How to Handle Third-Party Cyber Incident Response

To handle supply chain attacks, ransomware and other incidents, companies need cyber incident response plans that include third parties. In this interview, Marianne Bailey of Guidehouse shares her lessons learned from handling major events in government. 

In this interview with Richard Pallardy from InformationWeek, she provides detailed advice on how to renegotiate agreements with third-party providers, ensuring the highest possible level of response to an attack. 

Talk to me a little bit about incident response simulation tests. How are they best run? What kinds of gaps should they be probing?

"It's really good to do tabletop exercises. They're very, very effective when it comes to incident prevention and incident response. Companies should do them every single year. There are so many people that have a role in response that you don’t typically think of. You think the IT department has to fix it. Maybe the chief information security officer has a role in it. Well, guess what? So does the CIO, the CEO, the CFO, and the CPO. These people need to know their roles when the chaos comes. During the chaos is not the time to figure it out.

 

I was at the Pentagon when there was a huge theft of Office of Personnel Management (OPM) records by the Chinese -- 24.5 million people's records, 80% of them Department of Defense people. The Secretary of Defense decided we were going to do the response action. It was the first time we'd ever responded to an incident like that. It became incredibly political. We were briefing Congress. We were in the White House talking to them. I met our CPO for the Pentagon and the DOD for the first time during that ordeal. It was obvious that it was going to cost a lot of money. But we had to figure out where we were getting the money and how we were going to respond to it.

 

The White House decided they wanted us to send out paper letters to every person affected. Just the logistics of finding them was a whole ordeal. My team came to me one day and said, “We need another $500,000.” I'm like, “What is that for?” Stamps. We had to find somebody who could print the letters. What organization has these massive printing presses and can print these letters? We had 30 days to do all this, by the way.

 

Unless you're involved in something like that, you don't realize all the different pieces and parts involved. Every day, I was just learning and learning and learning. Running tabletop exercises really helps a lot. You do mock drills. We've had an incident. This is what's happening when we encounter it in real life."