How not to panic in an IT security crisis
Every breach of your network or denial of service attack is serious, but it's not necessarily a crisis.
A crisis is Sony Entertainment's servers being wiped. A crisis is Ashley Madison's membership being exposed.
And sooner or later, warns Chris Williams, chief cybersecurity architect of Virginia-based systems integrator Leidos Holdings, IT leaders in every organization will face a heightened security situation.
When that happens, he told infosec pros Wednesday in Toronto at the SC Congress conference, they'd better be prepared, and prepared to keep calm.
"Until we embrace the new paradigms of cybersecurity, this (a crisis) is probably going to be a future trend."
The co-author of the textbook Disaster recovery plans meet insurance policies
Meanwhile, getting good status reports will be difficult, in part because no one knows what's important. Expect middle managers to ask for irrelevant information like how many servers are back up. "One of the challenges you're going to have at a subordinate level is reading between the lines of what management is trying to accomplish," he said.
Among his pieces of advice:
– "When you think you're over your head, the scope is more than you can handle in a day or it will cost a lot to recover, that's the point to make a preliminary report to senior management. It should include what you know, what you don't know, what is understood about the attacker, what will be required to stabilize the situation, what is required to resolve the situation, what help should be called in immediately to start the response";
– figure out what management needs to know. It will help to make a chart that says what IT's goals/milestones for recovery are and how far you are right now in achieving them;
– if you have to quickly write an RFP to hire a third party for help and are unprepared, don't be afraid to ask them for help on the terms. A good contractor will understand your situation and say, "Here's what you should be asking of me." Better that than a poorly drafted RFP;
– money is your friend; in fact it may be the only resource that is easily obtained. Money can buy resources, expertise, free up your staff, buy service to get business restored;
– take care of your people. (In fact, he says, if possible use HR or other staff while they wait for their systems to come back online.) They'll need backup relief, food, daycare, dry cleaning. Make sure they don't burn out, so establish work schedules and enforce them;
– there will be a tension between security and IT that has to be managed. IT wants everything up. Security wants everything locked down. Manage this by "maximum allowable risk": doing things "quick and dirty" and then building from that to get back to full operating capacity.
There are five factors in crisis operations, he said: Plan (you have to have a plan to get an organization to do something, otherwise you'll be paralyzed); Process (you need processes for co-ordination and communication, perhaps a war room); Prioritization (you can't do everything at once: what goes up first, operations, infrastructure, contingency systems, communications?); Parallelism (put all available resources to productive work); Sequencing (you have to get the network up before the virtual machines).
In an interview Williams said the worst mistake organizations make in a crisis is not bringing in help. "They chose not to get help either because they don't know exactly what they need or subordinates are scared to ask because they know it will cost money or will take work." Instead they try to work through the crisis, miss goals and the recovery falters.
But he also said the CEO, CIO and CISO have to work together to keep business, IT and security recovery risks balanced. A good compromise, he added, is when all three are equally dissatisfied with how the recovery is going, because it's likely the three areas are balanced.
Above all, he said, "Think about crisis planning now, before it's a crisis."