
When a cyberattack hits, breakdowns inside the organization may be as dangerous as the hackers themselves

19 November 2025 at 13:30

Interview transcript:


Terry Gerton Cytactic has just published a report, the State of Cybersecurity Incident Response Management. Let’s start with the headline: Seventy percent of cybersecurity leaders say internal misalignment causes more chaos than the hackers themselves. Tell us what that means. What kind of misalignment? What kind of incidents? Why is that the most surprising finding of your report?

Josh Ferenczi Absolutely, I’d love to. So first of all, let’s just appreciate the finding. I think it’s absolutely stunning to hear from practitioners who say that misalignment is much more concerning and creates much more of the chaos or disruption than the threat actors themselves. I think that the security industry broadly is familiar with the concept of FUD, right? Fear, uncertainty and doubt. And there’s so much focus on these threat actors. There’s a cost to that, and the cost is that we forget about our own people. And when we see that there’s misalignment, actually, misalignment is the core issue. It strikes home the idea that people, it returns us to people. And there are three different ways I want to take that. The first one is that culture eats strategy for breakfast, right? It’s a famous quote that we’ve heard, and it really focuses us around our people. Understanding that in an incident, when you’re managing an incident, there are going to be different stakeholders involved. It’s not just going to be a security function investigating the incident. You’re also going to have legal teams who are evaluating disclosure obligations, contractual requirements for service agreements, and different other legal requirements. There will be IT and operation teams who are focused on restoring operations, bringing backups live, doing IT and ops work. You’re going to have PR and communication teams who are focused on the narrative, on the reputation, on interacting with the public and the press. And so you end up having all of these different teams and all of these different stakeholders who have to work together. And for most organizations, it might be the first time that these people are working together. It’s not a part of their day-to-day routine for the general counsel and the CISO or the VP of communications to work with the head of IT, and all of a sudden they have to. 
And not only do they have to work together in an environment or a workspace that they’re not accustomed to working together, but there’s this incredible amount of urgency and this intense pressure in the room, in the office, in the organization because of the incident itself. And all of that sort of joins together to cause this recipe for misalignment and for chaos. And what that ends up looking like is teams or squads are formed to respond to a particular event. It’s chaotic or it’s misaligned because they’ve never worked together. Another aspect of it is they speak different languages. There’s this emphasis on language being very different. For example, the CISO and the security team may use terminology like “TTPs,” which are tactics, techniques, and procedures. They may be using language like “IOCs,” which are indicators of compromise. And this language is foreign to people on the legal team, who maybe think of things as evidence instead of IOCs, or think about materiality instead of impact. And you can run the gamut across all of these different stakeholders using different language. And all of a sudden you’re caught in this Tower of Babel, essentially, scenario where all of these different teams have to work together to get to the top, but we speak different languages. So the first one is people; they’re not used to working together, they don’t know each other. The second one is they use different languages, so they can’t get on the same page, furthering the misalignment or the chaos. And the third one is really decision authority. It’s the first time that the organization is going to take some of these decisions. These aren’t decisions that they’re used to. For example, should we bring down the IT system in question in order to begin an investigation on the system? Or should we keep the system running as business as usual in order to keep operations running? So that’s an interesting trade-off. 
Because on the one hand, if I bring the system down, I can cause business damages. In a sense, I alert my customers or my supply chain that a system is no longer available. But on the other hand, I want to investigate the system. I need to find out what’s happening. So there are all these tricky decisions, and it’s not really clear inside an organization whether or not they know who takes these decisions. What’s the right process for taking the decision? Who is the ultimate decisor? What checks or what considerations do we need to take with other teams before we take the decision? And that also creates a lot of misalignment and chaos. So in a sense, it’s people, it’s language, and it’s decisions.

Terry Gerton It’s a really helpful framing. I’m speaking with Josh Ferenczi. He’s the head of the innovation lab at Cytactic. One of the other features that caught my eye is that most of these companies and government agencies have cyber incident response plans, but those response plans go out the window almost immediately. And in the military we used to have a saying that “no plan survives first contact with the enemy.” What are you finding here, in terms of how agencies and companies can use that response plan and actually leverage it as opposed to saying, “Oh, well, we had a plan, but now we have to do something different.”

Josh Ferenczi It actually reminds me of a Mike Tyson quote that says, “Everyone has a plan until they get punched in the face.”

Terry Gerton Same idea.

Josh Ferenczi And exactly, it’s the same idea, and incident response is very much like that. Some organizations have incident response plans, but there are several problems with their plans. The first problem we encounter is that their incident response plan is usually on paper. It’s a paper document. And this file, whether or not it’s printed as a backup copy, is very difficult to use during the incident. It’s very difficult to flip through these pages. What pages are relevant for this team? What pages are relevant for that team? So it’s not dynamic; it’s basically a very difficult tool to use during response. The second issue with traditional incident response plans is that most of the time it hasn’t really been worked on for a large span of time before the incident. Maybe the plan was prepared a year ago, it was prepared six months ago, the person who prepared it is no longer here with us at the organization, they haven’t updated it, they’re using an old version. So it’s not continuously being refreshed or tuned for the organization. That’s a second issue with traditional incident response plans. And a third issue that incident response plans have is that they’re static. So you have a plan for what you’ve prepared it for, but most of the time the incident looks different. The incident looks unique, it has its own traits. And the plan you’ve prepared is not prepared for this incident. So what ends up happening is teams quickly lose faith. Or they lose trust in the plan itself, they toss it to the side and they start improvising. You don’t really want to be in a room with a bunch of executives who are improvising for the first time under a tremendous amount of urgency. So traditional incident response plans are scoured with issues. 
And part of what organizations need is a technological system, something that is dynamic, something that is adaptive, something that is able to receive information and change the plan as it goes, much like a consultant would do with you in the room, right? You would sort of aggregate the facts of the situation, you’d share them with an advisor, and you’d ask the advisor to share advice on what to do next. And as information changes, of course the advisor’s guidance is going to change. It doesn’t stay the same. And that’s what we need with our plans. We need our plans to be able to change as the incident unfolds. One of the challenging parts of managing incident response is that information kind of trickles in day by day. You don’t have the full picture on day one. And what do you do to respond when you only have part of the picture? You only have part of the information. And every day or every week you unfold more and more of this information. So you need a plan that’s able to guide your team, that’s able to bring these stakeholders together, that’s able to orchestrate people who don’t speak the same language in a dynamic fashion.

Terry Gerton For government leaders who are just tuning in to our conversation, what’s one thing about this report that should change how they think about cyber incident planning? Like, starting immediately?

Josh Ferenczi The first thing I would say is that organizations would really benefit from deciding, in a sense. It’s taking the decision of who is going to be my team when we respond to an incident. And getting this team familiar with themselves, with each other. Many times we sort of rush, organizations rush into a tabletop exercise, sort of a scenario. And let’s see how we manage this scenario. But I would take a step before that, just to get the team used to each other. Introductions; if you can, make some cadence of touch points between them throughout the year so that they regain familiarity with each other and their working methods. I think this is number one. It’s essentially build your team and get your team familiar with one another. The second thing they can do from a point of readiness is begin to assign those team members their roles and their responsibilities in the incident itself. So you can start to think about what are going to be, let’s say, the top two or three action items for each of these team members? They should know that they will be the ones responsible for these action items, and they should be able to know who they need to consult with. Who do they need to work with for those action items? So first I would say build your team, get your team familiar with each other. Second, I would say assign roles and responsibilities. And at that point is when I would begin to open the situation up: Okay, now that we have the team and we have our roles and responsibilities, what are those key scenarios that we need to be prepared for? Because those key scenarios have an outsized impact on our work, or our ability to do what we’re supposed to do. And what that does is all of a sudden it turns our readiness or our tabletop exercise into something that’s risk-tuned, into something that’s specific to what I consider important. And if you get those three things together, I think it’s a great start to your readiness.

The post When a cyberattack hits, breakdowns inside the organization may be as dangerous as the hackers themselves first appeared on Federal News Network.

© The Associated Press

A video monitor, when active, shows the threat level to the nation's infrastructure in the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018. The center serves as the hub for the federal government's cyber situational awareness, incident response, and management center for any malicious cyber activity. (AP Photo/Cliff Owen)