I was invited to present the latest Sand Table™ Cyber Resilience Game at the High Technology Crime Investigator’s Conference in Anaheim, CA last week (HTCIA.org). This conference features the latest tactics, techniques and technologies to defend networks against criminals and other cyber-adversaries. My presentation focused on how to prepare when those defenses inevitably fail.
Headlines are full of CEOs who step down and are fired. Or worse, hauled in front of Congress to explain why their networks have placed so many citizens at the feet of cyber-criminals. It is a BIG problem and not just for the IT guys. Cyber crime is a problem all the way up to the C-suite. The fact is, most companies “Flunk Crisis Management 101.”
I presented the Cyber Resilience Game as a method to prepare for the inevitable penetration. When I surveyed the room, less than 30% of the participants had a formal Cyber Incident Response Plan. Only one person reported that they had PRACTICED the plan. This, I explained, is the problem. Because organizations lack a relevant response plan, they will not know who to call, what to do to limit damage, how to manage the public information-sphere, or what to say to stockholders and customers. In short, they are unprepared and vulnerable.
I set up two game boards in the room and invited people to play. The game is easy to learn and we established a dialogue in just 15 minutes. The Game is engaging; people immediately started playing and having some fun. I overheard comments like, “This is fun!” and “Let’s do something real.” People were eager to do something else besides another boring table top exercise!
As the games progressed, learning points came out. On one of the boards, a cyber-penetration occurred and a Value-Pog was taken. A Value-Pog is a game piece that represents an asset in a network domain. In this case, the Pog was ransomed and the Network Defender had to pay out. But to add insult to injury, the Network Defender had to determine recovery costs and negotiate insurance claims against the company’s cyber insurance policy. “This game really sticks in your head,” said one participant. “This would be a great game to play with my boss!”
The Game promotes realistic dialogue and effectively brings out the issues you would need to deal with in a cyber-incident. Because it is a game, it engages participants and brings out situations in surprising ways, which is far closer to the way an incident like this really happens.
If you would like more information, give me a call at (425)919-5153 or email me at email@example.com