Secure Our World: Mastering the Fundamentals of Incident Resilience
Oct 13, 2025
We clarify the distinct but coordinated roles of Incident Response (IR) Plans, Disaster Recovery (DR) Plans, and Business Continuity (BC) Plans, which together form a resilient defense system against modern disruptions. This episode details the foundational controls essential for organizational readiness, emphasizing cyber hygiene basics like Multi-Factor Authentication (MFA), timely patching, and establishing isolated data backups. Drawing on NIST and CISA guidance, we break down how effective planning and regular exercises transform chaos into a structured, continuous improvement cycle for security. https://irmaturityassessment.com Sponsor: www.cisomarketplace.com
0:00 Cyber security preparedness. It's really not just an IT task anymore, is it? Something you hand off and just hope works out.

0:06 No, not at all. It's fundamentally shifted. It's now an operational survival strategy,

0:11 right,

0:11 for the whole organization,

0:12 right? And today we're doing a deep dive into some really critical guidance on this. We're pulling from CISA, that's the Cybersecurity and Infrastructure Security Agency, and also from experts advising, interestingly, the judicial system,

0:26 all focused on one core idea. How do leaders, you, whether you're running a small shop or a huge company, actually build genuine cyber readiness?

0:36 Exactly. And our mission today is, well, to take those CISA Cyber Essentials, which can be a bit dense, and those detailed incident response frameworks.

0:45 Yeah, they can be a lot.

0:46 They can. Boil them down. We want to focus specifically on the non-technical foundations leaders must lay down, because the sources are crystal clear. Surviving modern attacks, things like ransomware or massive DoS events,

0:59 the really nasty stuff.

1:00 The really nasty stuff. It isn't just about having the fanciest firewall. It's about culture. It's about planning. Cyber risk isn't isolated anymore. It's a holistic threat.

1:10 It's everything. Operations, reputation, customer trust,

1:13 your bottom line, even your organization's basic survival. It's that serious now. And look, as we talk about the investments needed for this, the planning, the tools, we really want to thank our sponsor. When leaders like you need to invest in the right cyber security capabilities, the place to find those specific tools and services is www.cisomarketplace.com.

1:35 A great resource for exactly these kinds of challenges.

1:38 Let's unpack this then. If we accept that readiness starts at the top, that it's cultural, what's the absolute first step, the maybe hardest thing a leader needs to do?

1:48 It really starts, and honestly it ends, with a leader, with you. Your main job here is driving the strategy, getting the budget, and then rigorously enforcing that culture of security.

1:59 And you don't need to be a tech wizard to do this.

2:01 Absolutely not. Being a cyber leader isn't about coding or network diagrams. It's about having the, uh, the political will, really, to drive change, to make sure everyone is aware across every single department.

2:15 So leading the investment not just in shiny new tech but

2:19 but crucially in continuous training, awareness programs for every single person on the payroll. That human element is key.

2:28 That brings us right to the staff, doesn't it? The sources we looked at consistently point to the users, the people actually clicking things, as well, often the first line of defense, sometimes the weakest link.

2:38 Precisely. You can have the best tech stack in the world, but one wrong click on a malicious link

2:43 and you're compromised.

2:44 So, the training needs to be different.

2:46 Exactly. It needs to shift from just, you know, informing people to actively changing their behavior. It can't just be that once-a-year PowerPoint clickthrough anymore,

2:53 right? Like cyber hygiene.

2:55 That's a perfect analogy. Like handwashing. Yeah. You're not just teaching what phishing is. You're building a habit of vigilance, of skepticism,

3:02 and reinforcing it constantly. Testing, policy adherence, the whole package.

3:06 Okay. Culture and people are foundational. Let's shift to some concrete actions. What are those immediate, high-priority technical things leaders can mandate, maybe without needing a giant consulting project?

3:20 Yeah, there are some basics outlined by CISA that are just essential. We can group them into three steps around inventory and access. First, learn what is on your network.

3:29 Simple, but crucial.

3:30 It sounds simple, but it's often overlooked. You absolutely cannot protect what you don't even know you have. This means keeping up-to-date inventories, hardware, software, all of it.

3:41 Especially with shadow IT and cloud services all over the place now.

3:44 Exactly. You need to know what's in play, as they say, and therefore what's actually at risk. What's your attack surface?

3:51 Okay. Know your battlefield. That's step one. What about the people on that battlefield? Step two.

3:53 Step two, learn who is on your network. Inventory all connections, not just employees, but vendors, partners, remote workers, everyone. And then, this is probably the single biggest technical impact a leader can mandate: implement multi-factor authentication.

4:09 Yeah. MFA

4:10 for everyone. You start immediately with the privileged accounts, admins, remote access users, because they hold the keys. Yeah.

4:18 But ultimately, everyone needs it. No MFA, it's like leaving the front door wide open. Seriously,

4:22 MFA is huge, foundational, but I imagine rolling that out across a big, complex organization, that's a major lift culturally and logistically. What's the pushback?

4:34 Oh, absolutely. It's inertia. It's perceived inconvenience. It takes too long. It's annoying. But you have to weigh that against a catastrophic ransomware attack.

4:42 No comparison, right?

4:43 None. Leaders have to frame MFA not as optional, not as a suggestion, but as a core operational requirement tied to policy. You can't log in securely, you can't access the systems. Period.

4:54 Tough but necessary. Okay. And step three, you mentioned access control.

4:58 Yes. Strict access control. This is often called the principle of least privilege. It's vital.

5:02 Explain that simply.

5:04 Think about keys to your house. You give the house cleaner a key to the front door. Maybe you don't give them the key to your safe,

5:10 right? Makes sense.

5:12 Same idea. You restrict access and admin permissions based purely on what someone needs to do their job. Need to know. If the marketing team doesn't need to change firewall rules, they don't get permissions for that. It minimizes the blast radius if an account does get compromised.

5:28 Okay, this is where it gets, well, really interesting and frankly a bit terrifying. If we operate on the assumption that a breach, especially a sophisticated one, might be inevitable,

5:38 which is a safe assumption these days,

5:40 right? Attackers only need to succeed once. So, what's the absolute linchpin for survival? The most critical asset. It's got to be the data, right? And getting it back.

5:49 It is absolutely the data. Your IP, your customer data, your financial records, your operational plans. That's the lifeblood. Recovery has to start there.

5:58 So, how do we ensure data survival according to these frameworks?

6:02 Two core elements come through loud and clear. First, you must inventory information assets. This goes beyond just knowing your hardware. You need to know what sensitive, critical data you actually have, where it lives, where it moves. Is it on-prem, in the cloud, both?

6:15 Know what you have, where it is. Got it. And the second piece, the what-if-it-all-goes-wrong plan,

6:22 that's multi-level redundancy with backups. The CISA guides, the judicial advice, they're all unequivocal on this. Even the best defenses can be breached. Your entire contingency, your ability to not pay a ransom, hinges on recovering systems and data from known, accurate backups.

6:39 If you can't restore, you're basically stuck. You pay or you potentially fold.

6:44 That's the stark reality.

6:45 And the sources were really specific here. Just having a backup isn't the end of the story anymore. They talked about advanced security for the backups themselves.

6:52 That's right. It's not enough to just run a backup job. You need regular automated backups. Sure, redundancy. But the critical piece, especially against ransomware, is protecting the backups themselves.

7:02 Ah,

7:03 encryption is table stakes. Physical security for any tapes or drives.

7:07 Yeah.

7:08 And the absolute non-negotiable: offline copies, what we often call air-gapped storage.

7:14 Okay. Explain air-gapped for a leader who isn't deep in IT. Why is that separate, isolated copy so vital?

7:21 Think of it as your fireproof vault, completely disconnected from the main building. Sophisticated attackers know about backups. They actively target them. They'll try to encrypt or delete your online backups right after they hit your main systems.

7:35 So they cut off your escape route.

7:37 Precisely. An air-gapped backup, one that's physically disconnected or logically isolated with network controls so stringent it might as well be, is the only way to guarantee they can't touch it. When your network is burning down, if that backup is safe in its vault, you still have a path to recovery.

7:54 That's a powerful image. The sources also mention long-term retention. Keeping backups for months. Why so long?

8:01 It's because of dwell time. The detection gap. Attackers can be inside your network for weeks, months, sometimes over a year before they actually pull the trigger on the ransomware or start stealing data.

8:11 Wow, that long.

8:12 Oh yes. So if your backup cycle is only, say, 30 days, you might just be backing up systems that are already compromised. You need retention going back several months, ideally, so you can restore to a point in time before the initial intrusion happened, a clean state.

8:29 Okay, so that's the preparation side. Now let's shift gears. What happens when the alarm bells do go off? Active crisis response,

8:36 right? The moment of truth.

8:37 The sources give us a really clear framework for this. Sometimes called the ABCs of cyber security incident response. It stands for assess, block, collect, and disseminate.

8:47 ABCs. Okay, sounds manageable. When that first alert hits, what's the focus under assess and block?

8:53 First up is assess. You need visibility. Use your logging and monitoring tools, hopefully automated, to figure out the scope. How bad is it? What's affected?

9:01 And the logs themselves are critical here.

9:04 Absolutely critical. Think of them like an airplane's black box. But crucially, those logs must be stored securely, tamper-resistant, and ideally isolated from your main production network.

9:14 Why isolate?

9:15 Because attackers know logs track their movements. A primary goal for them is often to delete or alter those logs to cover their tracks. If your logs are on the same compromised network, they're gone. Secure off-network storage is key for forensics.

9:28 Makes total sense. Secure the evidence. Then fast reaction: block. Containment.

9:33 Containment is everything in those first minutes and hours. Limit the damage. If you suspect ransomware, the guidance is often stark. Disconnect the affected machine. Pull the network cable. Isolate that segment of the network immediately.

9:47 Don't wait. Just cut it off.

9:48 Don't wait. You have to stop the bleeding. Prevent data exfiltration. Stop the spread across other systems. Fast recognition. Rapid isolation. That could be the difference between losing one machine and losing the entire company.

9:59 Okay. Contained. Now what? Collect. This sounds like forensics. What does a leader need to understand about collecting evidence?

10:06 It means preserving the digital evidence in a way that's legally sound. Think chain of custody. Making sure data isn't altered. You need to understand what happened, the type of attack, where it came from, how long it lasted, which systems were hit. This isn't just for fixing things. It's crucial for legal action, insurance claims, understanding your vulnerabilities. You're building the case, essentially.

10:30 And there's a legal dimension here, too. The sources specifically warned against, what was it? Hacking back.

10:36 Yes, absolutely. Critical point. Under US law, you must never hack back. Even if you think you know who attacked you, trying to access their systems, even to retrieve data or retaliate, is illegal. It constitutes unauthorized access. You have to rely on law enforcement. Period.

10:51 Good warning. Okay, the final step. Disseminate. Communication. This often seems like where companies stumble publicly. Why is speed and transparency so important, even if you don't have all the answers yet?

11:02 Because trust evaporates quickly, especially now. Rumors fly, social media lights up. You lose control of the narrative almost instantly if you stay silent.

11:10 So, get out ahead of it.

11:12 Get out ahead of it early. Proactive communication is vital. Acknowledge the incident. State what you know honestly, even if it's incomplete. Explain what you're doing about it. Provide a timeline for updates. Having a single authorized spokesperson is key. It prevents mixed messages and helps preserve that public trust. And frankly, trust is often harder to rebuild than your servers.

11:33 And it's not just about PR. There are serious legal teeth here.

11:38 Absolutely. Many places have laws with strict timelines for notifying people if their data might have been compromised. Failure to safeguard data, failure to notify promptly, that brings statutory penalties.

11:49 We saw that emphasized in the materials related to court systems. They have very specific federal and state breach notification rules. These aren't suggestions. They're legal requirements with potentially hefty fines for delays. We're talking hours sometimes, not days or weeks.

12:03 Okay, this is complex stuff. Implementing robust MFA, designing those secure air-gapped backups, getting the logging right. If you're leading this strategy and need to find the right technology partners or specific services to make these CISA essentials a reality, that's where our sponsor comes in. Check out the resources at www.cisomarketplace.com.

12:25 Exactly the place to find those solutions. All right, let's talk about the final piece of the puzzle. Testing, training, and exercise.

12:32 TT&E.

12:33 Ah, yes. The drills. Sometimes feels like homework. Maybe

12:37 leaders might see it as a cost. Yeah. But the source materials treat it as absolutely essential. Like insurance you hope you never use, but you must have. An incident response plan sitting in a binder is useless. It needs to be muscle memory.

12:51 And the NIST materials we looked at broke down the types of exercises nicely. Good for leaders figuring out where to start. First, the tabletop exercise,

12:59 right? Tabletops are discussion-based. You get the key people in a room. Could be two hours, could be a full day, with a scenario. Maybe it's that phishing attack that turns into ransomware.

13:07 And you just talk it through.

13:08 You talk it through. What's your role? What does the plan say you do? What communication happens? Who calls who? It's very cost-effective for just validating the plan itself.

13:19 Does it make sense? Do people know their part?

13:21 Okay, that tests the plan on paper. What about testing the actual execution, the tech, the people under pressure? That's the functional exercise, right?

13:29 Exactly. Functional exercises are hands-on. You actually simulate the incident. Maybe you do take a system offline. You make people use the backup communication channel so they perform their actual response duties in a simulated environment.

13:42 Sounds more involved.

13:43 It is. It can last hours or even days, but it provides that invaluable hands-on practice. Can we actually restore from backup? How long does it really take? Do the emergency procedures work?

13:54 And the big benefit here, maybe beyond just the practice, is that these exercises give you hard data, proof points for investment.

14:01 Absolutely. They expose the gaps in a way nothing else can. If your tabletop says backups are secure, but the functional exercise shows it takes three days to restore critical systems, well, that justifies the budget request for a better backup solution.

14:14 Or if staff can't find the paper forms when the network is down.

14:17 Exactly. It highlights training needs, process flaws for those critical functions like court arraignments or protective orders mentioned in the judicial guidance. Exercises prove you can maintain operations even if the digital systems fail. Yeah,

14:32 that's real operational continuity.

14:35 So, wrapping it up for the leader listening, what's the bottom line? Cyber readiness needs tech investment, sure, but it seems like the real core is strategic leadership, driving that culture change, demanding proactive planning, and then testing it all relentlessly.

14:50 That's it in a nutshell.

14:51 We've covered a lot today, really digging into building cyber resilience, focusing hard on what leaders need to own. The key takeaways for you seem pretty clear. You have to drive the investment, both financial and cultural. You absolutely must prioritize robust, secure, offline, air-gapped backups. That's your ultimate safety net. And you have to test your plans regularly. Simulate the crisis before it happens.

15:13 And remember, the threats aren't going away. They just evolve. Whether it's simple attacks hitting unpatched systems or those really targeted spear phishing campaigns CISA warned about, proactive, tested planning is genuinely the cornerstone of resilience. It's what lets you survive.

15:28 And one last reminder for leaders looking for the specific tools, the partners, the services to build this readiness, from MFA to backups to logging. Find solutions and providers at our sponsor, www.cisomarketplace.com.

15:43 Okay, final thought to leave you with, something provocative.

15:47 The data suggests the average time an attacker stays hidden inside a network before being detected is around 181 days.

15:54 6 months.

15:55 6 months. And then the average time to actually contain and clean up the mess is another 60 days.

16:00 Two more months,

16:01 right? So ask yourself this. If you found out today that you were compromised 6 months ago, how would your organization actually function if you lost all your main digital systems for the next two months? That massive gap, the hidden compromise plus the lengthy cleanup,

16:16 that's where all this preparedness truly proves its worth. That's the gap you're trying to survive.
#Business Operations
#Computer Security
#Network Security

