Assessing and Enhancing Organizational Security and Risk Management


In today's evolving threat landscape, organizations across the globe face cyber threats as a daily challenge. From sophisticated ransomware attacks to nation-state sponsored breaches, the stakes have never been higher, underscoring the need for robust security controls and effective risk management. To defend against this "inevitable onslaught of cyber threats," relying solely on cybersecurity tools is often insufficient; organizations must actively assess and enhance their preparedness. This is achieved through a combination of rigorous assessments, structured exercises, ongoing monitoring, and continuous improvement processes.

The Role of Practice and Simulation Exercises (SIMEX)

Effective responses to cybersecurity incidents rely in large part upon three key elements: personnel, planning, and practice. While having the right people and a well-written plan are essential, they are not enough; teams must practice responding to incidents. Practice usually enables people to perform better when called upon.

Simulation exercises (SIMEX) are a broad category of activities used as rehearsals for unexpected events. They are designed to mimic reality and exercise participants' capacity to implement emergency response functions. SIMEX can test systems, emergency procedures, contingency plans, response mechanisms, and equipment. They contribute to team building and evaluating response skills. The U.S. Federal Emergency Management Agency (FEMA) describes six levels of exercises, increasing in complexity from informational seminars to simulations that mimic reality.

Organizations improve their preparedness capacities based on the SIMEX results. Challenges faced during a crisis, ranging from coordination and security to administrative and technical difficulties, can be reduced by regular exercises. Simulation exercises play an important role in promoting a culture of disaster risk reduction, including enhanced preparedness for effective response. Most exercises focus on practical learning in a safe environment, with a strong emphasis on the after-action review or exercise debrief.

Tabletop Exercises: A Foundational Assessment Tool

One of the most common and easy-to-implement vehicles for testing incident response plans is a tabletop exercise (TTX). A tabletop exercise is a form of SIMEX and of cyber defense training in which teams walk through simulated cyberattack scenarios in a structured, discussion-based meeting setting. These structured, interactive simulations are designed to help teams come together and determine how to respond to a crisis. Tabletop exercises typically take place in a non-threatening simulated environment, allowing participants to comfortably rehearse their roles, ask questions, and identify problem areas. They are often described as being "played around a table".

TTXs are a powerful method for revealing the weaknesses in a given incident response framework before an incident actually happens. They are considered low-risk and cost-effective compared to live simulations. This allows teams to test their plans without the risks of live drills. They are also the only type of simulation that does not strictly require an existing response plan in place to be conducted effectively.

How Tabletop Exercises Assess Security Controls and Risk Management:

Tabletop exercises are primarily used to test incident response plans. They help organizations understand potential threats and identify weaknesses in processes. These weaknesses can range from technical vulnerabilities to gaps in communication protocols. They serve as a test of collaborative problem-solving, communication, and coordination, which are critical attributes for managing real-world security incidents. TTXs can also test other key programs, such as business continuity, disaster recovery, and/or compliance. They allow for the evaluation of performance, decision-making, coordination mechanisms, and validation of instruments and processes used to collect and organize information.

Key Elements for Designing and Conducting Effective TTXs:

Designing and conducting a powerful tabletop exercise requires careful planning and execution, focusing on several key steps:

  1. Clarify Objectives and Outcomes: Be clear about what you hope to achieve during the exercise. Defining the goals ensures alignment with organizational priorities and leadership needs. Objectives should be Specific, Measurable, Achievable, Relevant, and Time-bound (SMART). Aligning objectives with real-world threats maximizes relevance and engagement. Define what success looks like at the end of the exercise.
  2. Choose the Right Participants and Exercise Team: Assemble individuals from all relevant departments and other appropriate stakeholders, such as IT security, operational security, physical security, legal and compliance, HR, Marketing/Communications/Public relations, and executive leadership. You want the key decision-makers in the room. Include external team members, such as outside counsel, crisis communications professionals, or forensics examiners, to simulate real-world responses. Consider how to optimize the team for rapid decision-making.
  3. Design an Interactive Scenario and Exercise Plan: Create a solid, believable scenario that is realistic and relevant to your organization's industry and threat landscape. Scenarios should reflect the organization's threat trends, vulnerabilities, and assets, often building upon its risk assessment. Scenarios can test coordination with other key programs, such as business continuity, disaster recovery, and/or compliance, and incorporate potential interactions with external parties like media, customers, regulators, and law enforcement. Scenarios should expose coordination breakdowns or highlight areas for improvement. Realistic scenarios are crucial for engaging participants and uncovering meaningful insights. Update scenarios annually to reflect current and evolving cyber threats. Introduce unexpected events or new information during the exercise through "injects" to simulate the dynamic nature of a real incident. Design the scenario around "issue areas" based on local preparedness needs and priorities, rather than just a narrative, to ensure important areas are addressed. Decision-making must be forced, targeted, and time-delineated within the scenario.
  4. Create an Interactive, No-Fault Space: Design an environment that builds trust and encourages discussion, avoiding rigidity. Declare the venue a "no-fault zone" to allow people to ask any question and make mistakes without fear. This low-stress environment is a core benefit.
  5. Ask Probing Questions to Gain Insight: Use an experienced facilitator to guide the discussion, ask probing questions, and uncover key issues and insights. A skilled facilitator is important to keep the exercise on track and productive. Facilitators should be prepared to step in if participants appear flustered or unsure.
  6. Run the Exercise: Guide participants through the scenario, prompting them to make decisions and explain their reasoning. Encourage open communication and debate. Use interactive elements like role-playing and timed decision points to maintain engagement and replicate real-world uncertainty.
  7. Capture Issues, Lessons, and Key Gaps: Don't just rely on note-takers; capture and review key points in real-time during the exercise. Use visual tools and a timeline to see how decisions unfold. Observers should take notes.
  8. Debrief and Evaluate: Every tabletop should conclude with an "after action review" (AAR) or debrief session, discussing what worked well and what aspects of the incident response plan or other policies need improvement. Collect feedback from all participants using questionnaires, group discussions, or individual interviews. Discuss participants' experiences, identify problems, and pinpoint gaps.
  9. Create a Specific, Near-Term Plan (Action Plan): The best way to put learnings into action is to use the AAR to develop a simple and specific near-term plan. Prioritize findings, assign ownership, and set deadlines for each action item. These plans bridge the gap between lessons learned and tangible improvements. At the end of the debriefing, draw up a list of actions to improve the tested plans and procedures. This plan should include a resolution timeframe for each problem and the entities responsible for it.
  10. Provide Tools and Guides to Boost Learning: Leverage the exercise by providing participants with access to hands-on tools and resources that will help them enhance their plans.

Other Assessment and Monitoring Methods

Beyond tabletop exercises, organizations utilize various other methods to assess and manage their security controls and risks, as demonstrated by US Signal:

  • Risk Management Program: This includes identifying risks, analyzing them, and determining how they should be managed. US Signal performs an annual risk assessment over their environment to identify potential threats, analyze associated risks, and determine mitigation strategies. They also document risks for new or changed lines of business and assess fraud risk annually. They evaluate changes in the regulatory and physical environment, as well as vendor and business-partner relationships, through their ongoing and annual risk assessment process.
  • Ongoing and Separate Evaluations: Organizations perform these to ascertain whether the components of internal control are present and functioning. US Signal develops an audit schedule annually to assist with identifying and monitoring risk.
  • Audits and Internal Assessments: US Signal performs various self-certification audits annually to test the design and operating effectiveness of controls. They also perform an internal assessment of their controls against National Institute of Standards and Technology (NIST) guidelines on at least an annual basis. US Signal audits their data center facilities annually. The results of internal assessments are communicated to senior leadership at least annually.
  • Technical Testing: US Signal performs internal and external vulnerability scans on at least a quarterly basis. They conduct a network segmentation test annually. Penetration testing is performed annually, and critical/high-risk findings are tracked and resolved. System firewall audits are conducted at least biannually to validate configurations.
  • Monitoring: US Signal monitors security events and system alerts, logging activity to an internal Security Information and Event Management (SIEM) and Network Management System (NMS). Security alerts from the NMS are monitored in real time by their Technical Operations Center (TOC). They evaluate security events documented in tickets to determine if they are security incidents requiring further investigation. US Signal monitors capacity within their environment on a monthly basis, including power usage, space, storage, and bandwidth. They also perform a quarterly data audit to ensure data destruction procedures are followed.
  • Vendor and Business Partner Due Diligence: US Signal assesses and manages risks associated with vendors and business partners. They perform annual due diligence on high-risk vendors and due diligence for new vendors.
  • Business Impact Analysis (BIA): A BIA is performed on an annual basis to document the potential effects of an interruption to critical business operations.

Enhancing Security Controls Through Iteration and Improvement

The true value of exercises comes from the lessons distilled from them. Lessons learned from tabletop exercises must then be incorporated into relevant plans and policies. After exercise organizers gather and analyze information, an individual with the requisite authority should ensure that the company's incident response policy and other appropriate policies and practices are modified to reflect the lessons learned. The "after action review" (AAR) is where the team discusses what worked well and which aspects of the incident response plan or other policies need improvement.

Enhancement is an iterative process. Use insights from each exercise to update your incident response plan, refine your procedures, and improve team training. Resilience is a continuous journey, requiring regular updates and iterations to keep exercises relevant. Schedule annual or semi-annual exercises and incorporate emerging threats and evolving organizational priorities. This approach ensures that your organization's incident response capabilities constantly evolve with emerging threats.

To measure the effectiveness of TTXs and track improvements, establish clear, measurable objectives before running the exercise. Specific metrics can include the number of vulnerabilities identified, time to detect and respond to simulated incidents, number of communication breakdowns, participant satisfaction, and improvement in post-exercise quiz scores. Regularly tracking these metrics will demonstrate the exercises' increasing value over time.

Conclusion

Assessing and enhancing security controls and risk management is not a one-time event but a continuous cycle of planning, practice, evaluation, and improvement. Organizations leverage various methods, including different types of simulation exercises like tabletop exercises, comprehensive risk assessments, audits, technical testing, and ongoing monitoring. Tabletop exercises, in particular, offer a low-risk, cost-effective, and powerful way to test response plans, identify weaknesses, and improve team coordination and decision-making in simulated scenarios. The key to enhancing preparedness lies in diligently learning from these assessments and exercises, documenting insights, creating actionable plans, and implementing necessary changes to plans, policies, and procedures. By consistently engaging in these activities, organizations build the muscle memory and resilience needed to face real-world cyber threats effectively.