It’s a new year, and you’ve got some ambitious goals for the next 12 months: Data Analytics, Identity and Access Management, UEBA, Zero Trust, SOAR. Exciting, big-ticket projects. But before you get all bogged down in the implementation of new six- and seven-figure tech tools, try this at your next staff meeting. Throw your team a disaster scenario curveball. A real doozy.
Ask them to tabletop – on the fly – a massive cyber attack that leaves your organization completely helpless, offline, reduced to paper and 4G phone service and text messaging, all happening on a day you’re out of the office and unavailable. Hand out index cards with very brief descriptions of the event as each might see it manifest in their area(s) of responsibility.
Sit back, and don’t say a word for 10 minutes. Time it on your smartphone. Resist the urge to answer questions – you’re out of the office and unreachable, after all.
Why? Because your team isn’t expecting the unexpected, not on this sort of scale, and not in their first meeting. You want to reinforce – from the very beginning of the year – that resiliency is more than something we build into systems and architectures. It’s something we practice as a team. It’s something we cultivate in ourselves, as security and risk management professionals. Stress brings out both the good and the bad.
What will happen? You’ll get a lot of staring: team members staring at you, at each other, at the floor.
Right away, some of your best and brightest will protest that this scenario can’t possibly happen, wouldn’t happen, shouldn’t happen. Eventually they’ll start to think about what would follow if it did happen. They’ll start to ask each other what’s on the cards, who knows what, who’s seeing what. Who can do what with what’s left.
At that moment you’ll start to see the wheels grinding together, and the conversation will begin in earnest. Some of your team, because of temperament or discomfort, won’t say a word. They’ll let the others run with the ball. Some of your team won’t be able to stop talking. They’ll feel compelled to fill the uncomfortable silence with thoughts, ideas, plans, actions. They’ll come across as confident (possibly overly confident) and sure of themselves. Others will occupy the middle ground, waiting for their opportunity to add value.
And that’s when you end the exercise. Not because you’ve arrived at a solution, or a consensus, but because you’ve made your team question the stability of your environment, their safety, their convictions. Starting off the year a little uncomfortable is not a bad way to begin.
Sean Steele is a co-founder and managing partner of Infolock. He has his CISSP, CISA, and CRISC certifications, and thinks everyone should know how to tie a nail knot in 30 mph winds.