
GUIDE

Cyber Response Builder
Your Guide to Implementing a Successful Cyber Response Strategy

CYBER RESPONSE BUILDER 1


Your Guide to Cyber Response Success
We help organizations around the world achieve the right level of
resilience, and that includes developing a robust cyber response
capability tightly integrated with your cybersecurity management,
incident management, IT disaster recovery, and business continuity
programs.

So, why does your organization need this additional layer of resilience,
especially if you already have an effective cybersecurity program?

Well, unfortunately, because attacks are growing in sophistication and
capability, prevention alone is no longer enough. In fact, you don’t
even have to be the intended target of an attack for your business to be
affected: an attack on anyone in your supply chain will impact
your business.

While your cybersecurity program can help you establish effective
controls to thwart an attack, you must also adjust your mindset to
the reality that even the best cybersecurity programs can’t stop all
attacks, so you need to be prepared. Effective cyber response is more
than just a technical response.



cyber resilience (noun): your organization’s ability to quickly
anticipate, adapt, respond, and recover from a cyber attack



Slightly more than half of the surveyed organizations said they do not have plans to
both prevent and respond to a cyber incident. Out of the 951 organizations that had
a response plan, only 32% said the plan was actually effective.
SOURCE: The Hidden Costs of Cybercrime Report | McAfee

DOES THIS SOUND FAMILIAR?

With cyber attacks impacting organizations all over the world, we often hear
combinations of the following worries from many of the CISOs and CIOs that we
speak with:

“It’s not a matter of if but when a successful cyber attack disrupts my company,
and I’m not really sure how we are going to respond to minimize downtime and
impact.”

“I am told we are ‘ready,’ but I haven’t seen concrete outputs to really know how
we would respond to an actual attack. And worse, other senior leaders often ask
about what they are expected to do during a cyber attack.”

“I am confident about being able to technically respond, but I am not sure how to
coordinate the response well across the rest of the organization.”

If any of this sounds familiar, then you have gaps in your approach to cyber
resilience that will negatively impact your ability to mitigate and respond to a
cyber attack.

THE TRUTH IS...

We’re no longer operating from a standpoint of “if” we may fall victim to a
successful cyber attack. We need to shift to a “when” perspective.

SO, IF YOU CAN…
Proactively build your cyber response capabilities to anticipate, respond to, and
recover from cyber attacks…

THEN YOU WILL…
Gain confidence in your organization’s ability to effectively respond to and
successfully recover from such an attack in a way that minimizes the impact on
your critical business services, customers, employees, key stakeholders, and the
market.

Ready to get started? Let’s dive in.



Cyber Response Builder
Your Guide to Implementing a Successful Cyber Response Strategy

01 Level Set
02 Create Focus
03 Take Inventory
04 Build Response Strategy
05 Create Competencies + Confidence



01 Level Set
While all organizations are at risk of a successful cyber attack, that level of
risk depends on a range of factors and varies from organization to organization.
Likewise, the impact of a cyber attack on one organization can be far greater for
its customers or the public in general than the same attack on another.

Here are a few example factors that will impact your organizational risk level or
impact severity:

1. Do you manage private, protected data – such as PHI, PII, or PCI – where you
must adhere to regulations around how that data is managed?
2. Do you serve the public and have a social responsibility to continuously
operate – such as hospitals, banks, and utilities – where, in extreme cases, a
disruption may cause loss of life?
3. Does your business model offer customers Service Level Agreements (SLAs) with
financial penalties?
4. Is your brand critical and valuable – where a disruption would harm your
reputation?
5. Does your business rely on extensive data sharing with other organizations,
presenting additional risks associated with cyber attacks and data breaches?

The applicability of these factors will impact your organization’s level of risk
and directly influence the level of capability needed for your cyber response
strategy. So, level set at the start and consider these factors for your
organization, along with your business goals and environment, as you begin
assessing the level of cyber response capability you need to deliver resilience.

But, first, you must create focus.



02 Create Focus
Not everything an organization delivers and does is equally important or
time-sensitive; certain products, services, and supporting business processes are
more important than others. That’s why you must prioritize creating focus on what
you need to protect first and foremost.

Engage leadership in a scoping and prioritization discussion from the start (we
call this a Frame meeting), use voice-of-the-customer techniques, and, as
appropriate, talk to regulators regarding impact and expectations.

More specifically, gather the rest of your executive team in the same room to get
in sync on the answers to these four questions:

1. WHY should we invest in building a cyber response and recovery capability?
2. WHAT are we trying to protect in terms of important business services, and
what systems would make us vulnerable if they experienced a cyber disruption?
3. HOW much business continuity and cyber response capability do we need?
4. WHO should own cyber response, and how does it fit into existing information
security and business continuity programs?

Once you narrow your scope, you need to assess when the loss of these key
products, services, and processes because of a severe but plausible event will
result in catastrophic consequences and pain for your organization, customers,
and the market.

Use this information to assess impact and set downtime tolerances that reflect
the level of risk you’re willing to accept. This assessment effort will influence
your investment strategies in your prevention, protection, and cyber response
efforts.



03 Take Inventory
Regardless of the level of cyber response maturity you decide
is needed in your company, most organizations have formal and
informal capabilities in place to respond. However, many have
never been tested and could be improved.

To get started, take inventory of your important business services and
underlying data by capturing the following information so you can start
uncovering gaps and hidden cracks that increase your vulnerability. Map out:

• Technical and data dependencies to the in-scope products and services defined
in Step 2
• The types of data being stored and where (PHI, PII, PCI)
• The manual workarounds currently in place and the consequences of using them
• External dependencies including 3rd parties and business process outsourcers
(BPO)
• Underlying data stores and their immutability and isolation from production
and disaster recovery environments

The question you’re trying to answer here is: Where do we have our most
significant exposure or vulnerability?



04 Build Response Strategy
Even if you know where your vulnerabilities are, you won’t be cyber resilient if
you don’t have an effective response and recovery strategy in place. And this
responsibility doesn’t fall only on the IT team’s shoulders, as this is a
business responsibility. An effective response strategy includes
cross-departmental collaboration, as well as involvement and investments from
your leadership team, key stakeholders, and partners.

The key elements for developing your cyber response strategy include:

• Important Business Services and Critical Asset Identification (including
impacts to identify gaps)
• Crisis, Incident, Cyber and Security (if separate) Response Teams Coordination
• Clear Roles and Responsibilities with Trained, Competent People (both
leadership and technical)
• Internal and External Communication Strategies
• Third-party Engagement Approaches
• Ransomware Policies and Processes (including payment capabilities if
appropriate)
• Breach Assessment and Remediation Processes
• Evidence Collection and Documentation Processes
• Resolution and Business Recovery Capabilities and Implementation Procedures
(including alternate processes and manual workarounds)
• Closure Process

Check out the Appendix for a detailed view of inputs to the key elements listed
above.



05 Create Competencies + Confidence
Competent people are essential to a successful response.

Role-specific and team training programs are essential, as are exercises that
closely resemble an actual cyber response. Putting both leadership and technical
teams through real-life scenarios is the best way to create key competencies and
reinforce key actions through trial and error in a safe environment, while also
highlighting vulnerabilities and opportunities for improvement.

Beyond exercises focused on building skills and experience, technical tests that
focus on successfully recovering applications and data are essential as well.

Collectively, training, testing, and iteration not only create competencies and
capabilities, they also create a third “C”: confidence.



CYBER RESPONSE ASSESSMENT

Let’s level set on the current state of your organization’s cyber response capability.
Can you confidently and honestly respond “Yes!” to the following statements:

1. I have defined which players are required to be on the field and when,
spanning Crisis/Incident Management, Security, Data Protection, Business
Continuity, IT Disaster Recovery, and Cyber Response teams. YES / NO

2. I have defined, documented, and assigned clear roles and responsibilities with
trained, competent people (across both leadership and technical resources).
YES / NO

3. I have clearly assigned designated authority to act. YES / NO

4. I have defined, documented, and tested internal and external notification
strategies and capabilities. YES / NO

5. I have defined, documented, and tested third-party engagement approaches.
YES / NO

6. I have defined, documented, and tested cyber insurance and law enforcement
engagement approaches. YES / NO

7. I have defined, documented, and tested processes to capture and retain
evidence. YES / NO

8. I have defined, documented, and tested processes to assess and contain the
breach. YES / NO

9. I have defined, documented, and tested processes to effectively recover
business operations across the organization (even partially), including
alternate processes and manual capabilities. YES / NO

10. I have seen concrete results across all risk disciplines that prove we are
ready to respond and recover, and I am confident in reporting our position with
supporting data to the Board showing we are fully capable of quickly and
completely responding to a cyber attack. YES / NO

If you can’t confidently and honestly respond “Yes!” to the 10 questions above, book a meeting with our team today. We can help
you quickly identify the hidden vulnerabilities in your current cyber response capabilities and define a clear path to close the gaps.



We Can Help
We help organizations around the world achieve the right
level of resilience, and that includes developing a robust
cyber response capability that’s tightly integrated with
cybersecurity management, crisis/incident management,
IT disaster recovery, and business continuity programs.

We can help you:

• Understand where you are today with your cyber response readiness and
preparedness, explore where you need to be in the future, and define a clear
path to bridge that gap.
• Get real results by building your cyber response capability and inspiring
confidence in your organization’s ability to successfully respond to and recover
from a cyber event.

Ready to get started? Book a meeting with our team today.

BOOK A MEETING



APPENDIX

DETAILED VIEW – BUILDING RESPONSE STRATEGY

An effective response strategy includes cross-departmental collaboration, as well
as involvement and investments from your leadership team, key stakeholders, and
partners.

Here is a detailed view of the key elements necessary for developing your cyber response strategy:

Important Business Services and Critical Asset Identification (including impacts
to identify gaps)
• Identify critical business services (internal, and external services delivered
to customers)
• Identify threats and vulnerabilities
• Assess the impact of disruption (BIA)
• Prioritize risks (plausible, severe, and extreme)

Crisis, Incident, Cyber and Security (if separate) Response Teams
• Incident Response Procedures
• Teams coordinated and aligned
• Escalation, decision making, and authority
• Identification and Reporting Criteria (log everything)

Internal and External Communication Strategies
• Stakeholder Communication Process and Messaging
• Media (social and press) and PR management
• Legal – identify your legal obligations regarding the reporting of incidents to
regulators and the management of a privileged incident


Ransomware Policies and Processes (including payment capabilities)
• Negotiation capabilities (internal or external)
• Engage cyber insurance provider
• Law enforcement engagement
• Stakeholder communication process, messaging, and decision-making process

Breach Assessment and Remediation Processes
• Forensics capability
• Triage (understanding the type and severity of an incident)
• Categorization of breach (malicious code, DoS, phishing, unauthorized access,
insider, data breach, or targeted attack)
• Breach containment and mitigation capability
• Analysis and monitoring (the attacker may react to your actions)

Resolution and Business Recovery Capabilities and Implementation Procedures
• Confirmation of threat removal
• Playbooks and cyber recovery technical runbooks
• Business continuity plans and ITDR plans
• Return-to-BAU testing and sign-off

Closure Process
• Legal, regulatory, and law enforcement process closure
• Major Incident Management, Incident Management, and Cyber Recovery post-mortem
• Document everything



Now you’re ready.

As the largest provider of business continuity and operational resilience
management solutions – spanning consulting, software, managed services, and
staffing – Castellan is uniquely positioned to help clients find the right
balance of risk tolerance and resilience to protect their employees, brand, and
bottom line. Leveraging a proprietary, proven process for driving business
continuity success, Castellan partners with clients to establish a clear vision,
drive real results, and provide ongoing support from its community of business
continuity experts. Castellan helps clients replace uncertainty with confidence.

For more information, visit castellanbc.com.
