What Would Hurt You The Most? Designing Cyber Scenarios That Matter - A conversation with Marc Avery

Introduction to Crisis Management

0:00our exercises go straight to that business impact what would hurt you the most what keeps you up at night if this happened how would this impact your business hello everyone this is Belen Santaolalla from Conductor Crisis Exercise Platform and you're listening to the Crisis Designer Podcast

0:32the show where we share tips ideas and practical insights to help you design impactful crisis management exercises so if you're working crisis leadership business continuity reputational risk cyber security or immersive simulation design this podcast is for you

Guest Introduction

0:57today we're joined by Mark Avery CISO and managing partner at Cyber Chain Alliance whose career has been defined by leading security transformation across high stakes private and public critical infrastructure Mark has spent decades shaping resilient programs strengthening security culture and protecting essential services he's now focused on building an organization that delivers meaningful value for clients real opportunity for his team and positive contribution to the community

1:31Mark welcome to the Crisis Designer Podcast how are you today? Thank you very much great to be here

Cyber Security Work

1:36yeah no thank you very much great let's get started so how do you exactly help your clients today as CISO and managing partner? Absolutely thank you so when I started Cyber Chain Alliance in around about 2019 um I had a passion for ensuring that um learning and and and and learning from the foundational aspects of cyber security was something that uh stuck and and actually made a positive difference um for many many years maybe almost 30 years ago

2:12um I recall um I recall talking about things like patching systems and making sure that networks were segmented etc etc etc and we're still talking about those things kind of 25 years later and so it's clear to some degree not not always it's clear to some degree that some of those foundational aspects of cyber security are are are still not quite there and there are lots of different reasons for that um but one of the main missions of of Cyber Chain Alliance is to improve value and reduce cost and the way in which we do that

2:46is that we work very much at the people level to ensure that people have understood what a security policy is why there are rules in place around what you can or can't do why you need to design systems securely and why you need to operate them securely if people don't understand the why then there's a there's a we we struggle to actually implement those foundations so the human aspect of cyber security is and always has been the most important uh thing and so

3:16at Cyber Chain Alliance we're very much a people-focused business and uh that goes through every one of the services that uh that we provide

Importance of Securing Infrastructure

3:26awesome and and why would you say that your work in securing critical infrastructure or transforming security culture is so important i believe that we will always be on the back foot um our world in cyber security is slightly different from natural disaster and environmental uh and economic and political challenges um we are facing an attacker criminal organized crime nation state threats who are determined

3:57to attack and steal and disrupt and and so for that reason it is very much a cat and mouse game and and it's just natural that uh even if you think about people who steal cars or break into houses they will always be thinking ahead of you and and so that's just the world in which we live so in order to ensure that we are able to defend ourselves we have to improve we have to build those foundations and uh and we have to make sure that we're thinking about our attacker as much as they're

4:31thinking about us yeah that's a good point um but how did you end up in this line of work how did you first get into cyber security um i had just returned from uh a holiday and i i i i did not have a job in mind um i was i was djing quite a lot at the time so i just thought i was going to be this kind of world famous dj and then uh obviously that was never going to happen and uh and so i i managed to get a job through my my mother um who was working at jaguar land rover

5:08wow back in the day so that that tends to raise a few more eyebrows uh since march of this year than it previously used to but that was my first role and uh yeah i started working in telecommunications networks looking after the the the jaguar network and then moving on so telecommunications and technical security was my thing for many many years and then slowly kind of moved into more information security management and uh managerial roles and then ultimately my last full-time role

5:39was the chief information security officer for the smart metering implementation here in the uk so so all of that career um you can imagine it i saw a lot of technical issues and technical challenges and i still see those today and i also see the people in the managerial side and the leadership side as well one of the most striking things for me is is that um there needs to be a top down and a bottom up approach to cyber security because if you don't have that support from uh from the board level um which is a very easy thing to say um but it's extremely difficult to get boards to take an interest

6:18in cyber security because we're not the only issue in town all right the the shareholders need to make money uh the the executives need to make sure that they keep their jobs etc right so so there's lots of differing priorities and and cyber security not special in that sense it's just another another threat a significant one a significant one of course but it's just something else that that leaders have to think about so adopting that leadership mindset understanding the business is something that we try to do uh literally every day gotcha okay um how do you approach then uh getting

Preparing Exercises and Training

6:55teams ready for this sort of scenarios uh how do you uh prepare exercises or training for security and crisis response sure so so the first thing to say is that we are a national cyber security center certified sorry assured service provider uh what that means for uh our company and the other almost 50 companies now here in the uk that that have that accreditation is that we have to follow a standard so some things are just just given we we have to do certain things in order to follow

7:28that standard we have master event lists and we have requirements for um both live play and tabletop exercises so we have to determine exactly what type of approach and scenario we're delivering and how we're delivering it so that's that's the foundation really and and and from that we can then start to think about the customer so with any of our work crisis exercising or otherwise um we take a lot of pride in making sure that we've customized something very very occasionally do we just try and repeat

8:01something for for another customer because they're almost exactly the same because they very very rarely are not exactly the same different sectors different sizes different shapes um etc so so all of our work being customized one of the first conversations we have around incident exercises is what are their objectives what are the audience and and what are you really not just objectives on paper but what do you want the next step to be what do you want to happen after this and here in the uk and the the uk government has uh required uh all of its government departments and arm length arms length bodies

8:38to do at least one cyber incident exercise each year and that's okay that's a good thing that's a positive thing in the right direction but if those government bodies are just there to tick a box and say yes we've done it they're not going to get the value out of it and to be brutally honest we we we don't say no but we would discourage any organization that came to us and said look i just need to meet this compliance requirement it's like okay really okay that's fine but we are definitely going to give you some value as well so let's talk about it so um yeah we don't like just to go in there and not achieve

9:12any uh any outcome so so it always starts at that level really what are the outcomes that you're trying to look for and and who do you want to uh be involved in the in the crisis simulation and that then kind of starts to leading to the to the next phase for us which is literally storytelling okay so we take a lot of pride in making sure that there's a cohesive story and i don't just mean about you know user clicks on phishing email uh laptop gets compromised then the hr system gets compromised and

9:45attacker steals data that's quite common and easy thing to come up i'm talking about the business understanding the story around the business and what would actually happen should that incident occur um and that's why we we look at different audiences you can have a very confined conversation um with a technical team because they're supposed to do x y and z that should be relatively well scripted um but as soon as you start getting into the crisis management team with senior management

10:17from across the business and then the the board level the the focus changes so we always consider to which audience that we're we're delivering that so that starts to shape it what i always say at the start of any exercise i will probably come on to talk about exactly how we deliver them but um the outcome for me is that somebody's heart is beating faster or they've got sweaty palms because having received that phone call or email from somebody um but you know fairly recently a a customer called us up um sorry not a

10:53customer they were a prospect and we had a phone call from from this lady it was a friday morning around about the same time and she was in tears she could hardly speak because her small business had just been compromised by an attacker and it's that my heart my heart is beating when i'm telling you this story now and the emotion that that brings because this lady it's her pride and joy she spent so much time building the business a very successful business well invested supporting many uh retailers

11:25here in the uk and uh and she just might i do not know what to do and i think that's possibly where cyber security is slightly different because it's a little bit hidden it's like what do i do you know i've done everything that i need me to do mark but you're you know i still have this uh this attack so um people do feel helpless when they are in that situation so i'm not trying to force that that on people i wouldn't wish that on on anybody but that's the type of thing that happens in reality

11:58and when you're under that pressure you have that emotion you react very differently so the storytelling and making sure that we can create that narrative and get as close to that emotion as possible increases the chance that people will remember it and hence learn from it

Storytelling in Training

12:15how how do you um decide you're you're having this approach uh but how do you decide on the specifics on how that storytelling is going to unfold uh what um personas you're going to include or what's the topic or the scenario itself how do you approach that so so we we typically take as i say it we take it for granted that there will be some kind of cyber attack and we can we can play with different types of

12:49things it can be a some kind of denial of service attack where the the e-commerce website is unavailable for customers to make orders or it can be a phishing uh attack which then leads to other things and that's all a little bit of a given we don't we don't worry too much about that we we do make sure that it works and it's realistic but the first thing that we go to is well what's the line of business for uh the organization so if you sell your products on a on a website then that that website is is the most important thing to you if you're a business to business customer and you rely upon

13:24transactions across the internet you know your connectivity and your web services is is critical and then there are other customers that we have where they are retail companies so the logistics around getting stock to warehouses monitoring that stock getting it to fulfill the orders that come through either online or face-to-face at at shop counters and things like that is is where we tend to go because that's where the business impact is you know you imagine a wholesale organization on a

13:56saturday morning they don't have any credit card machines they can't process an order they can't print receipts customers are queuing at the door you know demanding because they need to do their diy or whatever it is on a saturday morning and and that increases the pressure on the individuals that just say i can't help you you know all those frustrations and and that's the thing that really hurts the businesses as well um it's not just a cyber issue it's the impact on the physical aspects of the business so um so we very much go to that and uh this is where there's a there's an immediate

14:31alignment with business continuity and disaster recovery in the traditional sense that we've all become to to to know it the the one thing that we always come back to in cyber security is exactly the same thing that our counterparts in business continuity and disaster recovery also root their their their cause in and that is business impact assessment both cyber security professionals and business continuity professionals have this thing called business impact assessment

15:04it's the heart of everything because that's the thing where you assess the need to spend a single penny or a pound or millions of pounds protecting your business because it is purely related to the potential impact of loss or compromise of the data or systems um in which uh you're relying you're relying upon to deliver your line of business so so our exercises go straight to that business impact what would hurt you the most what keeps you up at night if this happened how would this impact

15:39your business and so um very often we're cruel and we will go for the worst case scenario you know and why wouldn't of course of course we would right so so and i always also tell people that it's it's a little bit of fun it's a little bit of theater um the learning outcome is still there but you don't have to you don't have to take it too seriously so yes we always go for the worst case scenario sometimes we get told off um yeah yeah um but all in all in uh all in good jest

16:09nice yeah i mean there's a lot of um creativity in all of this i guess now you're coming from a creative background you're a dj you're talking about storytelling theater so it it it takes a lot to build an exercise that has all these elements um what would you say are the the most uh important ingredients to generate all that uh emotion in the training audience i think i think it's the the

16:40planning and the personal nature of it so um a good example is if you're talking to a technical team they know that they've got you know bits and bytes in their head they know they need to log on to that system to go and investigate and then they need to go into that system it could be this it could be that it's all very binary and transactional um and then some of the most important ingredients are the so what the answer to the so what question that's all very well you're doing that at the technical level but how does it impact you and how does it impact um how does it impact your your

17:15business as a whole there is there's a definite personal impact to all of this and and we do bring that in it's it's no mistake or accident that um the majority of cyber attacks happen on a friday afternoon because we're breaking up for the weekend bank holidays are even better okay um and you know i've i've had to face several uh attacks i think it's back in 2017 there was a big attack here in the uk called wanna cry that impact the nhs and our ability to you know service uh patients uh in hospitals

17:50um and i was fortunate or unfortunate enough to be one of the first in the uk that heard about that mainly because one of our suppliers um a company that was headquartered in madrid had seen the symptoms of this attack first before anybody in the uk had seen it so um so so we got the phone call and we we took corrective action um but i but i i think it's the personal impact that's really really important so if you uh pitch a scenario that kind of starts on a friday afternoon and then you know maybe you've had a rough friday night you've spent

18:25lots of time the technical teams have been investigating on a friday evening saturday morning comes people have personal lives people want to go and see their family people want to go to the football etc etc they've got plans and so you're disrupting those plans um there was one there was one exercise that we did and these this was one of those moments that we did draw out some emotion we we spoke a little bit about the cyber attacker or attackers gaining access to personal information of

18:57the ceo uh home address um children's names uh wife's name and this is all open source information uh as you may imagine uh if you went onto the dark web to look yourself up you would probably find a lot of information about yourself and attackers absolutely use this they they have got no morals or ethics um you know we we have to take some control and accountability for for hair fall we push the exercises but attackers don't so when we when we brought this into the scenario and uh we we showed

19:32the information on screen that the ceo uh uh was was aware of we progressed with the incident for another 10 or 15 minutes and the ceo but he sat on the table said sorry can we just rewind for 10 minutes i've just been thinking about something completely different he'd been thinking about his family about the impact of this information in his view being exposed and stolen by the attackers and you could clearly see well what would happen next what do i need to do um you know do i need to take action to to protect my family and and that's an example of of how those are some of the

20:07ingredients that i think are really important to extract the emotion to make it real and to to make people realize that this is not just uh an innocent threat these things are actually happening and we know that as cyber security professionals but one of the biggest challenges that we ever have as as professionals is communicating this risk and the potential impact to those that hold the budgets and want to invest in their organization to protect it we can talk you know it's a it's a

20:38language thing it's a communication thing there's no point in saying we've got a thousand critical vulnerabilities on our systems and that's easy for an attacker to well just go a little bit deeper explain it in the language of somebody that you need to get some investment from and so it's storytelling and emotions and these kind of ingredients that help achieve that and it it shouldn't be this difficult i know it sounds difficult but it shouldn't be this difficult we we we believe that cyber security is the most important thing in the world but as i said before

21:09the the board members don't you know so so so how do you get them to think about and and realize the potential impact on on on their business that's so scary and it has to be because that's i think that's what you just described is like you think about the threat uh as something abstract difficult to grasp and that's why you do this bespoke exercises because you then you say so this translates into your family's address and your

21:43family members names being in the dark web and they're going to be used like that and then it makes it tangible it makes it real it you can see what cyber threats are and what that means for you and for your for your business that's that's incredible um so when you're building uh when your

Building Exercises

22:01team is putting together uh an exercise um how do you work on uh to to make that story tangible do you have to decide characters personas um beats for the story acts uh in them in the mail you're deciding deciding the injects do you have any way of approaching this world building yes absolutely so so typically what we will do with a with a client is that we will request uh that a small team within the organization is a we consult with them so so we ask for those types of personas the technical

22:38scenario needs to be realistic the business impact needs to be realistic so we we bring people into our exercise from our clients so we don't just do this blind uh with them so so they're aware of the the scenario that they they input into the scenario they're actually the people that can tell us what the worst case impact will be we can't guess that so so there's a small team that we work uh with so we create a wider team we spend a fair amount of time preparing for it we will review their existing

23:10documentation their existing protocols their taxonomy how do they talk about cyber security attacks within their organization because we have to mimic that we have to create the scenario around that so so all that preparation is in place the scenario is built out the timings of the scenario are absolutely critical to that story and the and the the outcome that we deliver and the reason i say that is because cyber attacks don't actually occur within a matter of hours like i don't know like a

23:41fire or a flood you can kind of you know it's a fairly short-lived thing cyber attack could have been going on for months right so so um we have to be really conscious of you know we've only got like three hours in in a room with people basically so we've got to be really careful about the the end to end timeline and making sure it's it's it's realistic so so we work together with the teams we identify those personas we've got names and roles that are given to us and we craft the scenario so we

24:15know at some point for example the comms team need to get involved and maybe they'll need to engage with their pr agency um maybe they'll need to decide that somebody needs to go and make a public statement maybe the ceo or the ceo and so all those personas are absolutely built into the story and the main reason for that again just to reiterate this just doesn't doesn't this just does not impact the technical team this is not an it problem this is a business problem and every single person in the

24:47business may be affected include not just the management team and the people responsible but the staff are the staff going to get paid in two days time because it's the end of the month yeah so so those personas do stretch out and then to the customers also the customers that are wanting to buy the services the suppliers to our clients and their companies you only have to look at jaggy rolandro over this year and it was not just the impact on on jlr it was the impact on the supply chain a significant impact on that on that supply chain and hence as taxpayers we have you know we have helped

25:23to support some of those organizations as well so the cyber attack generally can impact a number of different of first second third fourth parties and all of those personas are considered within our exercises what a wow that's so so rich and so interesting so when when you have your exercise ready um how do you make sure that the participants are coming to the room to spend those three hours

25:54with you how how much information do you give them beforehand and how you make sure that they are uh probably engaged to come and take active part absolutely it's really important i i was i was talking about this the other week and i i talked about the three p's and it's plan plan and plan you have to do a lot of planning um now on some occasions we've walked into uh boardrooms where we have anticipated a little bit of of pushback people are busy they've got jobs to do as human

26:28beings we like to fix problems and they're being almost told to come to a room for three hours i'm not going to tell you what it is it's something to do with cyber security and they're like i just want to carry on doing my job and you know and i get that right so there's a there's a little bit of that that we have to anticipate and and deal with um thus far even though we've anticipated and been aware of that uh potential challenge when we walk into boardrooms what i can guarantee and attest to is that um that uh that goes away very very quickly once people get into the exercise that is all

27:04all forgotten about but in an ideal scenario uh we've got board level support we've told the right people within the organization what to expect um we've given people enough information on some occasions we will give them a little bit more we'll almost give them the first step in the scenario so they can prepare i think it all depends on maturity as well i really talked about maturity but some organizations come to us and say oh can you just put my board in in in a room and talk to

27:35them about a cyber crisis and so we question what they've done prior to that and if they've done nothing they haven't really got security responsibilities and roles assigned in the organization they don't have an incident response plan or even thought about playbooks or whatever it is some of those fundamental things are in place then it's almost a waste of time to go and do an exercise with the board so we had a client come to us uh recently to to ask for something similar i said yes we'll do that for you at some point in six months time but you need to do these

28:08foundations we can certainly help them you know build those foundations but we we make sure that we deliver something that would deliver no value um so so so the preparation in advance contributes to that as well so if we can um if they are mature enough and they they they will digest a small bit of information in advance of the exercise then we'll feed them that information often it's about context settings like maybe you're working home today it's a friday um your ceo is on holiday

28:41um so you kind of set the scene more than anything else because sometimes that if you give that to people in advance by the time they walk into the boardroom they're in the mode they're ready they understand the scenario they you know in in some cases they'll they'll be the the ceo will be sat at the back of the room because we we sometimes keep them out of the way and it's very common for us because we like to keep our ceo friends happy we'll we'll we'll the ceo will initially play the role on a beach in barbados somewhere so yeah so they'll come into that room and they'll already be aware

29:16of where they are and what they should be doing nice okay um and who else is in the room i mean do you facilitate the scenarios and um once the scenario is over um do you segue into an after action review of some sort yeah absolutely so so uh it's very well structured and we have many options um available to us um sometimes there's a little bit of an external influence so depending upon the customer we can bring in non-executive directors who have got experience of previous cyber attacks so

29:52we can communicate at that level gives us a little bit more credibility not that we couldn't do it but sometimes you just need a little bit of external independent credibility as well uh we can bring in actors so an actor may play an important part within the the scenario um on several occasions we brought in a journalist and a camera crew so simulating an interview for three minutes on bbc news uh under

30:22the under the spotlight and uh you know the the journalists can be very awkward in their questioning sometime and and also a little bit of media training as well down to you're wearing the wrong color shirt to be on television you know little things like that right so we can go into all of those areas so all of that said that helps to shape the structure of of the scenario but typically will follow a timeline of you know friday afternoon and these technical things are happening you've lost access to your systems or users are reporting uh strange activity with laptops or whatever it might be

30:57um and then the way in which we structure it then is sometimes it will be testing so there are probably for the more mature organizations we can use platforms like conductor to almost test because it's so mature we're training people on if x then y you know so in accordance with their incident response plans and playbooks etc we know that we can craft a scenario using conductor to go at if this then this and you know you can assign tasks and make sure that if the uh the

31:33communications person needs to respond to a request to uh respond to an external media uh outlet uh then then we can set that as a task so so in one extreme we can script all of that and just stand back and and and watch it happen and facilitate and that can be done in the room it can be done in breakout rooms or it can be done completely remotely we tend to like a little bit of a hybrid as well so in some cases we'll we'll actually have a human being so one of my team who's at home or in the office they will make

32:08the phone call to the head of it or they'll make the phone call so so it's not necessarily coming through the uh the conductor platform in simulation it's actually a real person calling up or we'll have a live website that's that's on stream with you know um twitter feeds and things like that so so we try to break it up with real media um and and videos as well so some of our actors will pretend to be cyber attackers as well you know black hoodies the typical thing anonymous mask all that kind of stuff

32:41um so so we do a lot of that so uh given our ability to inject some of that stuff really depends on on on the style the nature and the outcomes of the exercise but back to your your question really some of it is about testing some of it is about uh teaching and learning so one of the roles that i will play in the exercise whilst my team are facilitating is watching people and and and interjecting if i think that they could be doing something else should they be doing more uh should

33:17they be doing more challenge around some of the things that are happening around the table or in the breakout sessions and i'll take them out the room and my practice director she will take them out of the room we'll we will have specific roles and specific people to coach um based upon what we've learnt and then we'll take them out and they'll come back in and they'll try something differently to get the best out of their team and to explore different uh assumptions and assumptions is one of those things that we see almost all of the time assumptions that somebody else is doing that job

33:47well no if you've not actually got around the table together uh and discussed that and made it really really clear then you've not tested those assumptions or validated them sorry so so that's really important so we will use that coaching ability as well in the room live to ensure that we get the most out of the exercise great that's really cool and can you tell us a little bit more about the most challenging scenario that you had worked on or you had to put together

34:17i do remember one scenario where again ppp plan plan plan right we had to go to a local shop to buy a 20 meter hdmi cable because we just assumed that the the client had got a big tv screen but what we didn't know is it was 20 meters away from where we need to be so anyway um that that that's a very minor issue i i think that the keeping people engaged is is is difficult and there's been a couple of occasions where when we request feedback at the end of the session um we'll get comments like

34:53i wasn't really engaged now that's that's not always our fault with in some occasions we're there to facilitate but we took that feedback to heart and what we do now is make sure that every single person that's in the room we understand their role and we understand the potential contribution that they can make so we can engage them so there has been occasions where it has been a challenge and and and people have just sat there um we may have had one person fall asleep i think i'm not sure nothing no no negative uh comments around my team and their delivery but it was just you know they

35:30weren't engaged properly and and and we take um we go to great lengths to get honest feedback and as a result of that we continue to improve so that happened on uh on a couple of occasions but i think that's the key thing with any kind of uh exercise um it's making sure that you've got somebody in play because if if they're not talking or contributing then they shouldn't be in the room in the first place yeah that's true that's a good point yes how how do you put the training audience

Putting the Audience at Center

35:58at the center so you understand who's going to be there and you craft something that is valuable and they can contribute to that's a really good point yeah right okay so this is the last question i always like to to wrap up with this question so um if you got the opportunity to talk to a younger version to yourself um what would you tell him what would you have liked to know earlier is this a career question yeah it could be that or personal whatever you feel um

36:30i think there's over my career there's been times where i've done roles that i didn't really enjoy if i'm honest um we go through phases in our life where we you know we have family and we have mortgages and and we have to earn money and then you know sometimes in your career you stop and you think that's not everything um what what i always kind of come back to is that you have to do something that you enjoy and you're passionate about and and you know i'm passionate about making a difference to

37:07um those organizations who don't know what to do from a cyber security perspective be that small to medium businesses charities etc i'm passionate about developing young people and people who are not currently in cyber security and bringing them in using those transferable skills to become a good cyber security person as well but i think it's about being honest as well i mean there are i'll be really honest that there are days when i wake up and i'm going oh my god it's this cyber security thing again i'm still talking about patching systems like almost 30 years

37:39later surely this isn't everything can i not just go and buy a pub and run a pub for the rest of my life right so i think it's important to have that balance and allow yourself to challenge what you're doing because you have to do something every day that's different and that that you enjoy what a fantastic way to wrap this up uh great learning and definitely you have to be passionate about what you do to really contribute and make a difference thank you very much mark it's been

38:14fantastic thank you you