The Best IT Investment You Can Make is Better Training

19th of September 2019

Opinion by Philippe Roy, TIBER expert & Information Security Consultant @ FortConsult

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” 
― Sun Tzu, The Art of War

IT security and Incident Response are not just a range of products that log and protect your systems. They should be value-adding activities in your organisation that prepare you for a cyber incident. But how do you best measure ROI in IT security?

When speaking of investing in internal or external IT security resources that may or may not come into play, ROI might seem a hazy, intangible concept. After all, who knows when uninvited guests will come knocking at your door, or what consequences the incident will have? And can you even measure the value of this investment?

But one thing is certain: you will sooner or later have uninvited guests. The question is merely how much they will actually get access to. If you do not invest resources in a crisis management process, so that you are able to extinguish the fire when it appears, ROI will be the least of your worries while you count your losses.

Create a procedure, optimise it and practice it!

How do you prepare your organisation most effectively against cyber-attacks while balancing the ROI at the same time? The short answer is: create a plan and practice it!

The most efficient incident response plan is one that has been set up and practiced in advance, involving all relevant internal and external stakeholders. By testing and training your cyber procedures, you rehearse what to do before the stakes are high, so that during a crisis you already know who should be involved and how. It creates quicker response times from your team, ensures that the incident is escalated promptly and appropriately, and keeps the impact on operations to a minimum.

Managing a cyber incident is an art that must be trained 

During a real-life crisis, there is little time for reading text-heavy manuals or sending emails back and forth between C-level executives indefinitely. An effective way to practice dealing with a cyber incident is through simulations.

Train your procedures with cyber crisis simulations

A tabletop exercise is a fun and constructive way to train your organisation’s ability to react to a cyber incident. In a safe training environment, it is possible to test in practice exactly how responsibilities are allocated when a crisis is afoot. It will quickly show you the importance of a trained, clear, and well-documented incident response procedure. Initiating an unannounced procedure exercise, e.g. by writing a simple email to your team about a fictitious incident, is also a good way to keep your team on their toes.

A simulation can also be performed directly with your organisation and your Blue Team, through what we call a Purple Team assessment. Ethical hackers, working with your knowledge of the business and operations, assess your Blue Team's ability to identify and respond to the different phases of an attack, testing your organisation's response through realistic simulations of various scenarios and threat actors. In this type of exercise, you gain invaluable hands-on experience, along with recommendations for improving your processes, technologies, and employees' skills.

Another possible solution is to use a Security Operations Centre (SOC) – a 24/7 security monitoring and detection service where experts monitor your systems, extinguish small fires, and alert you when your cyber incident procedure should be initiated internally in the organisation.

An incident response plan could take many forms and does not have to be a text-heavy affair. A visual setup, with a step-by-step guide on how to handle a cyber incident, can help your crisis management team to acquire a better understanding of their role definitions and the processes. 

The value of creating and practicing an easy-to-grasp incident response plan far exceeds the lost profits you may experience when uninvited guests are caught in your systems.