
Not Just IT’s Problem: Why Cyber Resilience Is Everyone’s Job - A conversation with Marcel Baschisada
August 15, 2025 · 29 min · 4,005 words
Show notes
In this episode, we speak with Marcel Baschisada, cyber resilience expert at Kudelski Security, about why many organizations aren't as prepared for cyber crises as they think. Marcel takes us through his journey from Big Four IT audit to cyber incident response and explains why simply having a plan isn't enough—you need to know if you can act on it under pressure. We explore the limits of generic tabletop exercises, the value of industry-specific threat intelligence, and the design of dynamic, high-stakes simulations for sectors like pharma, healthcare, and OT. If you want to move beyond checklist compliance and build real crisis muscle memory across your organization, this episode is for you.
Highlighted moments
“a cyber incident, a critical cyber incident, it's not a cyber problem. It's a business problem and can really fast escalate into this.”
“You can have an incident response plan. You can have the BCP. You can have the disaster recovery plan. But can you act according to this plan? This is the real question.”
Transcript
Introduction to Crisis Planning
0:00 You can have an incident response plan, you can have the BCP, you can have the disaster recovery plan. But can you act according to this plan? This is the real question.
0:23 Hello, everybody. This is Belen Santaolalla from Conductor Crisis Exercise Platform. You're listening to the Crisis Designer podcast, where we share tips, thoughts and concepts to help you create impactful crisis exercises.
Guest Introduction
0:45 Today, I'm joined by Marcel Baschisada from Kudelski Security, whose career journey took him from the Big Four world of IT audit and risk management into the field of cyber resilience. After years of assessing organizations against industry standards, Marcel saw a common gap. Policies often looked great on paper, but only a small group truly understood them. In a real cyber crisis, the whole organization needs to act, not just IT.
1:16 Now, he designs realistic, industry-specific crisis simulations, especially for healthcare and pharma, aligning leadership, legal, operations and communication teams to respond effectively when the stakes are highest. Marcel, welcome to the Crisis Designer podcast. How are you today? I'm fine. Thank you, Belen. Thank you for having me. I'm excited for this podcast and, yeah, great to be here. Fantastic. Well, let's start from the beginning.
Helping Clients
1:47 How would you say that you exactly help your clients?
1:52 Yeah, so our goal is to reduce the impact of a crisis, especially a cyber crisis, because, just for the listeners, we are a cybersecurity company. And we have our SOC, we have our incident response team, we have our cyber threat intelligence. That's what makes us so unique, that we are just focused on cyber. And my team and my colleagues, we are especially focused on incident response and crisis simulations, also focused on GRC topics, regulations.
2:31 A lot of regulations now require a tabletop exercise or a crisis simulation. And that's where we come in: we facilitate the exercise, help them with the incident response plans, with the BCP plans, just in general, to make them so resilient that either an attack cannot happen or, when the attack happens, they are prepared to reduce the impact to a minimum. And this is our goal. This is what we're passionate about.
3:02 And, yeah, that's how we try to help the industry. Okay. So you kind of already tackled this, but why would you say your work is important? I think our work is important because we are so specialized in cybersecurity and focused on it. And attackers do the same, right? They don't wait and just stay on the same level. They will improve. And we have ransomware as a service. We have AI phishing campaigns. We have different AI-based methods to attack a company.
3:38 And the threat level just evolves over time. And I think LinkedIn and all the reports sometimes over-dramatize it. But it's true. The attacks have evolved, the attack surface is there, not just for IT environments, also for operational technology environments, for manufacturers, et cetera. I mean, you said in the intro pharma and healthcare, but we also do a lot for other industries, especially also for OT, where in the past they were basically closed factories and no one had access to them.
4:16 But now, with the synergy or the connection from OT to IT, we have a different attack surface. And in combination with the evolving threats and evolving actors, it is really important to be focused on cybersecurity, and to raise awareness through these exercises to show them how an attack can happen. And that's why it's so important. And that's why you always have to test yourself: okay, am I facing these real-world threats right now?
4:54 Am I protecting my company? Am I protecting the assets which are important to our company? Can I protect against operational downtime? Can I face a ransomware attack? Et cetera, et cetera, et cetera. That's why it's so important to be focused on these kinds of topics.
Career Transition
5:14 Got it. And how did you end up moving from IT audit into cyber resilience?
5:21 Yeah, so as you said, I was a long time in IT audit. Basically, part of the financial statement audit is also the IT component. And I was doing this for five years. And then also two years of gap assessments for NIST, for ISO 27001, all these regulations which are really important in terms of information security.
5:53 But I realized some companies are just focused on these compliance regulations rather than real security. And yeah, so for example, you can fulfill the control. You can have an incident response plan. You can have the BCP. You can have the disaster recovery plan. But can you act according to this plan? This is the real question. And also a cyber incident, a critical cyber incident, it's not a cyber problem.
6:26 It's a business problem and can really fast escalate into this. And then there's the question, does your lawyer know about your incident response plan? Or did he ever interact with your cybersecurity incident response team? Is your senior management aware of the threats your IT landscape has? Or can you translate to the board: we need to isolate this location, and that means we cannot work for a certain period of time until we fix this?
6:58 And these are all questions which you cannot answer through just having a control matrix or having these plans in place. These are things you need to face. You need to train. You need to create a muscle memory for these kinds of incidents. And you cannot act in silos. And that's why it's so important to facilitate these tabletop exercises or crisis simulations at least once a year.
7:30 Or if you cannot, then maybe every two years. But you have to have a process in place. And that's why also a lot of regulations require this more and more. I love that. It is not about having a plan. It's about knowing if you can act on it, right? It's really, really interesting. You've seen that gap so often.
Biggest Risks in Sectors
7:51 So from the crisis management perspective, what would you say are the biggest risks in the sectors you're working with? The biggest risks? The biggest risks for the sectors I work with. So I also work with a lot of OT environments and a lot of manufacturers. And for them, the biggest risk is, of course, operational downtime. So if the manufacturer cannot produce or their machines cannot work, then they don't make any money. Or not only this: their reputation, to deliver what they agreed to in the contract, they cannot fulfill this.
8:29 And this is the biggest risk on the OT side. And the other risk, of course, is, like what you always talk about, your data is completely encrypted and you cannot work anymore. You cannot send out invoices. You cannot access your systems. And of course, this is then the case of ransomware attacks, these kinds of scenarios, which is one of the biggest risks for a lot of companies out there.
9:05 Okay, I've been having a look at your LinkedIn profile, which I recommend all the listeners connect with you on. And you normally talk there about the limits of generic exercising. Why do you think these kinds of exercises fail? It's a really good question, because we also facilitated a lot of generic exercises where we had budget constraints and the client just wanted to have a first baseline assessment.
9:44 And we did this. And sometimes, in some exercises, I feel like we're asking these generic questions in the beginning and we just receive generic answers. So, like, what happens if you have a ransomware attack? This will be a really generic, really high-level question, and it would just generate the answer, yeah, we would do this, this, this, and this. And we would isolate this server if it were affected, et cetera.
10:17 But if we really go down and first assess what your crown jewels are and what the most critical assets you have in your company are, and then from there we also take the information on threat actors, how they behave, how they act. As I said, we have a cyber threat intelligence department in our company, so we can ask them, hey, what would be a threat actor in this industry, or how would they act, how would they attack this company?
10:51 And then we can simulate an attack which is highly realistic and detailed, because once it's detailed, you can generate responses which reflect the reality. So I say, this user, this asset, this server is down, this is encrypted, what are you going to do now? Do you have manual workarounds, do you have backups, where do you have the backups, can you restore them? What if the backups are infected, and where did you store the backups? Who has access to the backups?
11:23 Who can change the backups? Is there a user in your company who, when he gets infected or compromised, it will be a complete disaster and there can be lateral movement to the AD domain? Is this a possibility? And if yes, then let's try to create a scenario to make it the worst-case scenario. So we prepare you for the worst-case scenario, and on the way to the worst-case scenario you fix this, this and this, low-hanging fruits, and you will be more prepared, more resilient in the future.
12:02 Nice. And how do you decide what the worst-case scenario is? I mean, how do you decide what scenario to create? How do you tackle that? Yeah, that's a good question. So we look at the business. How do they generate money? What are they known for?
12:26 And then along this way, we can pretty quickly, together with our counterpart, which is most of the time the CISO or the head of cybersecurity, identify the most critical parts of the business. And then together with our counterpart, head of cyber, head of IT, we have a detailed scenario which tests the worst case or the most realistic case.
12:59 And that's how we scan the threat landscape. We ask our colleagues, et cetera. We get the most up-to-date information. We talk to our counterpart in the company. And based on this information, we then draft, also with our experience, the most realistic, the worst-case scenario, if that's what the client also wants.
13:33 Yes. Got it. And once you have decided what you want to do and you put it together, what are the ingredients, what do you think makes a good exercise, especially in high-stakes industries? Good question. We try to split the teams a bit and then let them come together and work as a real crisis team. So what I mean with this is, we try to create injects for the cybersecurity incident response team, for the incident responders on their side.
14:09 And also we create injects for the senior management or the communication department and for the legal department. So we would have a lot of components, teams coming together and responding basically to the same crisis. And we need also, as I said in the beginning, it's a business crisis. A cyber incident can result in a business crisis. And we need also all the inputs. We need from the legal side the input on how to deal with ransomware, or like a ransom note.
14:45 We need communication to initiate the right communication internally, externally, to the regulatory bodies, et cetera. We need the senior management to make the decision, because the decision has to be coming from the senior management. And we let the teams work on that and let them come together into the war room and say, hey, the IT team says we need to isolate this location.
15:16 For example, this would result in an operational downtime and would cost us X, Y money. And the senior management says, is there any way around it? Or, what can we do? Or what are the possibilities? And the possibility is to let the malware run and also risk something else, let's say ID compromise, which would be the worst, worst case, or isolate now and have the operational downtime, which results in X, Y money.
15:50 So senior management needs to make this decision, as well as, let's say in a ransomware scenario, the decision of do we pay the ransom or not. A lot of people advise not to pay the ransom, but we've seen in recent cases and the history of ransomware attacks that a lot of times they paid the ransom because of different decisions: they couldn't work anymore. If they didn't pay, everything was encrypted. They were under so much pressure that they really had to pay.
16:24 And did they even define these thresholds and these kinds of ideas, or is this kind of thinking just coming within the scenario? And all the teams are working on their part, and then they come together and make a response decision. And that's what is really also exciting for us, to see that working. If they also have their playbooks and response plan in place, which helps them to get through, or they have nothing and they are just trying to...
16:57 Hey, what should we do? This is also really good for them, because they learn and they train real cyber security, real cyber resilience.
Designing Realistic Exercises
17:14 Do you have any best practices for designing realistic exercises? Yeah, exactly. So once we have the storyboard in place and we agreed with the client on the scenario, we go ahead and conduct that and build the different injects. And also we use all the different ways on these channels: we use video, we use the calls, we can create a help desk to create tickets.
17:44 We can use the platform's live function to create these tickets on a, yeah, like 10-second basis. So the injects, or the tickets, come in within 10 seconds; every 10 seconds there's a new ticket coming in, just to simulate the pressure on the incident response team and to see how it is in real life. And this allows us to really create an environment which is really close to reality and lets them practice.
18:23 And when the real case comes, then they are prepared to respond. And there's reduced downtime, et cetera. And what's also really good with the Conductor tool is that we can have dynamic outcomes. So once you have the decision, there will be different outcomes once you isolate the location or you pay the ransom or you don't pay the ransom. So we will have different continuations of the scenario once you decide X or Y.
18:57 And this is really interesting for us, and also to show them the reality, and in a debrief to say, if you would have done this, or if you wouldn't have isolated, this would happen. And then we cover a lot of possibilities, and also in a debrief session we can get the most out of this scenario. Gotcha. So it branches based on the decision. So you can have them experience the different consequences of their decisions.
19:30 I think that's a really cool way of learning and really seeing the impact of what you're doing. And do you facilitate the scenarios that you design? How do you keep participants engaged through the duration of the exercise? Yes, I do facilitate, and we try to have a short introduction. We're going to explain to, as I said, there are lawyers in there, communication experts within the crisis. So we first try to explain what this is about, or what a tabletop exercise is.
20:06 What is the crisis simulation, et cetera? And then we go ahead and start the scenario. And it depends on the maturity of the client. Some have really high maturity and they know exactly what to do. They did crisis simulations once a year or twice a year. And some are doing their first crisis simulation, so we need to help them sometimes, or step in and guide them a little bit in the right direction. And as I said, through all of these injects and these different channels, they are highly engaged, because with the videos, let's say a news report, they see their company in the news and then they're like, oh, oh, wow.
20:48 This can happen. Yes, it can happen. And that's why everyone is highly engaged through these different kinds of media. And yeah, and depending on the client, we try also to guide them or just leave them be. Leave them be in the crisis. Yeah, leave them in the crisis. Sometimes it's also a good way to learn. Yeah, exactly.
21:18 Good. And do you do some after-action review? How do you ensure that the lessons learned are turned into change? So, as I said, we facilitate only cyber crisis simulations, and we use reporting based on this. So we will have the different domains: govern, identify, protect, detect, respond, recover. And in these different domains, we try to give you a benchmark on your cyber resilience.
21:51 And how we do it is basically, before we start with the scenario, we create a question catalog. And we're going to map this to the different domains of NIST. And yeah, based on the scenario, we will have a question catalog. And then in this scenario, we will say, okay, they did this, but they didn't do this. And because we mapped it before to the NIST domains, we will have a clear graph on your benchmark, on how cyber resilient you are based on this.
22:24 Based on ISO, we can have this for different regulations. And then you can also compare within your group, if you have different business units. This business unit is really mature. They don't have any problems. They are resilient and they don't need any more resources. Or another one is less mature. They don't have an incident response plan. They really need help with responding to an incident, et cetera. And then we can also see them improving over time.
22:57 For example, you have a less mature resilience status right now, but let's say in two or three years we see the improvements. Or if you didn't improve, then we say, okay, these were our recommendations. Did you have any challenges implementing those, or is there something else? And we can react to it, and also the board and the group in these kinds of settings can react to it, and they can have an overview.
23:27 Right. Got it. And tell us a little bit about the most challenging scenario that you had to put together. The most challenging scenario. I would say once we did a full-day crisis simulation and we had a lot of teams involved, as I said: the legal team, the communication team, the senior management was involved, and the incident response team.
24:01 So we had to create injects for all of them, and make it highly engaging and also realistic so they can train and improve their documentation and their resilience. And it was also a lot to learn from our side. Let's say you think it's a simple decision, to decide to pay the ransom or not to pay the ransom. Like saying, okay.
24:32 And if you are creating these kinds of realistic scenarios, then you have to go into it. Let's take the example, paying ransom or not. Do you have someone who negotiates for you? Do you have communication with law enforcement? Do you have communication with regulatory bodies? Do you communicate with them? And what if the attacker reaches out to you, and can you pay? For example, can you create a wallet within days if you don't have a cryptocurrency wallet?
25:08 And can you pass all of the know-your-customer and anti-money-laundering controls they have in place so you can pay within the deadline? How do you decide to trust the threat actor? Do you have threat intelligence that can say, okay, this threat actor will likely give you the good encryption key? It's not an easy decision. And let's say the police says you're not allowed to pay ransom, but your company cannot work without the encryption key.
25:46 So as senior management, you're in a really, really difficult situation. And it's not just generically saying, are you paying or not, and they say, yeah, we'll pay. This is not reflecting the reality. Reality is way more complex than a simple decision. And you need to take the consultation of your lawyer, you have to take the input from your cyber threat intelligence, et cetera, to make the decision.
26:19 Wow. I really like how you just explained how a little decision has all these ramifications that make something realistic. It's not as simple as a yes or no question in a quiz; it is something so much deeper than that, with so many ramifications that you have to take into account. And that you can only know if you've been there and you have subject matter experts such as yourselves putting together a scenario to get ready for this. Nice. Okay. This is the last question then. I really like to end all the episodes with this question.
26:51 What advice would you give your younger self starting in this field? I mean, I would say it is really exciting, and don't forget to have fun. Because to see all of these different threat actors, how they create attack methods, it's really exciting.
27:22 And at the same time, you're doing something to face these people. Let's say, on one hand, you have the attacker, which evolves with AI, ransomware as a service, et cetera. And on the other hand, you have companies which are not aware of it. And then you can come in as the internet police and help them, or train them like a personal coach. And it's a really exciting journey, and we improve every day and we always learn every day.
27:53 And I would just say, keep on learning, keep on being excited about it, and keep on being passionate about it. And then you will draft the most realistic scenarios, which result in better resilience and better protection for companies. Yeah. Well, fantastic. Marcel, thank you very much for sharing all your knowledge and expertise with us. It's been a really interesting time to get to know what you do at Kudelski and all that's behind
28:30 a cyber crisis and how to prepare for it. So thank you very much, Marcel. Thank you for having me, and have a nice day.