The CISO and Crisis Management

?

In the wake of last Fall's ransomware attacks on Las Vegas casinos and entertainment complexes Caesar's Entertainment and MGM Resorts endured cybersecurity incidents that nearly, and in the case of MGM, actually derailed their operations.

Most of you who read this will agree that #ransomware is the plague where cybersecurity risk has proven to be a large business disruptor. A sound defense against these large impacts requires successful CISOs and their teams to turn some of their attention toward how organizations respond to fused cyber-business-threats.? The work of cyber incident response has to adapt to a broader emergency operations center model.? We tend to deal with the cyber-crisis in a "closed door" IT-centric manner, and we have to think more broadly about crisis management overall to successfully defend against this threat.

?

?Here are two experiences I've had that tell us why.

?

The Debate

In 2020, I had the privilege of being part of the combined staff of the Cleveland Clinic Foundation (ccf.org) and Case Western Reserve University (cwru.edu) to host the first Presidential Debate at the CWRU Medical School.? We only had 60 days to setup the operational plan for infrastructure and cybersecurity, in addition to operating plans.? Remember COVID-19 protocols?? That was the small stuff.? We were able to establish a network operations plan and then coordinate a network access control and monitoring solutions that would operate at a high tempo for about a week, and then be torn down and put away after the event.? The final two days had my CCF CISO colleague, Vugar Zeynalov, and me standing alternating shifts in the cyber Emergency Operations Center (EOC) staffed with our monitoring teams, augmented by our Federal law enforcement colleagues, and the representatives from the Committee for Presidential Debates. There were cyber issues to act upon, but the first Debate went on as scheduled, without a hiccup.

?

The foundation for?us to accomplish this mission was laid a few years earlier, when we started adapting our incident response models to follow the National Incident Management System (NIMS), developed by the Federal Emergency Management Agency (FEMA).? This approach allowed our team to use common language practices by law enforcement and emergency management professionals (who usually come from safety, fire, and police backgrounds).? We were able to easily adapt our incident response plans to account for external organizations with shared responsibilities,? which FEMA calls "Incident Command Structure."? Most interestingly, when we presented our plans to manage incidents during the debates, it was easily adapted to the established frameworks used by our partners and Federal law enforcement.

?

The Incident

Last February 13, 2023,?when Michigan State University (MSU) endured an on-campus active shooter incident, I was one of the team from Michigan State University's IT division detailed to support the university's emergency operations center (EOC).?? We had been training for the past year on how IT and Cybersecurity were to be part of the Logistics Section, and with this critical response to an on-campus active shooting was the first time I had witnessed the process in work. This was post-COVID timeframe, and we had been slowly updating the processes incorporate remote support of crisis operations, but in this case, the remote meeting capabilities were not ironed out cleanly, so the EOC was called to convene in person.

I was living on the MSU campus at the time.? In response to the reports of violence, the campus was moved into full lockdown because we did not know the full extent of the active attacker (e.g. threat envelope).? If we had matured our remote EOC options further, I (and others) could have easily supported the operations remotely (network availability permitting).? I eventually was able to depart my on campus residence and drive to the remote EOC location;? but if there had been other disruptions, the EOC might not have been staffed adequately.? What this situation highlights is that there is some personal risk involved in crisis management, if it is from disasters, lost infrastructure, or physical danger, and the CISO can take what we exercise daily in incident response to help EOC incident commanders make sound and well thought-out decisions.

When there is a ransomware incident at your organization, you, the CISO, ought to be in the incident commander rotation.? Be prepared to think above the cybersecurity scope and consider the emergency operations and crisis management scope.? Consider how ready you, and you team, are for making decisions in high stress scenarios.?

Take Home Message

There are many details that I've not added here, not because they are unimportant, but I want to keep you, the audience connected to how a CISO should be able to improve your organizational resilience by improving your team and yourself.

?

1. Study and adopt elements of the FEMA National Incident Management System/Incident Command System (NIMS/ICS) into your incident response protocols.? NIMS is a clean framework for organizational structure, which allows you to adapt roles for cybersecurity incidents, and to know the roles for other incidents where cybersecurity and IT are in supporting roles.
2. Plan your incident response scenarios to include fusions of cyber and physical threats.? Consider the cycle of increasing intensity:? Event > Incident > Disaster Recovery > Emergency Operations Center. Have decision plans for each rung on the ladder.
3. Cultivate relationships with local law enforcement and similar safety personnel.? Encourage your teams to have the same operational relationships and communications.? Things go much better when you recognize the voices when you get the call.? You can get a good step forward by joining your local InfraGard chapter.
4. Develop your crisis management mindset. Some resources I've found helpful here are: Jocko Willnk's book "Leadership, Strategy, and Tactics," to measure yourself and your team. Melissa Agnes's Crisis Ready Institute- to start cultivating your mindset with tangible examples of how people respond to crisis- often poorly - so you're not the next seminar story.
5. Recognize that not all people are "built" for crisis response.? You might have a fine threat hunter on your team, but he or she may not be in the place in live where stress helps them perform.? Consider taking a free psychometric test from thomas.co to see where you are on this scale. Pay attention to the emotional and moral injury your teams may have to endure.

?

If you pay attention to these items, you and your team will be more ready for a dramatic crisis response. Ideally, we woud not have to focus on incidents like these, but it is part of cybersecurity.

Lastly, I'd like to remember the three young students who lost their lives in the February 13 MSU Incident. May their lives not be forgotten.

Arielle Anderson

Brian Fraser

Alexandria Verner