roles and responsibilities, who to call and when, and the details of external counsel, external forensic investigators, and incident responders.
We know that prevention is better than a cure, no matter the size of the organisation or industry sector. But sometimes incidents will occur, regardless of an organisation's preventive efforts. What is the best practice incident response?
Organisations must consider a cyber incident's possible financial and reputational impact should it be mishandled. Yet, across the entire spectrum of many organisations, there is a misunderstanding of how to respond to a cyber incident. Many organisations think that having a high-level incident response plan is a panacea or a cure-all for all of their cybersecurity ills. But what they don't often have are incident-specific playbooks. These are necessary because the response to a ransomware incident materially differs from the response to a business email compromise. Likewise, the playbooks need pre-prepared draft stakeholder communications that are ready to employ when it is time to disclose the nature and implication of a breach to stakeholders.
The playbooks must be specific to an organisation and rehearsed to ensure they work for their environment. A 'copied and pasted' plan will not work because it's not specific to the organisation and has not had the organisation's team, such as IT, risk, the board, counsel, and insurers, involved in creating it.
What have you observed in relation to board management of a cyber breach?
Boards tend to look for information and may ask for hourly updates from the highly stressed and overworked IT and cyber teams. However, when an incident occurs, information is scarce - all you know is that something's gone wrong and it is being investigated.
The board may inadvertently slow down the investigation. This places additional stress on the responding team, and while well-intentioned, it doesn't help because the responders may have no assurance of what's been accessed, how the threat actor got in, or the severity of the breach for weeks.
Investigations take a long time, and finding a balance between disclosing too early or avoiding disclosure and potentially appearing to obfuscate the truth while giving assurance to the various stakeholders is very difficult.
Rehearsing incident response is the only way to understand the operational realities of incident response at the board level through an organisation to a tactical level.
A cyber incident puts enormous pressure on leadership and the response team. Do leaders clearly understand the stress involved in dealing with a cyber threat and the impact on the cyber response team?
Many leaders do not clearly understand the daily stress IT and security teams are under.
Mental health in the security industry is a significant issue. There's burnout and a lack of resources to meet the growing demand for cybersecurity. It is a stressful job, particularly at a leadership level, because the blame often falls on the long-suffering chief information security officer if something goes wrong.
IT security is a stressful position to be in day in and day out, let alone when an incident happens. The team has done their best with the resources and the budget allocated to them, which is almost always insufficient. They have to do their best with what they've been given.
What do the board and senior management need to consider when supporting the emotional load on the team?
The board and senior management can offer support and show that they care by enquiring about the type of resources needed in the event of an incident, including: Will the team be working in shifts? Where are they going to sleep? When are they going to see their family? Have they got healthy food to eat?
When a team is already stressed with the 'business as usual' demands of the job, then during the incident, this stress increases dramatically. They will focus on doing their best to recover, remediate, and get the business back to usual operations and, potentially, remove the threat actor from their systems.
Boards and senior management must consider whether they will get accurate or timely information from a stressed and burned-out workforce. Such information is relied upon to inform the market and the regulator. If inaccurate, there can be consequences, including for the organisation's reputation.
The response team needs to know that the leadership has their back and that they've got all the support – including bringing in external vendors to alleviate the pressure – that they need to do a good job.