Simulations – Use Them Often and Everywhere for Information Security Improvements


Information security best practices.

Practice makes perfect! This especially holds true in the world of information security where awareness and response capabilities must always be tested to prepare for and avoid breaches. Simulations of security events not only help you react and respond during an actual incident, they can also be used to proactively educate your workers so incidents are avoided to begin with. While planning and delivering security simulations can be time-consuming and stressful, they will definitely improve your information security program.

Prepare for the worst

If you have ever been involved in a real-world breach response, you know that having a response plan on paper doesn’t necessarily mean you will respond effectively. Since the documentation was created, any number of variables may have changed: security technologies decommissioned or broken, new employees hired, contact information out of date, and so on. That is why ongoing simulations are needed to uncover your weaknesses so you can minimize damage during an incident.

Yes, creating formal documentation around incident response scenarios is important, but only when the documentation is truly ALIVE. How do you keep response plans ALIVE? The best way to mature your organization’s response capabilities is to regularly run tests with different incident simulations and then immediately apply the lessons from those tests to your process documentation. This creates an ever-maturing response function.

You may be the first to party after a successful simulation, but do not forget your Third Parties before the simulation!

Engaging all relevant resources throughout a simulation is critical so they understand their responsibilities. As organizations increase their dependencies on third-party providers, it is critical that these third parties are pulled into security scenarios as well. Your company brand could depend on another organization’s ability to respond, so do not leave them out of your testing. You might also need to adapt your current contractual processes to ensure testing/simulation activities are baked into third-party contracts. Every new agreement should contain language around testing and incident response accountabilities.

Educate with Real-World Examples

Do not underestimate the importance of using real simulations or simulation examples to educate your workforce. For many workers, this is the only way they learn, so keep this in mind when devising information security awareness campaigns. The most effective training programs engage workers with real-world simulations or events that they might experience in their personal lives. People retain this type of education better than a boring corporate security training exercise that appears to only have the company’s best interests in mind.

Leverage Private Scenarios to Help Corporate Goals

As the lines blur between a worker’s private and corporate life, corporate and private security blur together as well. Obviously, when identity theft occurs, it impacts a worker’s productivity as they deal with their personal issues. The time required to address a private breach can also extend into work hours, which impacts organizational operations.

The shared use of corporate and private identities is driving broader identity management concerns as well. Corporate account naming conventions and passwords are often shared between private and corporate systems, so focusing education efforts toward real-world, private security measures actually improves corporate security as well. From a security standpoint, a worker’s personal life can directly impact corporate security as account/password sharing, BYOD and other social media activities become intertwined.

Some organizations are running internal phishing simulations to test and train employees. This is a great way to help your first line of defense learn the business impact of their mistakes. Plus, it helps them in their private lives, which ultimately improves motivation and organizational productivity.

Simulate Information Security Events and Improve

Developing simulations around various security events makes your entire response team more effective so they can react appropriately during an actual event. Simulations also uncover broken technology and broken processes, which leads to overall operational and security improvements once those processes are fixed. Finally, applying real-world scenarios to security awareness campaigns will engage your workforce and improve their security IQ, making them an information security asset rather than a security liability.


Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.

Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).