Case study: exercising as part of an incident response retainer (IRR) for a large organisation

Outline:

  • This case study is based on an engagement conducted by Tyburn.

  • The client was a large research organisation in the UK, with annual turnover of ~1.6Bn USD.

  • Tyburn was working with the organisation under the terms of an incident response retainer (IRR).

  • As part of the retainer Tyburn facilitated regular incident and crisis response exercises for the organisation’s leadership team.

  • These exercises went beyond cyber to encompass the full range of threats to the organisation’s security.

  • They enabled the organisation’s senior management to respond efficiently and effectively in the face of multiple and concurrent significant incidents, safely leading the organisation to continue operations despite ongoing events.

  • The organisation’s CRO described their IRR with Tyburn as “the best money we have ever spent”.

Exercising as part of a retained incident response service

The exercises described in this case study were conducted under the terms of an incident response retainer, with Tyburn contracted to provide incident response capability and strategic advice during security incidents. Multiple incidents occurred during the period of the retainer. 

However, in addition to crisis response, the retainer includes an ongoing programme of training and support, intended to build organisational resilience and readiness ahead of any incident. We view this engagement as critical in building relationships across an organisation, ensuring a smooth transition from business as usual to crisis response. It is the work done ‘left of bang’ - before an incident occurs - that makes a real difference during a crisis. 

A key part of Tyburn’s ongoing programme of training and support as part of the retainer service was the delivery of incident exercises for the client organisation’s executive team. The format of these exercises, and the themes that they explored, varied throughout the period. The focus of this article is on table-top exercises conducted for the organisation’s executive leadership team.

The benefits of integrated exercising programmes

These exercises were not one-offs, but were instead conducted as part of a programme through the retainer. This reduced organisational overheads and enabled lessons identified to be carried across between exercises. It also enabled and encouraged a rotation of personnel through the exercises. At the executive level this meant bringing in deputies and supporting personnel, deepening ‘muscle memory’ at the institutional level as much as among key individuals. This is a key measure of the maturity of an organisation’s crisis response capability.

Another important aspect of this programme was that it was not solely focused on cyber threats. Tyburn’s work is premised on the recognition that adversaries will operate across the threat spectrum, and that it does not make sense for organisations to view security threats in isolation. As such, these exercises covered cyber threats, but they also covered physical and insider threats, as well as broader consideration of threats emerging from the information environment or supply chains.

A narrow focus on cyber incidents can give the impression that the threat and the response are purely technical. The breadth of focus in our exercises helped executives at the organisation to understand the political and geopolitical factors driving security threats. The client organisation was engaged in research activities that were a target for both domestic protesters and foreign state intelligence services, underlining the importance of a geopolitical perspective.

The threat from these different actors varies significantly, as does the appropriate response. Exercising across this spectrum enabled the organisation’s leadership to gain experience in responding to different threats, while simultaneously reinforcing underlying lessons around how to respond effectively to any incident. The specifics of the response vary, but key characteristics of what good looks like in crisis response are broadly applicable. This is how organisations can build a mindset of moving from exercising to genuine resilience.

Seeing the results in practice

Because Tyburn was both delivering the exercises and assisting in incident response, we were in the unusual position of being able to see how a programme of exercising affected the performance of executives in responding to real incidents.

A key risk in a real crisis is that carefully developed incident response plans will be undermined by inappropriate micromanagement of granular detail by executives. Division of labour is crucial during an incident. The risk is that the leadership team gets drawn into tactical and operational aspects of the response, rather than focusing on strategic guidance and downstream risks. 

The desire to get into the weeds is understandable given the stress of a security crisis. In other situations, people can valorise the hands-on, detail-oriented CEO who leads from the front. However, in a crisis, it can severely undermine the organisation’s response if the leadership team becomes too involved in the wrong processes. Not only can this undermine and disempower the teams responding to the incident, it also absorbs capacity that should be directed towards the actions required of the leadership team.

The result is that what can be termed the ‘decision space’ available to the organisation is reduced. Worse, this reduction is not (directly) caused by the adversary’s activities, but is largely self-inflicted. In other words, poor strategic management of an incident can exacerbate the damage and disruption caused by the adversary’s actions. In contrast, keeping the leadership team focused at the right level of decision making, over an appropriately strategic time frame, helps to keep that decision space open. As one observer has argued, exercising is

“necessary to build the implicit communication required to facilitate rapid decisionmaking in times of crisis.” 

Keeping the decision space open is harder in practice than in theory. Some of the required institutional muscle memory covers the management of information during an incident. This includes the unglamorous but critical set of capabilities that together ensure good meeting discipline during crises. Having and using an agenda, effective note taking, and ensuring follow-up on actions all sound like trivial tasks, but can be the first aspect of the incident response plan to be degraded in an actual incident. Exercising drives home why this activity matters, while increasing the number of people in an organisation who are familiar with performing these functions in stressful situations.

We found that regular exercising improved communication during a crisis. Some of this was external communication and engagement with stakeholders such as investors, regulators, and law enforcement. However, communication within the organisation was equally important. This included official crisis communications with key teams or across members of staff. Most notable was the improvement in communication within the leadership team and between the leadership team and operational incident responders. Regular exercising provided experience in understanding and communicating priorities, translating technical language into operational impact, and ensuring clarity in stressful situations.

Conclusion

Over the period of the retainer, through a combination of exercising and responding to real incidents, we observed a qualitative shift in the organisation’s crisis management capability. It was gratifying to see the executive team drawing on lessons learned in the safe space of an exercise to address similar threats during real incidents. Key to this improvement was the strengthening of the leadership team’s information management and communication skills. Over the course of the retainer we observed how the team proved better able to preserve the decision space open to key figures, enabling more effective management of strategic and downstream risks.

The results were appreciated within the client organisation. One senior figure referred to the cost of the retainer as “the best money we ever spent”.

Learning points:

  • It is more effective to conduct a programme of exercises than one-off ‘ad hoc’ exercises.

  • The exercise programme should be closely aligned with the organisational security function to ensure fidelity in threat scenario generation.

  • At the executive level exercise programmes should encompass the full range of security threats, including hybrid cyber-physical-insider threats.

  • Exercising is crucial to build institutional muscle memory around effective crisis response management.

  • Preserving the decision space for senior leadership is crucial and takes practice.

  • An effective exercise programme can qualitatively strengthen an organisation’s ability to respond to crises.
