CYBER RECOVERY: WHEN ROLES AND PROCESSES ARE OVERLOOKED

This article was first published in VentureBeat.
The hidden gap in cyber recovery: What happens when roles and processes are overlooked
Today’s cybersecurity initiatives, such as zero trust, share a core underlying philosophy: assumed breach. Whether the adversary is a nation-state or an insider risk, the reality isn’t “if I get attacked,” it’s “when.”
But the threat landscape never stops evolving, regulations change regularly and every security plan is potentially obsolete 30 seconds after it’s written. Continuous testing and refining are critical, as is having the technology in place — but the people and processes are foundational to cyber recovery (CR), says Alan Grantham, VP, Security Consulting at AHEAD.
“There’s a bit of wishful thinking in many organizations,” Grantham says. “Everyone says, I have an immutable storage vault. I have a copy, an isolated clean room, I’ve operationalized standby production and they stop there and call it good. But every step of cyber recovery requires people and process as well as technology, and those plans need to be tested until they’re as ironclad as possible.”
In other words, an organization might have those immutable snapshots — but it also needs processes in place to move data from one location to another, maintain segregation between compromised and clean data and prioritize functions, and even a strategy for anticipating and managing the expectations of business leaders about what is going to be available, and when.
It’s not an engineering problem, Grantham adds; it’s a business problem that requires people and processes to handle.
“If you don’t have stress-tested and refined processes, procedures and roles defined to get those critical functions back up and running, you end up having to figure that out in the heat of the moment,” says Wally Guzik, AHEAD’s Service Delivery Senior Director. “You need to prove ahead of time that there’s a process and a methodology established, and critical personnel have the information they need to set recovery in motion.”
People are the heart of cyber recovery
There’s a big difference between disaster recovery (DR) and cyber recovery. In DR, infrastructure and backup teams are the central players, and an organization can be up and running in no time. Cyber recovery, however, involves the entire business — backup teams, network teams, cloud personnel, incident response teams from security, teams that validate Active Directory before restores, as well as the application owners and business owners that depend on those functions. That’s a huge number of moving parts, relying on the most potentially fallible part of any recovery plan: people.
Frequent testing and validation not only provide essential training, they also challenge assumptions about the organization’s level of preparation and expose the gaps those assumptions create. The sheer complexity of cyber recovery means that the tiniest details might slip through the cracks. For instance, you need to make phone calls — so you actually need to have those phone numbers on hand. You need to validate an end user, but you can’t assume the configuration management database is going to be online — so you have to make sure you have an up-to-date copy in your isolation vault.
“There are bigger questions that you only get to by testing your process,” Grantham says. “Whatever your business is, it’s about looking at that data and saying, how do I provide access in this modified environment? For every one of the applications supporting that, having a run book to say, this is the people, the process, linked to the technology to get me to a user in the system performing their daily function because they need to be able to do their job. That run book gets them there. If your data is just sitting on a hard drive in the middle of a data center, how does that help your business?”
Cyber realism and recovery strategies
Business impact analysis, to determine critical business functions, is the first step of developing a plan — outlining business functions, which applications and data support those business functions, what underlying infrastructure is required to run those applications, and what’s absolutely, bare-minimum critical for running the business while recovery continues in the background.
“A lot of organizations either don’t want to spend the time and money to do that, or they believe internally they’ve done something similar to that already. Again, this starts to lead down a path of making assumptions,” Guzik says. “It’s a challenge to get organizations to be honest with themselves as to where they’re at and where they need to get to and how we can get them there.”
Every department or team in an organization believes its applications and processes are the most critical to the business. What Grantham calls cyber realism also comes into play here — stripping down expectations to be realistic about what’s truly necessary and what’s not. Even with critical applications defined, an organization needs to drill down into which functions are necessary to the business and then layer them in. Recovery and validation drills are a way to concretely demonstrate which systems actually keep the business up and running, as is a neutral third party that can guide business leaders through the scrutiny of their systems and testing.
“When they discuss cyber recovery, our customers often see the mountain, rather than a journey of foothills which might add up to a mountain,” Grantham says. “But I don’t have to get all my applications up. I need to get more core infrastructure up, and then if I get these 20 applications up, we’re still in business, and then we can address the rest of the process. It’s still going to be painful, it’s still going to be ugly, but I’m not going out of business.”
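To make the "foothills" prioritization concrete, here is an added example (not code from AHEAD or VentureBeat): it takes a constructed dependency map of the kind a business impact analysis produces, business functions on applications and applications on infrastructure, and computes the minimal set of components to restore for the critical functions plus the waves in which to bring them up. All component names are invented.

```python
"""Recovery-wave planner (constructed example, not AHEAD's tooling): given the
business functions a business impact analysis marked bare-minimum critical,
compute the minimal set of dependent components and the order to restore them."""

# Constructed dependency map: component -> components it requires.
DEPENDS_ON = {
    "order-entry": ["erp", "identity"],
    "payroll": ["hr-app", "identity"],
    "marketing-site": ["web-tier"],
    "erp": ["db-cluster", "identity"],
    "hr-app": ["db-cluster"],
    "web-tier": ["core-network"],
    "identity": ["active-directory"],
    "active-directory": ["core-network"],
    "db-cluster": ["core-network", "storage"],
    "storage": ["core-network"],
    "core-network": [],
}

def minimal_recovery_set(critical, deps=DEPENDS_ON):
    """Transitive closure of everything the critical functions require."""
    needed, stack = set(), list(critical)
    while stack:
        component = stack.pop()
        if component not in needed:
            needed.add(component)
            stack.extend(deps[component])
    return needed

def recovery_waves(critical, deps=DEPENDS_ON):
    """Order the minimal set into waves: a component is scheduled only once
    everything it depends on has been restored in an earlier wave."""
    needed = minimal_recovery_set(critical, deps)
    restored, waves = set(), []
    while restored != needed:
        wave = sorted(c for c in needed - restored
                      if all(d in restored for d in deps[c]))
        if not wave:  # nothing can progress: the map has a dependency cycle
            raise ValueError("cyclic dependency among " + ", ".join(sorted(needed - restored)))
        waves.append(wave)
        restored.update(wave)
    return waves

if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(["order-entry", "payroll"]), 1):
        print(f"wave {i}: {', '.join(wave)}")  # core-network comes up first
```

Components that only the non-critical marketing site needs never appear in the plan, which is the point of cyber realism: restore the core, then the functions that keep the business in business, and address the rest afterwards.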
Continuous protection comes from continuous evolution
“The idea that cyber recovery strategies require continual evolution, just like zero trust is an evolution of different identity standards, is not something that a lot of businesses have accepted yet,” Grantham says. “They’re still approaching it from a board level, saying that I’ve bought one and I’m done. No, this is a continual cost of being in business, an investment into the protection of your customers, service commitments and bottom line.”
There’s never a “done” with cyber recovery, Guzik adds.
“There’s always something you can do better. There’s always an efficiency to be gained. There’s always another test that can be done to validate and give people more confidence,” he says. “Practice, practice, practice. You want your teams to understand their roles and be confident in how they’ll execute. Then that builds leadership’s confidence in the ability to recover.”