At different phases of the attack other institutions were seeing similar activity, and after months of analysis of the velocity and growth of the attacks, teams using the initial vision of the CI-DR program were able to produce a predictive analysis of when the attack might occur. Most of the conversations happening in business leadership were no longer the familiar technology-mitigation discussions; the conversations quickly changed focus to whether this attack would impact capital reserves, what other risks might be encountered during this unprecedented cyberattack, and how much in financial transactions and revenue the online banking and internet-facing systems would lose. As these conversations grew and expanded, our organization had a plan to have the accountants and business analysts review the systems and provide transactional and revenue estimates for eight, sixteen, and twenty-four hours of outage, to determine the amount of loss each critical system could incur. Much of this information was derived from work done by the risk management team during their Business Impact Analysis reviews and from the “crown jewels” asset risk assessments conducted by the information security and business technology teams. One of the most difficult assessments the accountants had to deal with was estimating the potential revenue loss and the number of hours it would take to lose it. This process, incorporated after the attacks subsided, is the original iteration of what is commonly called today a fusion center. A CI-DR fusion center comes into being when business owners, accountants, technologists, risk managers, cyber intelligence analysts, and cybersecurity personnel are brought together to solve an organizational problem.
Having generated all available intelligence through the fusion of stakeholders, combined with our analysis of all the data the fusion teams brought, a decision model was presented to the Board of Directors for their agreement that we were doing the right thing. That “knowledge” package laid out the key cyber intelligence decision points and pinpointed that the organization would be attacked somewhere around January 7 at 14:00, and that the financial loss would be over a million dollars for eight hours of outage time. Additionally, the decision points included the mitigation technologies the organization could deploy to remediate the attack and a comparison of their cost against the impact of loss. The cost-benefit decision, weighed against the risk options, produced two recommended courses of action. The decision points were either to allow our systems to be overwhelmed and let the attackers think they had taken us offline, or to implement a new, unproven Anti-DDoS scrubbing technology, which could still drop some legitimate transactions and would add the cost of a technology that might prove ineffective. With agreement that executive management understood the situation well, the decision was made to allow the attackers to shut down our online banking platform and let it remain unavailable during our anticipated 14:00 to 17:00 outage.
To add further scrutiny and anxiety for the executives, these plans had to be presented to the US Treasury and our financial regulators, which gave the executive team concern that we would be placed under supervisory letters if we held to our decisions. The cyber intelligence analysis from months of attack data was also provided to the Treasury and regulators so they too could understand that the attackers usually turned off their attacks at 17:00 and that our exposure and loss rate were consistent with our risk models. It was the first time the organization's executives and management felt they were making cybersecurity decisions, and this grew my cyber intelligence program by leaps and bounds. Our intelligence estimates were off by thirty minutes, and we were back online transacting by 17:15 the same day. As the attacks did not subside through the spring of that year, the executive team, armed with the information from the collaborative efforts of the fusion team and the cyber intelligence analysis, made the decision to purchase the technology and reduce the financial losses even further. That organization still uses the same approach today to mitigate other risks and to decide how it purchases technology, as part of its risk management strategy. Leveraging this proven CI-DR framework will elevate your cyber program from a purely technological effort to an operational risk program.
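The cost-benefit decision described above, written out as an added worked example that is not from the book: it compares the two courses of action (accept the outage versus deploy the unproven scrubbing technology) across the fusion team's outage windows, using constructed dollar figures and a constructed probability that the technology fails, and derives the outage length beyond which buying the technology becomes the cheaper option, which is the shape of the spring purchase decision. All system names, hourly figures, costs and probabilities are assumptions for illustration.

```python
# Constructed figures (not the book's): hourly revenue at risk per "crown jewel"
# system, as a fusion team's accountants would estimate from the BIA reviews.
HOURLY_LOSS_BY_SYSTEM = {"online_banking": 95_000.0, "mobile_payments": 30_000.0,
                         "wire_transfers": 12_500.0}
# The anticipated 14:00-17:00 window plus the team's 8/16/24-hour estimates.
OUTAGE_WINDOWS_HOURS = (3, 8, 16, 24)


def accept_outage_loss(hours):
    """Course of action 1: let the attackers take the platform offline;
    the loss is pure downtime across every exposed system."""
    return sum(HOURLY_LOSS_BY_SYSTEM.values()) * hours


def scrubbing_expected_loss(hours, deployment_cost, p_ineffective, residual_rate):
    """Course of action 2: deploy the unproven anti-DDoS scrubbing.
    Its cost is spent either way; if it works it still drops a fraction of
    legitimate transactions, and if it fails the full outage loss is incurred."""
    downtime = accept_outage_loss(hours)
    if_works = (1.0 - p_ineffective) * downtime * residual_rate
    if_fails = p_ineffective * downtime
    return deployment_cost + if_works + if_fails


def decision_table(deployment_cost, p_ineffective, residual_rate):
    """One row per outage window: expected loss under each course of action
    and the cheaper recommendation, as a fusion team would brief upward."""
    rows = []
    for h in OUTAGE_WINDOWS_HOURS:
        accept = accept_outage_loss(h)
        scrub = scrubbing_expected_loss(h, deployment_cost, p_ineffective, residual_rate)
        rows.append({"hours": h, "accept_outage": accept, "deploy_scrubbing": scrub,
                     "recommended": "accept outage" if accept <= scrub else "deploy scrubbing"})
    return rows


def breakeven_hours(deployment_cost, p_ineffective, residual_rate):
    """Outage length above which scrubbing is cheaper (inf if it never is):
    hourly*h == cost + hourly*h*(p + (1-p)*r)  =>  h == cost / (hourly*(1-p)*(1-r))."""
    factor = (1.0 - p_ineffective) * (1.0 - residual_rate)
    hourly = sum(HOURLY_LOSS_BY_SYSTEM.values())
    return float("inf") if factor <= 0 else deployment_cost / (hourly * factor)


if __name__ == "__main__":
    # Constructed assumptions: $400k to deploy, 30% chance it is ineffective, 10% of good transactions dropped.
    for row in decision_table(400_000.0, 0.30, 0.10):
        print(row)
    print("break-even hours:", round(breakeven_hours(400_000.0, 0.30, 0.10), 2))
```

With these constructed inputs the three-hour anticipated window favours accepting the outage while the eight-hour and longer windows favour deploying the technology, mirroring the two decisions the narrative describes.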
Figure I.1 shows how the CI-DR framework is designed and organized to address, and provide reporting to, the directors and executives, the risk officers and auditors, and of course the leadership of the technology and cybersecurity functions within the company. The reporting to the directors and executives mostly covers what the cyber program is doing to enhance or contribute to how the organization governs and responds to risk. In many organizations the business objectives drive how the organization handles risk, and they are key to how the CI-DR framework ties its goals and missions to assisting the business in meeting those objectives. Committees are another area where the CI-DR program provides analysis and input for reporting. As we mentioned, the consequences of loss are listed in the International Standards Organization's Risk Management standard, and that taxonomy can be used to provide a one-to-many or many-to-many mapping from CI-DR capabilities and functions to a risk mitigation process, technology, or exposure. Risk management and compliance professionals are businesspeople, and they need technologists to speak a common language to help them also protect the organization against risk. The CI-DR also provides compliance, internal auditors, and technology leadership with the ability to report on the maturity and performance of its functions and capabilities. Maturity reporting within the CI-DR framework gives the organizations using it the confidence not to compare themselves to others, and to determine their needs based on their size, budget, and the skills available in their area, while providing the overall understanding that cybersecurity is an operational risk that can be understood by non-technologists.
FIGURE I.1 CI-DR's business value.
We are positive that after reading this body of work the reader can confidently address the committees, the boards, and the executives when they ask how the organization is governing its cyber risks. We know this framework has been able to address questions from regulators about the processes and the strategy for identifying, containing, and mitigating emergent cyber threats. Finally, if you are a director or an officer of a company implementing a CI-DR, the framework provides the formalization necessary to show that the organization's risk response process is in place and that the directors and officers have exercised due care to protect the company.
NOTES
A cyber incident is not the time to start preparing your actions. Preparation is necessary: just as you prepare for financial loss, prepare for cyber incidents, which impact both operations and finances.
Cybersecurity decisions with CI-DR “knowledge” become sophisticated business decisions.
When cybersecurity leaders speak of business risks coupled with cyber intelligence analysis, any leader can make informed decisions.
Any cyberattack can be thought of in terms of lost value and costs, which makes it an operational risk, and ultimately a business risk. In this case, it was potential market risk, credit risk, and liquidity risk exposures that could be realized through operational loss. The organization wanted to keep its AA rating, it didn't want customers to leave for other banking institutions, and it certainly did not want to take a substantial financial loss from revenue, fines, or litigation.
A CI-DR program can have massive impacts and outcomes, as it is built with the purpose of delivering decisions to business leaders. Throughout this book, you will see the terms “information security” and “cybersecurity” used; in CI-DR they are distinct, but for the purposes of this book they will be treated as synonymous.