What really determines whether a company survives a cyberattack, the sophistication of the attacker or how well the organization prepared before the breach ever happened?
In this episode of Business of Cybersecurity, I sat down with Andrew Carr, Managing Director at Booz Allen Hamilton and leader of the firm’s Commercial Threat Detection and Response practice. Andrew has spent nearly two decades working in digital forensics, ransomware response, and incident investigations across both government and enterprise environments. During our conversation, he shared lessons drawn from hundreds of cyber incidents and explained why preparation, clarity, and coordination often matter far more than the tools organizations deploy.

One of the most striking themes in this conversation was the importance of the first seventy-two hours during a cyber crisis. Andrew explained that organizations that stabilize quickly tend to have one thing in common. They understand their environments with precision. They know where critical data lives, how systems connect, and which assets attackers are most likely to target. When that visibility is missing, those early hours are often spent trying to answer basic questions rather than containing the incident.
We also explored why traditional incident response exercises sometimes fail to prepare organizations for real attacks. Many companies still run tabletop exercises within individual departments, yet real cyber incidents rarely stay confined to a single team. Andrew described why effective rehearsals must involve the entire business, from technical responders to executive leadership, and why organizations need to define what he calls the “minimum viable company,” the core functions required to keep operations running during a major disruption.
Another key takeaway from our discussion was the role of leadership. Cybersecurity can no longer be treated as a purely technical function handled by the IT or security team. Andrew argues that cyber risk is a business risk, and executives across the organization must understand how decisions, priorities, and communication shape the response when a crisis unfolds.
We also discussed emerging risks around supply chains and AI systems, and how organizations are beginning to think more seriously about resilience rather than prevention alone. In a world where no company can block every attack, the ability to respond quickly and recover effectively is becoming the true measure of cybersecurity maturity.
If you lead a technology team, oversee risk, or simply want to understand how organizations prepare for high-stakes cyber incidents, this conversation offers a clear look inside the realities of modern incident response. When the next breach happens, will your organization be scrambling to understand its environment or ready to act within those critical first seventy-two hours?
[00:00:07] What actually happens inside an organization during the very first few hours of a cyber attack? And why do so many companies regain control quickly, while others descend into confusion and chaos? In cybersecurity conversations, I think we often focus on sophistication of the attackers. The latest ransomware groups, the newest security tools that are entering the market.
[00:00:34] Yet many of the biggest failures during a cyber crisis have very little to do with the attacker at all. They actually come from the uncertainty inside an organization. Teams are unsure who owns the decisions. Leaders are asking for updates every few minutes during a P1 as teams are frantically trying to find out what's happening. And departments are competing for priority, all while the clock keeps on ticking.
[00:01:04] Well, my guest today has spent nearly two decades working directly inside those moments. His name's Andrew Carr and he's a managing director at Booz Allen Hamilton, where he leads the firm's commercial threat detection and incident response practice. And over the course of his career in digital forensics, ransomware response and enterprise incident management, he's someone that's helped organizations deal with some of their most challenging cyber events.
[00:01:33] So it's from that vantage point that Andrew has seen similar patterns repeating themselves again and again. And that is organizations that stabilize the fastest are really the ones with the longest security policies or the largest budgets. Very often that can be more box ticking than anything else. The successful ones are those that understand their own environment with precision. They rehearse realistic crisis scenarios.
[00:02:03] They build almost muscle memory across the entire business from the technical teams, yes, but also to executive leadership and stakeholders around the business. So in this conversation today, I want to explore why the first 72 hours of a cyber crisis often determine the long-term business impact. And why siloed tabletop exercises, yep, are useful, but they can leave companies exposed.
[00:02:31] And learn why leadership discipline plays a much larger role in cyber resilience than many executives realize. So if your organization had to respond to a major cyber incident tomorrow morning, would every team know exactly what to do? And understand how their decisions affect the rest of the company? These are a few of the things we're going to tackle today, but enough from me. Let me introduce you to my guest now.
[00:03:01] So thank you for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do? Absolutely. My name is Andrew Carr, Managing Director at Booz Allen Hamilton and the Commercial Incident Response Practice, where I oversee our threat detection and response team. I've been in the digital forensics and incident response space for almost two decades now, both in the forensic side, ransomware negotiation, academia, you name it. So I've been involved in hundreds, if not at this point, thousands of incidents.
[00:03:32] And so I service our commercial clients to try and help them prepare and respond to these cyber incidents that are popping up. And digital forensics is an exciting space, something I've been following for some time, incredibly exciting. I think in a former life, I'd love to be involved in that. But I mean, you've worked on incident response in some of the most sensitive environments, from national security to enterprise infrastructure. But when you look at today's threat environment and everything that you're seeing,
[00:04:02] where do organizations still underestimate their own exposure? Because you've got somewhat of a unique vantage point here. Yeah, I would say kind of the most critical underestimation is in relation to supply chain risk. We've seen a number of headlines recently related to that, but it continues to be something that I think doesn't get the exposure within an organization that it deserves.
[00:04:25] And I think the impacts of those supply chain disruptions can be underestimated as well. You know, there might be regulatory or breach notification obligations for their customers or clients, employees, business partners. And I think it's just something that because it's outside of the organization, it's seen as someone else's problem. When in reality, you know, it really needs to be something that the organization takes a tough look at
[00:04:52] and anticipates how those disruptions might impact them. And when doing a little research on you, I was reading that you've said that most failures are not about attackers' sophistication, the tools they're using, but it's more about a lack of internal clarity. So what does understanding your environment, it's a phrase we hear a lot, what does that actually mean in practical terms for boards and executive teams and indeed business leaders listening to this conversation today?
[00:05:21] Absolutely. So a word I would focus on is precision. Good enough is not good enough. Many organizations that we come into, they've done some work in this area and they've tried to map out their external attack surface generally, or they've created an asset inventory that, you know, is maybe updated once a year. But unfortunately, when it comes to an active incident, you know, that good enough is not going to work. It's going to create confusion. It'll create blind spots.
[00:05:49] So that precision in that understanding of the environment is going to be critical for, you know, helping us get in there, work quickly, efficiently, and effectively with their internal teams to get the organization back up and running should one of these incidents happen. And additionally, it creates an opportunity for kind of improvement as you go through these exercises.
[00:06:14] You start to see where maybe you're overlooking things or maybe there's a new department that comes online that has interrelation with others that you just weren't expecting. So it really helps you stay on top of what's going on in your organization. And it's often said that the first 72 hours of any cyber crisis are the most decisive. And from your experience, what separates organizations that stabilize quickly from those that spiral into confusion during that window? Because a lot happens.
[00:06:42] It doesn't matter what plan you've got in place. I think it was Mike Tyson said everyone's got a plan until you're smacked in the face. But when that P1 hits, everything goes out the window. But tell me more about that. Yeah, so I'll touch back on that precision piece. If you really know everything in your environment and you know how it interrelates between departments, you can quickly move when something like this happens. We're not trying to figure those things out on the fly during those first couple of days.
[00:07:10] We know everything and how it interrelates. We know everything that's available to the attacker. We know where the sensitive information is stored and what they're going to be looking for. So that allows us to quickly move, quickly determine those risks and understand what it is that the threat actor might have done while in the environment. Additionally, it helps the organization understand kind of that minimum viable company piece where they can understand what they can live without for three days, six days, two weeks,
[00:07:40] which can allow us to focus on the most critical assets to get them back to kind of status quo, if you will. There'll be many people listening that inside their company, they run those tabletop exercises within a single department, probably a tech department. But why does this siloed approach fall short when real enterprise-wide incident unfolds and key applications are missing, etc., and folders are inaccessible?
[00:08:07] Is it important to have a more collaborative approach and bring in stakeholders too? Yeah, I think as far as those kind of departmental level tabletops or exercises, if you will, those are very important for helping those pieces of the organization understand their capabilities and who's doing what. But overall, we need to understand how that department is going to interact with other departments and how the organization as a whole is going to prioritize things.
[00:08:36] So, you know, those are important, but should be looked at as a broader strategy, both at the technical level, executive level, across the organization, so that each department knows what it needs to do and how its actions will impact the actions of other departments and the organization as a whole. You know, once a year is kind of the base minimum for that muscle memory piece of it.
[00:08:59] But really, these individual departments should be looking at these on almost a quarterly basis from different perspectives, a ransomware one, a supply chain disruption, you know, you name it. We need to work out that muscle memory, but from different angles. When everyone believes that their function is the top priority, we see this a lot with stakeholders around a business, and every function feels that they are the most important, especially during a breach.
[00:09:27] And when people are trying to fix those particular problems, there'll be people asking for updates every 10 minutes from every department. So how should leadership structures and decision-making and what kind of structure should be in place here for when the inevitable escalation arrives to avoid that analysis paralysis or avoid getting distracted or firefighting? Yeah, so it's important for the organization to understand kind of that minimum viable company.
[00:09:56] They need to know what core functions are required to keep the wheels turning. And sometimes that's different for each organization. But if you don't go through that process, you're not going to understand the ins and outs of the mapping between departments. You know, what if this piece of infrastructure goes down? How does that impact the overall organization in relation to that minimum viable company? And it also helps set priority.
[00:10:24] If there's no priority set, every department is going to raise their hand and say, hey, you know, we're the most important. We need to get back up and running. When in reality, that department, while important, may not be required for those first few weeks while things are kind of getting back up and going. So it's something where if you don't approach that with specificity and, like I said, precision,
[00:10:47] it's going to leave a lot of wiggle room that's going to create a lot of issues and, you know, frankly, conflict during a time where we should be facilitating, you know, communication and cooperation between departments to get everybody back up and running. If we're fighting for priority, it's just going to slow things down across the board and no department is going to benefit from that. And I do think there has been a mindset shift from a decade ago when many boardrooms struggled to see the value in something that might happen one day.
[00:11:17] I think we've all seen in recent years it's not if but when. We've seen so many different examples there. And there's this thirst for change and wanting to move to a more proactive approach to cybersecurity rather than reactive. And you yourself have emphasized that building muscle memory before an incident occurs is incredibly valuable. So what does a realistic rehearsal look like?
[00:11:41] And how should an organization or a leader listening be training to make those instincts feel almost automatic when the inevitable happens? Yeah. So like I mentioned before, kind of the annual test is almost a minimum requirement, right? But bringing it up to a quarterly, having both technical executive exercises, you're going to want to make those realistic from a perspective of, you know, what that particular organization might encounter.
[00:12:11] You want to ensure that it can be sufficiently disruptive as part of the exercise, right? So, you know, it's probably not going to take down just one business unit. Typically, we see these attacks will take down, you know, half of the company or everything. So taking it from perspective of if everything went down tomorrow, how can we approach it?
[00:12:30] And then also, you know, not just going with the buzzwords of like ransomware and some of those others, you know, looking at some of the secondary types of incidents that might occur, whether it be a breach to an AI model or a supply chain disruption or attack on a vendor, something like that.
[00:12:47] Trying to approach it from different perspectives is going to give the organization an understanding of how those different plans will play out in real time, what different business units are required to have involvement in those particular types of incidents. But again, just trying to repeat that process with regularity so that it's not new. It's not novel to everyone involved in the process. I mean, even think of just new oncoming staff.
[00:13:16] If we only do this once a year, there could have been a number of people that came on to the organization since that last exercise that unfortunately would be kind of in the dark aside from maybe an incident response plan. And many organizations over the years have, to their credit, invested heavily in policies and tools, but they still find themselves struggling when a crisis hits.
[00:13:37] So in your view and from what you've seen, your experiences and insights here, what role does leadership discipline play in turning cybersecurity from that technical function that it's often seen as into an enterprise-wide responsibility? Is that a difficult message to deliver as well? It can be. Cyber incidents and cyber risk, they're an organizational risk, and it needs to be approached from the executive team as such.
[00:14:06] This isn't just a CISO job or a CTO, CIO job anymore. The old adage of, that's not my job or that's someone else's, that doesn't cut it anymore. The leadership of each business unit and the organization as a whole needs to be informed. They need to have at least a basic technical competency when it comes to these risks and how they can be avoided and remediated.
[00:14:31] It's no longer appropriate just to pass this to the IT or security team because if we're doing that, they're operating in a vacuum that may not take into consideration all the ins and outs of what the executive leadership has in mind should something like this occur. So it's really ownership of that risk, ownership of the process, and getting involved.
[00:14:53] And for any leader listening who wants to strengthen their preparedness tomorrow, maybe want to listen to this podcast, and the reason they're listening is to take that valuable takeaway. What is the first cultural or even structural shift that they need to think about or make to ensure that that next exercise that they take truly reflects the pressure and complexity of a real attack? You must have seen a lot of examples here, some good, some bad, but what would you like them to take away and try?
[00:15:21] Yeah, so I think the first step is they need to define their minimal viable company. And then working on a scenario that's going to push that to its limits. Everything's great on paper. And as you said before, the Mike Tyson quote, we really want to stress test the environment. This shouldn't be easy. This shouldn't be something that everybody just kind of, you know, half pays attention to. It should be straining. It should be difficult.
[00:15:47] And it's something that kind of tests the abilities of those involved so that they can improve. We don't get better at anything if we're not pushing ourselves outside our comfort zone. So really defining what that minimum viable company is and pushing it to its limits in the scenario are really going to help you identify those weaknesses, identify areas for improvement, which ultimately is going to set the organization up on a better footing going forward.
[00:16:14] And one of the things I always try and do on here as well is allow my guests a moment to bust a few myths and misconceptions that they may often read online or just even untruth sometimes that you see about the cybersecurity industry. So what would you say people most misunderstand about your industry? Or are there any myths about your job or field of expertise that we can lay to rest today? Anything spring to mind there?
[00:16:40] I would say just looking at it from a purely technical perspective. Obviously, there's a lot of technical things that we as incident responders do. But a lot of what we do is communication, is coordination, is kind of quarterbacking the situation, right? It's helping the organization work through these pitfalls that inevitably come up, the unforeseen circumstances that we've probably seen hundreds of times.
[00:17:07] And working with the organization to prioritize those business functions, work with internal teams to help get things up and running. A lot of it is in more of those soft skills, right? It's well beyond just the hands on a keyboard, investigating and digging for data and doing all of those things.
[00:17:27] That's one piece of a larger function of incident response teams where we're trying to help supplement the organization's executive staff to get those business units to a place where they can keep the wheels running and keep the lights on. So, looking ahead in your personal career and indeed for Booz Allen, anything you're focusing on this year? Anything that you're looking into, watching closely?
[00:17:55] There's a big talk about agentic AI and numerous agents going out there. But anything that you're monitoring closely excites you, worries you or anything in between?
[00:18:32] Yeah, absolutely. What types of systems is that agent connected to? And, you know, as we've seen in the last year or so, there have been a number of instances where agentic AI platforms had very simple vulnerabilities associated with tokens and the like. So, it's understanding those risks, understanding how you can mitigate those. And then if, you know, something did happen, how we would go about an investigation of that to help them understand is there a risk to the model?
[00:19:02] Does the model need to be retrained, decommissioned? Just understanding that so that while they can use AI and gain from its productivity, they're not just eschewing the risks and responsibilities that come with that.
[00:19:16] And I'm curious, if we were to take all the conversations that you're having with customers all around the world and all the tech conferences and everything that you're seeing and hearing out there, if you put all that into a big melting pot, are you seeing any trends in the kind of things that businesses are looking for help with, etc.? Anything you can share there around what you're seeing on the ground floor this year? Yeah, so I think the biggest thing comes from conversations regarding resilience.
[00:19:43] I think it's still something that many organizations struggle with because they don't know if they're doing enough, too much. It's really a balance. And I think they're typically looking for guidance on, you know, what is it that we need to do to put ourselves in an appropriate position because no one's ever going to prevent every attack. You know, there's just too many threat actors out there. There's too many, you know, entries into an organization. So it's trying to have an assessment of where do we find that balance?
[00:20:12] Where is the level of resource spend appropriate? What tools and technologies can we implement that are effective and appropriate? Just trying to set themselves up for success. I think everyone has come to terms with the fact that it's not if, it's when. So just trying to really dial in the best bang for their buck and what the things are that they can do that will prevent the majority of things and essentially make them a hard target. And I think that is a powerful moment to end on.
[00:20:42] But before I let you go, for anybody interested in connecting with you, learning more about Booz Allen, maybe following some of the big announcements that will be coming out throughout the year. Where would you like to point everyone listening? Absolutely. So you can find us at BoozAllen.com. You can find me on LinkedIn. Not incredibly active on there, but I certainly put some nuggets of information out there from Booz Allen. Happy to interact with anybody that has questions about what it is we do in the incident response space.
[00:21:13] But yeah, that's the best way to get a hold of us. Awesome. And I think the big message from talking with you today is we can't control the adversary or even predict which parts of our infrastructure will be impacted. But we can control how we prepare and how often. And I think that's often where the biggest gaps lie. So I would have links to everything that you mentioned there. I'd also like to throw this out to everybody listening. There'll be a blog post associated with this episode at Tech Talks Network.
[00:21:41] Please share with me your insights, your experiences, what you're seeing and hearing out there. But more than anything, just thank you to you for starting this conversation today. Thanks so much for having me on. Really appreciate it. I think when a cyber incident unfolds, what separates organizations that regain control incredibly quickly from those that spend weeks trying to understand what happened?
[00:22:06] As my guest explained today, the difference often comes down to preparation that goes far beyond technology. Cyber resilience is actually built through clarity, rehearsal, leadership discipline. And it's the organizations that understand their own environments in great detail. Only then can they move faster during an attack. And teams that rehearse realistic scenarios, they're the ones that develop this muscle memory needed to act under pressure.
[00:22:36] And companies that define their minimum viable operations ahead of time, these are the ones that are able to navigate and avoid the chaos of every department competing for priority during a crisis. But one idea that really stood out to me was the importance of treating cybersecurity as a leadership responsibility across the entire business. Incident response cannot sit solely with the security team.
[00:23:02] Every department now plays a role in recovery, communication and decision making when those systems go down. And without that shared understanding, even well-funded organizations quickly find themselves stuck in analysis paralysis when every second counts. And I think Andrew reminded us that incident response is as much about communication and coordination as it is about technical investigation.
[00:23:30] And it is that ability to guide teams through uncertainty, set priorities and keep the organization moving forward. These are the things that determine whether a crisis becomes a short disruption or a long-term business setback and appearing in the news headlines for all the wrong reasons. But for anyone listening, if you want to strengthen your own preparedness, I think the message is simple. Stress test the organization before the attacker does. Push scenarios beyond the comfortable assumptions.
[00:23:58] And identify the weak points while the stakes are still low. But after listening to this conversation, I want you to marinate on this for a while. How confident are you that your organization could respond with clarity during the first 72 hours of a cyber crisis? If you would take one thing away from this conversation, it's that you'd go away and think about that. And maybe share it with me. Share it with my guests.
[00:24:25] You can reach me, of course, at Tech Talks Network. 4,000 interviews there. You can leave me an audio message, DM, social channels. You'll find everything there. But let me know your thoughts. If you've got anything you want to add to the conversation, if you'd like to come on here and share your side of the story, I'd love to hear from you too. But that's it for today. So thank you for listening as always. And I'll speak with you all again very soon. Bye for now.