Then, “it’s not a battle between a technology person vs. a risk person to force the business side to do something.” Instead, it’s about aligning expectations. “If you can only fund at this level, it will give you this level of expectation. And that changes the tone and impression of the security professionals,” Pironti tells us. “You are an enabler, versus an authoritarian who has forced your will on them.”
Once the risk profile is completed, it’s time for threat and vulnerability analysis to understand which threats have a high likelihood of impacting the business. Specifically, firms need to look at the threats they are vulnerable to and how those threats would impact people and systems. “Do we have active threats? Is there a new type of attack that we didn’t know about before?” Next, they must move on to vulnerability management, which addresses how to manage each vulnerability and how to shrink the surface area that is exposed. This all falls in the realm of preparation -- doing everything possible to reduce the threat before it materializes.
Command and control: first line of defense
Assuming that a threat will happen, the business should engage in a conversation around incident response, business continuity, disaster recovery, and the topic of command and control. “The idea is that for certain things we have prescribed plans,” says Pironti. For the vulnerabilities that carry a clear business value, the firm would invest in a planning cycle, develop training materials, and have scripted material ready.
To deal with the unknown -- those things for which it hasn't developed business continuity plans -- the business relies on the command-and-control piece. This includes triage capabilities, a list of people to call, and ways to get the right resources and people in the room to minimize business interruption. In the first stage after an attack, the operations team should be empowered to solve the problem. “You need to be prepared to do analytics, have documentation, and determine if the attack is breaking the law: Is it a health and safety issue? Is it a crime? Does it require an investigation?”
If the operations team decides the event is outside its area, then it’s declared an “incident” and outside people are called in. Once it’s beyond the control of the incident response team, the matter moves up the stack to the business continuity role. Across all of these stages, firms need to have training, competencies, and toolkits to prepare for both the known and the unknown, according to Pironti.
Ultimately, companies that prepare for cyber security attacks have a better chance of avoiding business disruption. “Let’s not look through rose-colored glasses. Let’s assume we’re going to be affected,” says Pironti. “Through advanced training, planning and awareness, and having the right tools available, the goal is really to turn incidents into anomalies where they are dealt with in the normal course of business.” Those companies that are unprepared are more likely to fail at the response, take more time, and experience more disruption.