How are you practicing your Information Security incident response capability?
As the 2020 Tokyo Olympics closed this past weekend, I’ve been reflecting on the incredible physical, mental, and collective accomplishments of all Olympians. There have been countless human interest stories on the different journeys the athletes have taken over the last months, years, and decades to reach the Olympics – all with the common theme of striving for perfection through hours upon hours of practice and preparation.
With the likes of SolarWinds, Colonial Pipeline, Kaseya, DarkSide, and REvil filling the major news cycles over the last year (not to mention the countless small businesses, municipalities, and school districts who don’t make the national news cycle), ransomware and cyberattacks are no longer terms relegated to Information Security professionals. This blog post sets out a vision of how business leaders and CISOs can take lessons from Olympians to elevate their teams and businesses for future success.
Know what you want to do at game time (have a plan)
No athlete or Olympian shows up under the lights by themselves with only a “let’s see how it goes” mentality. They have a network of coaches, trainers, teammates, supporters, etc. who have partnered together to get them to Tokyo with a clear vision of how they want to perform. And almost equally important, they each know their role in supporting the athletes and where they need to lean on each other – coaches who don’t listen to doctors and trainers may drive their athletes to injury, making them incapable of competing.
Creating an Incident Response Plan (IRP) that is based on your business strategy and your risk posture is the first step to being successful in weathering and overcoming a ransomware attack. Identifying the key stakeholders, establishing roles and responsibilities, and defining a set of steps and processes is foundational to all subsequent activities before, during, and after an attack.
Learn from others and continue to raise your own game
The world watched as Simone Biles made the self-aware and courageous choice to withdraw from the team all-around Gymnastics competition, opening the door for a Women’s Gymnastics competition that no one predicted. While much attention has been paid to Simone’s personal decision, an equally impressive (but not entirely surprising) outcome is that different US Gymnastics team members won medals in every individual event. I believe this is in no small part due to the impact of Simone Biles’ pushing the sport forward and the US team being able to observe, train with, and learn from Simone on their journey to Tokyo.
In the ransomware game, it is critical to review and revise your Incident Response Plan based upon threat intelligence, breaches of other companies, and input/suggestions from industry peers, consulting firms, and analysts. You may not want to (or need to) be the top performer in your industry and have a risk tolerance to match. However, being unwilling to interpret how the other players are showing up and adapt your own approach to incident response will absolutely leave you off of the podium.
Practice, practice, and practice again
Malcolm Gladwell came up with the 10,000-hour rule as a heuristic for what is required for mastery in any given subject. I recently read that Katie Ledecky has swum over 600,000 miles since she was a little girl on her way to becoming one of the greatest swimmers of all time. Every time an athlete enters the pool, the court, or the field, they build a bit more muscle memory, refine their craft, and learn how to be better the next time. As spectators, we only see the results of these thousands of hours of practice for about 2 weeks every 4 years (5 years this time…thanks, COVID).
While 10,000 hours of practice may feel unrealistic for your IT and InfoSec organization, consider these questions: How much time has your organization spent over the last year “practicing” for a security incident, let alone a ransomware attack? When was the last time you and your teams conducted a simulated event (sometimes in the form of a tabletop or red team exercise) to make sure everyone knew what to do and was able to contribute their part? How many team members have left or changed roles since that last simulation?
Many companies have an IRP and a security team who are well aware of the threat landscape, but are unfortunately caught “flat-footed” when hit with an actual ransomware attack because the plan wasn’t followed or the right people weren’t involved at the right times. That’s why it is imperative to practice, practice, and practice again!
ImagineX Consulting helps our clients #BeBetter through cybersecurity and technology consulting services. We would love to help your organization practice for the worst so you’re ready to play in the event of a ransomware attack.