As of December 18, 2023, publicly traded organizations must comply with the Securities and Exchange Commission (SEC) incident disclosure regulations, which were originally unveiled in July 2023. Under the new rules, publicly traded companies are required to report cyber incidents within four business days of determining that the incident is “material,” meaning it could potentially influence a shareholder’s investment decisions. While many existing government regulations and industry standards have long required organizations to establish business continuity and incident response (IR) plans, the new SEC rules put more pressure on security practitioners than ever before. Because time is of the essence, a well-practiced IR program will be critical. It’s no longer about having a plan in place; it’s about how well that plan can be executed, which will require many organizations to depart from their current practices.
When a cyber incident occurs, organizations need to be ready and able to respond quickly. While many organizations have deployed cybersecurity solutions for better incident detection, the foundation for an effective response is a comprehensive cyber IR plan matched with detailed governance, risk, and compliance programs. Having such plans and processes in place helps organizations manage cyber incidents in an efficient, agile, and cohesive way.
However, most companies don’t know how ready they are for a breach until they have one. They quickly learn that they should have done more to prepare. According to the IBM Cost of a Data Breach Report 2023, it’s not just about having an IR plan in place but about regularly testing it, which can lower the cost of a breach by as much as $1.49 million on average. Accordingly, organizations must run regular training and IR simulation exercises and foster strong collaboration across the organization.
Inhibitors of Traditional IR Simulations
While IR simulations (a.k.a. tabletop exercises) are a proven tool for building awareness, improving coordination, finding gaps in an organization’s security posture, validating assumptions, and building confidence, they can be painstaking to plan and challenging to implement effectively and efficiently. This holds especially true given that many information security teams are understaffed, underfunded, and often lacking the necessary skills.
Independent of the type of tabletop exercise (e.g., self-designed and facilitated, peer-to-peer, virtual, or third-party service-led exercises), an average tabletop exercise can cost an organization anywhere from $30,000 to $50,000. The overall spending is driven by the cost of training in preparation for the simulation, pre-exercise planning, incident scenario design, logistics and preparation, exercise delivery, and post-exercise analysis. It is therefore not surprising that over a third of organizations say they space their IR tabletop exercises a year or two apart.
The New Paradigm: Automated IR Simulation
This raises the question of how you can employ IR simulations as part of your overall IR strategy without putting more stress on your staff or going over budget. Here are a few tips:
- Leverage AI: Take advantage of emerging IR simulation technology that uses AI to create realistic scenarios, automate attack simulations, provide a fully interactive user experience, and analyze the results.
- Make it Continuous: Annual IR simulations are not sufficient – especially in light of the new SEC incident disclosure rule. To nurture a collaborative culture in your organization and optimize your incident preparedness, you need to make IR simulation an ongoing process with frequent, short sessions that keep all stakeholders engaged.
- Allow for Universal Engagement: It’s essential to shift IR planning away from the old model, where a few people participated once a year. In today’s dynamic threat landscape, universal engagement is required, including staff members from legal, PR, investor relations, product development, cybersecurity, and general administration teams. You need to ensure inclusive participation, giving everyone a chance to prepare for likely incidents.
- Tailor It to Your Business: Don’t waste time with generic simulations that don’t suit your company. Run multiple IR scenarios concurrently, with short war-room sessions and summaries sent to stakeholders whose attendance is optional. Moreover, attacks often consist of seemingly unrelated events that unfold over time. Simulating these events in context can help train your stakeholders to keep an eye out for suspicious activity.
- Insightful Reporting: Don’t spend hours generating post-simulation reports. Use automated IR simulation tools whose reports offer insights into key activities, potential missteps, and performance relative to other firms. Track your progress, identify areas for improvement, and continuously refine your cybersecurity response strategies.
Tabletop exercises will remain relevant for incident readiness optimization as long as humans are involved in intercepting and remediating cybersecurity attacks. As attacks and technologies evolve, so should IR strategies and tactics. By turning IR simulation into a continuous process and employing innovative tools, you can address the stringent requirements set out by the new SEC incident disclosure rule and get the most out of tabletop exercises in 2024 and beyond.