Tabletop Exercises and Preparedness: ICS Pulse Podcast, Debbie Gordon, Cloud Range


What if your first time in a plane was also the pilot’s first time in a cockpit? That would be unacceptable to even the most risk-tolerant among us. So why do companies so often experience their first cyber intrusion without ever really preparing their staff to combat it? Cybersecurity practitioners and other employees need to train for cyberattacks so they know what to do when that dire moment arrives. No one comes pre-loaded with all of the necessary skills.

ICS Pulse recently talked to Debbie Gordon, founder and CEO of Cloud Range, about what companies can learn from tabletop exercises, how a lack of overconfidence is a good thing and why organizations need to stop searching for a purple unicorn. Listen to the full podcast here.

The following has been edited for clarity.

ICS Pulse: I know this isn’t the crux of your business, but you do tabletop exercises as well as attack simulation. Can you walk me through the value of getting a company to do a tabletop exercise?

Debbie Gordon: A traditional tabletop exercise is often an incident response exercise. And the key term there is “incident response” — something already happened. So let’s just say there’s an attack, and a pipeline gets shut down intentionally or unintentionally. What do you do? Traditionally, this involves the leaders of a company coming together and saying, “Oh, gosh, what do we tell the media? What are the legal implications? What do we have to tell our shareholders? What do we tell consumers? What do we tell our employees?” The technical part is, “How do we actually remediate this and fix it to get production back as quickly as possible?”

That example is a traditional tabletop exercise — something already happened, and you have to decide how you’re going to respond. Where we play, and I love this part of it, is we take an existing tabletop exercise and think about the prequel to that. Before that actually happened, what happened on that network? Where was there a threat identified or missed? How did that get through the system? Whether it came through on the IT (information technology) side onto the OT (operational technology) side, what was that flow? And what did the people in the SOC (security operations center) see or miss? How did they assess that and investigate that, if they did or did not? Then how does it get to the point where it becomes an actual incident to respond to?

So when we’re talking about a tabletop exercise, we actually have a product called Tabletop 2.0 because it tells the whole story. It’s not just something that already happened. What happened before that to get to that on the technical side? What actually happened through the network, and how were people responding to that? Those types of exercises, which we do with companies, we usually combine those with their existing tabletop. If they have a company that they’re working with on a tabletop exercise, we work with that company, and we’ve put together the whole story. So we talk about the scenario, and then we create the prequel on a range, so that we can involve technical people and non-technical people. It tells the whole story. It gets both sides to realize what this whole picture looks like, so it’s not just people working in a silo.

ICSP: What kind of feedback are you getting from companies that have gone through this process? Are they shocked at how unprepared they are? Are you finding ones that are better than they thought?

Gordon: I have been pleasantly surprised by the lack of overconfidence of security leaders. And that’s a good thing, lack of overconfidence. You may think that security leaders will say, “Oh, we’re good,” because they don’t want to vocalize weakness or vulnerability there. But I’ve been very pleased with how realistic people are about the fact that they are only as good as their experience. We work with companies all over the world and really in every sector, both on the critical infrastructure side and also the data security side, but the thing that is common in all of them is that it makes their teams work better. And every time a team works better, it improves their detection and response time and eliminates, reduces and mitigates the risk.

It’s about communication, collaboration, teamwork, creativeness, all of that that sits on top of the technical skills. That actually turns out to be a potential weakest link in the chain because people can have great technical skills. Before, I was talking about how somebody may have the skills but they’re afraid to use them; when they’re working in a safe team environment, they get elevated. They get confident and it shows. That type of thing makes the job easier for security leaders because they didn’t get into being a CISO to work on small group behavior and teamwork. So it makes their job easier. That’s not what we set out to do, either. That was an unexpected, amazing consequence of what we’ve done. Obviously, the very measurable improvement in how teams are responding, that is the key, but it makes their lives easier, also.

ICSP: You mentioned that lack of overconfidence, which is great to hear. People are only as good as their experience, but things keep changing. Threat actors stay ahead of the game. Pipedream was something totally new in this last year, so you’re generally going to be challenged, as well.

Gordon: That’s why we do simulations at least once a month with a team. They spend a few hours a month going through a simulation, and it’s a different one every time because there are always different TTPs (tactics, techniques and procedures), and they have to practice on different things. So it just gives them exposure to a lot more. One time hurts, but many times is really going to continue to get them in shape.

ICSP: What kind of trends are you seeing right now in the cybersecurity industry, whether that be emerging or recurrent? What are you seeing out there?

Gordon: Just over the last few years, it’s become very apparent that organizations acknowledge that they have to grow their own people. They can’t find a purple unicorn out there. They have open seats, and they can either poach them from another company and pay them more money, which does not solve the problem — it just perpetuates it, and it’s more costly — or determine that they need to grow their own people. We are so excited about being able to provide the resources to do that because it’s not just taking people who already have experience. We have customers that are green. They’re hiring people who are green that have will over skill potentially, and they have to give them those skills. They’re acknowledging that they’re not trying to fight it anymore, saying, “I just can’t find the people.”

Their seats are staying empty for less time because they’re putting learning plans in place. And then the other thing that’s related to this is that security leaders also didn’t sign up to be learning and development planners. But they’re having to do that because in many organizations the HR doesn’t know how to go about this, either. So the people under the CISO, including the CISO, have to say, “Here’s what we need. Here are the learning plans. Here’s the competencies people need.” Then we’re able to put them on that path on an ongoing basis. So it’s very prevalent now. I talk to a lot of CIOs and CISOs around the world, and they all acknowledge that they’re not going to find the purple unicorn and that they have to grow their own talent.

And bringing people from other parts of the organization. It may not even necessarily be from IT. Somebody in marketing may say, “Hey, I want to get into cybersecurity,” and they may have the aptitude to be really good at it. Companies want to keep people internally even if they come from a totally unrelated department.
