Danial Faizullabhoy and Andy Cutts, co-founders of virtual strategy firm Cyber Strategies, sent government groups and financial services firms scrambling last month with simulated, coordinated cyber attacks across each of their systems. The goal? To get the cyber-security personnel inside the companies and departments to start thinking in unison about these kinds of threats, as opposed to seeing themselves as discrete companies or departments. We asked Faizullabhoy and Cutts what makes their solution unique in the arms race of cyber terrorism.
Cutts: This goes back ten years ago, when we did our first cyber exercise where the White House and the financial sector participated in 2003. A risk manager from the Bank of New York came to me after the exercise and said, ‘This was terrific. But could you build something more sophisticated for us? We spend a lot of money to see how to succeed in the stock market, but nothing to see how to handle operation risk.’
In the exercise, firms not only react to a scenario, but also to what every other firm does. Every firm’s response affects everyone else. That adds a level of complexity in some artificial way similar to the level of complexity in the real world. We’re eager to bring together different functional areas within a single enterprise, rather than just have a problem tackled by information security folks. You want to bring business services, with information security, with recovery folks. They’ve never had the opportunity or environment to exercise the whole team.
Faizullabhoy: The term we use is OODA Loop. Observe, orient, decide and act. Doing exercises and training to orient yourself so when the next threat comes along it’s not going to look the same, it will look different, but you’ve done enough preparedness you know how to act. In a large organization, knowing how to decide and act quickly is critical.
It takes practice. With new types of threats, you fumble once or twice, then you start picking up the ball and get really good at it. That’s the hope.
Cutts: There are more sophisticated threats today than before. It started with script kiddies, and it’s now advanced to criminals and nation states. There are more sophisticated individuals and more tools available, so the threat environment is more dense and challenging every day.