Are junior cybersecurity professionals outpacing their senior colleagues in readiness for modern threats?
In this episode of The Business of Cybersecurity, Neil C. Hughes sits down with Max Vetter, Vice President of Cyber at Immersive Labs, to examine a surprising trend: less experienced team members are consistently completing more difficult training content than veterans with eight or more years in the field. It’s a data point that challenges assumptions and raises urgent questions about how organizations approach skills development in cybersecurity.
Max shares findings from recent research that expose worrying gaps in readiness, especially at the senior level, and outlines a practical checklist for building resilient, threat-ready teams. He makes a compelling case for continuous, challenge-based learning across all levels of expertise, not just for new hires, but for seasoned professionals who may risk falling behind.
Together, Neil and Max explore:
- Why traditional training approaches might be failing senior professionals
- How complacency and lack of tailored development can erode cyber resilience
- The cultural shifts needed to make continuous learning a team-wide priority
- What boards and business leaders should know about workforce readiness gaps
Whether you're leading a SOC, managing risk at the executive level, or shaping your organization's cyber strategy, this episode offers real-world insight into the human dynamics behind technical defenses.
Are we doing enough to upskill cybersecurity veterans before the next threat hits? Tune in and join the conversation.
[00:00:04] Welcome to The Business of Cybersecurity, a podcast which is part of the Tech Talks Network. My name's Neil C. Hughes. You may know me from the Tech Talks Daily Podcast, which covers a completely different area every episode. And in this series, The Business of Cybersecurity, I explore where security and businesses intersect. Well, joining me today is Dan Potter. He's the Senior Director of Operational Resilience at a company called Immersive.
[00:00:34] And he's also an expert in helping organizations prepare for and navigate those nasty cyber incidents when they occur. One of the reasons I'm excited to get him on the podcast is his belief that effective management comes down to preparation, structure and continuous learning. So together, we will explore how leaders can learn from major cyber incidents, the key components for a decision-making framework,
[00:01:02] and the essential steps for managing a crisis before, during and after it strikes. So, how prepared is your organization for the next inevitable cyber incident? And more importantly, how ready are your leaders to steer the ship when that storm eventually hits? Well, let's get Dan Potter onto the podcast to discuss all this and much more. So, a big thank you for joining me on the podcast today.
[00:01:31] For everybody hearing you for the first time, can you just tell them a little about who you are and what you do? Yeah, Neil. Thank you. Good to be here. So, my name's Dan Potter. I am a Senior Director of Cyberdrills at Immersive. And my job is really to help organizations run cyber drills, so technical exercises through to executive exercises, so that they can help prove and prepare themselves for cyber disruption.
[00:01:56] Background, spent over 15 years in financial services and various roles around business continuity, crisis management, cyber incident response and exercising. So, that's very much my background. Well, thank you for joining me today. And it's those exercises you mentioned and preparing enterprises for cyber disruption is one of the reasons I invited you on the podcast today. I don't want to start on a downer here, but cyber crises like MoveIt or Log4j,
[00:02:25] they've all had significant impacts on organizations around the world. So, my first question to you has got to be, I mean, what key lessons can business leaders take from these famous incidents that we've seen dominating our news feeds, especially when it comes to managing future cyber crises? Anything that you would share around that? Yeah, and they're great examples. And it's a good point to start off with. And it sounds obvious, but it's always if we want to be ready,
[00:02:53] we have to keep in mind leadership that it's a question of when, not if. You know, those that MoveIt, Log4j, they're kind of supply chain events where the cascading impact of one of your suppliers could have a really detrimental impact on your own business. Just one example. And so, the sort of things I would always advise leadership in any organization, it's kind of obvious. Invest in the basics, right? Understanding your IT estate and your business processes.
[00:03:20] How many people struggle to understand where MoveIt or Log4j sat within their ecosystem, supply chain systems to, you know, how long did it take to work that out? But also, you know, cyber crisis. Think about the interconnected way any business operates. So, you know, problem over here can have cascading impacts. Might not be directly cyber, but, you know, operational disruption over there for your business. How do you know about that?
[00:03:43] On the basics, patching all of that good stuff, that discipline, having asset inventories up to date, but also, of course, playbooks and procedures. So, understanding who will do what and when. What's the escalation path? One of the things I think those examples show is, you know, do leaders trust the process that their teams put in place and the playbooks and procedures?
[00:04:06] Or do they react to something they see on the news and then start jumping in and intervening and asking for updates from their security operations team or technical teams, leadership teams? How does that either help or hinder? Because I've seen it in both ways. You know, people not following the process, inserting themselves into something because they want information, because they're reacting to something on the news cycle. And that can be helpful or not, as may be the case.
[00:04:34] Then I think the final thing that all of those incidents say, focusing on the basics, understanding your estate, having good process in place and escalation paths, is never lose sight. If we're going to be ready, you know, when, not if. We've got to think about the collective impact, particularly of those kind of examples you gave me, even in Log4j. They impacted multiple organizations. And how you respond, technically, is really important. How do you mitigate, eradicate, contain the disruption?
[00:05:02] But also, how do you communicate externally? Because then we can probably come on to this, kind of the notion of the court of public opinion. You're going to be judged on your actions, even if they are technically brilliant in the way you respond. The way you externally communicate will certainly be all over social media very quickly. And that's something you need to keep in mind.
[00:05:23] And I think that is such an important point, because having that emotional reaction to scary news headlines around threats and attacks and being judged on your next move, those things alone mean that decision-making under pressure is a critical skill during any cyber attack. And I think it's something we don't talk about enough. So what would you say are the essential components of a well-structured decision-making framework that leaders should have in place, so they don't make those rash emotional decisions?
[00:05:52] Yeah, and I think that's such a key point, that we all instinctively in a crisis sort of fall into the trap of reacting on instinct and gut, you know, this is what I feel to do. And then we're not following that decision-making framework that we need to have. And I think, and I've seen from my time in financial services and working with an organization today, it's imperative that you have confidence in the various teams that are involved in your decision-making framework
[00:06:18] and recognizing at what layers of your organization do certain types of decisions need to be made. Because if you have confidence in your security operations team to quickly identify this, or your public relations team to communicate X, Y, and Z, whatever that needs to be, you can build trust, and you can build trust in that decision-making framework. All too often, that trust breaks down. It's just not there, right? And I'm certainly guilty of this in the past.
[00:06:45] I've created huge playbooks and procedures, you know, brilliant for compliance. When the moment of crisis comes along, not necessarily followed. And I think that was down to a lack of confidence or understanding of the process, part one, but also a lack of trust in capabilities. And that's what we've got to really recognize. I think the other thing, and whilst I'll always place great emphasis on playbooks, procedures,
[00:07:10] you can't not have them, you've got to recognize that every incident is going to be different in any organization. You've got lots of smart people who all bring different perspectives, who are all well-intended. They want to do what's right for your organization. They all need to come together very quickly and make collective decisions, and they'll all have that different perspective. It can be really powerful and really kind of amazing in the moment of a crisis
[00:07:35] to see those silos in a business break down very quickly, the silos in any organization, because we're on mission. We understand what we need to do. So we're therefore taking, you know, good decisions or bad decisions, but we're following some decision-making framework. And just having that framework to guide that decision-making and making sure, to the earlier point, right, leaders at the C-suite aren't inserting themselves into technical decisions,
[00:08:03] technical leaders aren't trying to solve external regulatory compliance communication strategies. Play to your strengths, but break down those silos in the process so that you have the kind of a real team spirit across those different organizations. But I think really key, and I've seen this in real incidents many times, psychological safety, because you will make, even if you've got the best frameworks and the best technical capabilities and the best leadership decision-making framework in place,
[00:08:33] you know, we will, with hindsight, have made mistakes. We could have done things better. And obviously in a cyber crisis, you know, we can get really blinkered really quickly, and we need to be able to call each other out and say, hey, Neil, are you sure that's the right decision? Like, you're sounding really confident, but are you sure that you've considered all the possible things? So we need to be able to not blame people if we make wrong decisions, but also at that moment of crisis in the decision-making framework, have confidence to be able to call you out, not in an aggressive kind of blame game culture,
[00:09:02] but say, how sure are we that this is the right thing to do? But without spending, you know, hours and hours in inertia, not making a decision. And that comes back to what's the framework we're going to make for decisions, and do we trust each other, and do we have confidence in their respective knowledge, skills, and judgment? For me, that's the key thing. It's that framework, trust and confidence between different teams, recognising where people play to their strengths and what roles they need to adhere to and follow.
[00:09:32] There are just so many great points there. Pure gold for me. And I'd love to try and bring to life some of what you said there, and maybe think about a real-world scenario. Let's imagine a business leader listening. They've just had a cyber crisis here. It's all over the news. They are impacted. Every decision they make could have far-reaching consequences. What should that leader prioritise in those opening hours of the crisis to minimise damage and maintain trust from the outset?
[00:10:01] I appreciate every attack or crisis is different, but where should they begin? Yeah, it's a great question, right? And I don't envy, you know, having seen leaders respond to various incidents, various cyber crises. It's difficult, and I think let's recognise that. This is not ever going to be easy. In fact, the more you prepare, the better and easier it will be, but it's never going to be this simple thing. But in those first few hours, I think it's really important to recognise
[00:10:28] that you could get blinkered on a particular issue very quickly, especially in the first stages of a cyber attack. You're going to get lots of technical information. You're going to have lots of unknowns. So figuring out the unknown knowns at this point, but not getting blinkered on a particular, this was the entry path, or here's, you know, they've made lateral movement on XYZ server to XYZ box, or whatever it may be that this technical team were giving you, is kind of, yes, understand that,
[00:10:57] but take a step back and understand the bigger picture and look at the bigger picture at that leadership level. Like, don't get fixated on one particular problem because that is the immediate thing in front of you, but it's probably going to lead to 10 other problems, and you need to be elevating your decision-making and empowering those people who are best placed to make that immediate decision about that particular technical aspect, for example, or the communication to customers. I think the other thing in those first few minutes
[00:11:25] and hours of a cyber incident is it's very quick. You know, the energy's going. Everyone's kind of, you know, fearful. They're engaged. They're all different. As people get brought into a cyber crisis, they're all coming in, obviously, with different perspectives, but they're coming in with different understanding of the situation. So making sure that you level set what the situation is so that everyone in the room making decisions understands as best they can what is happening,
[00:11:54] but then that you are very clear in assigning out those actions. And the other key thing about that is you might, good cyber crisis response, you might just need a core group of very senior people in the room to make the overall strategic decisions for your firm, and there's all sorts of good reasons for that, but you need to be able to communicate out. So all too often, you know, you can think about the crisis team getting together, making a decision, feeling that they've assigned that action,
[00:12:21] but actually nothing's left that physical or virtual room. Well, they're not communicating out in a way that makes sense to the rest of the organization. So you could become quite isolated without realizing it very quickly in that initial stage. So making sure you've got a clear way of external, not externally communicating outside your organization, but communicating outside that bubble of the immediate core crisis leadership team. I think the other thing in the first few stages of an incident,
[00:12:49] it's always important is sort of building on that point about not getting blinkered on an immediate issue, thinking about the strategic picture, particularly with say a cyber incident, let's not forget we're being attacked by individuals. So unlike a natural disaster, which is awful, of course, and far reaching implications, but relatively contained in a geographical area, you know, they don't, natural disasters, mother nature, and all of that good or terrible stuff, is the way to think about it.
[00:13:18] But when you're being attacked by a cyber attack, you know, there's attackers on the end. There are people with distinct motivations. What's their end goal? Is it simply criminal activity and they want to make some money out of you? Is it an activist group with a political motivation? Is it a nation state? I think that's important to not lose sight of because that might inform your response. And a final recommendation, that early stage, I don't think firms often engage
[00:13:47] sort of the wider community quickly enough in those early stages. Some firms do this really well, but think about, you know, threat intelligence sharing organizations, the informal and formal networks, you know, the cyber community, we're really good at collaboration and, you know, being able to speak to, if you're a CISO peers at similar sized organizations or through the formal government or public sector, you know, public or private sector information sharing networks
[00:14:17] to understand what's happening and to get as much intel as possible is really vital. But you need to know who those networks are, where they exist, so you can make most use of it. And that's key. Who are your key people in the room? I think. And of course, if it's a large scale data breach, for example, the boardroom will be immediately nervous and sweating because of the potential fines and indeed commitments to things like GDPR, NIS2,
[00:14:47] the upcoming cyber resilience bill here in the UK, that could raise ethical dilemmas around whether to disclose breaches immediately or how much information to share. So how should leaders also navigate these challenges while balancing transparency and security and so many other different aspects? It's an incredibly stressful time, isn't it? But what should they be doing there? It's definitely stressful. And you're right. Like, it's really important to understand all those different obligations you have and to which stakeholders and understanding, like,
[00:15:16] who in your team, in your crisis leadership team is responsible for communicating with which agency, which stakeholder set at what point. To your question, though, like, this is a difficult dilemma. You know, every situation, of course, is different and each organisation will have its own risk appetite. But I will come back to this kind of court of public opinion. You will be judged on your response. You will see news outlets commenting, and we saw this with high-profile incidents last year.
[00:15:47] You know, Company A made really great statements. The CEO was very forward-footed in how they responded. Other organisations weren't. So you need to think not only about how you're technically responding to the incident, but how the media, how the wider public might react and judge your response. And that leads to a conversation of, well, what should we disclose where and when? And what's that stakeholder map of communications we need to give? I see lots of times organisations, you know,
[00:16:16] they know that they've got to notify for GDPR, you know, within X period of times we've had a breach or to the PRA or the FCA and financial services. I'm definitely of a view of, yes, you'll have the formal notification. And that brings with it lots of detailed reporting that you need to do and that is time-consuming in itself. But I would always say regulators, they understand. They understand the situation you're in. So the sooner you pick up the phone and even just give them a heads up, hey,
[00:16:45] we are responding to this, we are looking into it, we don't have all the information now, we are preparing our formal submission. That, you know, that kind of heads up call is so much, it's of so much value because you're giving, giving them, they understand, like, this is not easy and that you've got to balance investigating the situation and understanding the impact on your organization before you can fully submit the detail that they would want. But giving them that heads up and it's the same with the board
[00:17:15] is absolutely important. I think leaders listening to this conversation, you've got to think about the different perspectives that your legal team, general counsel will have versus someone from your public relations media team versus someone from your customer client facing side of the organization. And, again, this is why preparation's key. Like, what's our risk appetite? What's our response? What channels are we going to use to respond? Are we going to respond on social media? Are we going to have a CEO
[00:17:45] in front of camera? Are we just going to release a press statement? Are we being strategically silent? All of those are valid but you need to sort of work through them in advance and that comes back to that decision-making framework. And I think resilience is key in recovering from any cyber crisis and poor management or poor response to an attack could damage a reputation for up to five years from that court of public opinion that you mentioned there. So, what steps can organizations take after an incident
[00:18:15] to not only recover but also strengthen their defenses and leadership strategies for any potential future threats? Yeah, great question. I'm going to come back to resilience, which for me is all about being able to bounce back from a change in circumstance or a shock. And so before I sort of get into that question, which is a great one, I also want to just sort of tail on the point here, because I think it's linked, of, you know, if you think of a, you're responding to a crisis situation, leadership can get very focused on: we must notify
[00:18:45] the regulators, we must notify XYZ. The court of public opinion, really key. I think there's real value in having someone in your crisis leadership team who understands your business, and they should be doing this in advance, which comes on to a resilience question, and who at the time of the incident occurring can be in the room, not there to respond formally to regulators or to your customers, but to almost be put into a role and say: you're the client advocate, you're here in the room
[00:19:14] representing our business, but we want you to wear the hat of our customers or our external stakeholders, whatever they may be depending on your organizational fit, purely to be there to say: hey, we're making these decisions, we're thinking this is the right thing to do, but actually what would help our clients, customers, external stakeholders most? So having that advocate is really key. And that, coming onto your question about resilience and recovering: the more that you invest in that kind of bounce-back ability. What do I mean by that? You know,
[00:19:43] the more that you have people prepared to operate with unknown situations, limited data, you've got the process in place, you've got the technology, but you've also got the people who have the trust to work together, the better you are at being able to advocate the best response for your external stakeholders, but also maintain your business and bounce back. And, you know, coming on to the resilience question in this: absorb the shock, be able to bounce back. Cyber being the
[00:20:12] most severe yet most plausible type of disruption we can face, I still think lots of businesses need to break down silos that probably exist between the cyber team, the business continuity team, the third-party functions, but also really with the business. What do I mean by that? I think CISOs, cyber teams, you are specialists, we are specialists in a particular domain. We're never experts in widget manufacturing or releasing payments or accounting, whatever our
[00:20:42] business experts in the services, goods that they might deliver, but the business are. And so we need to make cyber response, cyber resilience a business imperative, and we need to understand what really matters to our business, because what we think matters may not actually be true, and you don't want to find that out during a cyber incident and then the long sort of tail of the recovery. So sort of, I would, this is a long-winded answer to your question, but coming into
[00:21:12] resilience, like, focusing on working with your business: they want to understand the risks. Educate them on the cyber threat landscape, of course, but then in turn ask them to say what really, what systems, what processes, what suppliers are really critical to their business, what kind of harm or impact could be caused to your organization's customers, external stakeholders, at what point if you can't deliver a certain thing, so that you have this understanding of what
[00:21:41] is absolutely vital to protect and where you need to invest in your resilience capability, but also bring the business with you. And I don't always see enough people bringing the business with them, or I still see disconnects between, the business continuity function has one way of looking at the business, the cyber team and other risk functions, and if you're not all understanding the common imperative for your organization, you're not going to, you're setting yourself up for failure.
[00:22:10] I suspect for many people listening, well, they've all had that dreaded annual compliance training where they sit at their desk and just hit next for 30 minutes, and it doesn't work. Something that's always baffled me. And one of the things that stood out for me about what you're doing is Immersive focuses on building cyber resilience through continuous learning. So I've got to, how important do you think that ongoing training and simulation for leadership teams, how important is that, and how does it improve
[00:22:39] decision making during these real-world incidents? Because it sounds great, but I'm just curious on the real impact that it has as well. What have you seen there? For me it all comes back to that trust and confidence and capability, right? If you've got smart people and you can prove it and you understand where there's gaps. So let's take your security operations team. Why would you send them on one training course a year in a threat landscape that's constantly evolving, constantly changing? Why would you do a theory-based tabletop exercise,
[00:23:09] say, how would we respond in this situation? You've got to get them hands-on keyboard, running through exercises on a frequent cadence to build that muscle memory, so that you know, if you're in leadership, that your security operations team have the right skills and judgment in place to ideally prevent the situation in the first place. But of course we know it's when, not if. But when that bad cyber day occurs, they're going to take
[00:23:38] with the best intent, they've got the best skills possible. I can prove it to my regulators and other stakeholders because we've done regular exercising, not just one four-hour thing a year and tick-box kind of compliance training. We've gone through hands-on keyboard demonstration of skills, and we've identified where they've got strengths and we've identified where they've got weaknesses, and then we've done a program of upskilling. There's continuous upskilling at that technical level, security operations team, right through to the executives, right?
[00:24:08] I think I still see many organizations, their idea of exercising the executive leadership is one exercise once a year, four or five hours. It's the same people every year. They go through the same exercise scenario, different flavors of it, over and over again. These people change, you know. You've got to, in reality, these people are all over the place, and on the day of the cyber incident, in those first few hours we were talking about earlier, that core group who went through your one exercise a year
[00:24:37] almost certainly won't be the first responders. So you need to get their deputies involved, and you need to think about ways of engaging across your organization so you've got that resilience at multiple layers in terms of decision making, and people who are comfortable to step up on making decisions to approve a containment action or on approving external communications to the regulator about a GDPR breach or whatever it may be. And all too often, that sort of tick-box training, it's the same scenario
[00:25:07] over and over again, same lessons learned every year, and it's very subjective because we're just measuring someone's discussion. And, you know, picking on you, Neil: Neil, you tell me you can reverse engineer this malware really quickly and solve it in five minutes. Great, prove it to me. And that's what I need. We need the proof, because that then builds the trust and confidence that makes us a more effective decision making in a crisis. We started our conversation today talking about the importance of preparation, how that's
[00:25:36] half the battle, and the practical steps that companies can take before a crisis occurs. But I think we've covered so much here, so most people listening should have a good idea on how to be prepared. But now I'm going to ask you to look into my virtual crystal ball and scare everyone here. What emerging cyber threats do you think pose the greatest challenges for leaders, and how can organisations evolve their crisis management strategies to stay ahead for when those inevitable threats become a reality? Yeah, no, great
[00:26:06] one. So, crystal ball time. We can definitely talk about AI and how that will probably be used, or if it already is, to use more, ever more sophisticated phishing campaigns that act as the entry point into your organisation, and ransomware and supply chain compromise. I still think they're the biggest things, and it goes back to that hygiene factor, of course, that we need to get it really down to a T. How are we going to react and respond,
[00:26:36] whatever the entry point into the organisation? And yes, AI helps us as defenders, but it also helps the bad guys, for want of a better term, the threat actors. But I think we can get over-fixated on that. What we have to do is make sure that our teams are constantly ready. It's hard. People have very busy day jobs. It can be relentless. So how do we make sure that we're constantly prepared with different, you know, regardless of the cause of the disruption, how do we react and respond?
[00:27:06] I mean, I think, Neil, we could get into the political situation in the world. That's a whole other podcast for another day. But if anything, you know, we need to be ready to adjust to very quickly changing circumstances. And my final thing, that if we look at any cyber incident, you know, call it the black swan, whatever it would be, we need to be able to respond as an organization to multiple shocks at the same time. So one cyber attacker gets in, there might be other cyber attackers, or
[00:27:36] you know, there's some other disruption in the world, a natural disaster occurs at the same time. And it's just the way the world sort of sometimes happens, as you get certain multiple incidents at the same time and you've got limited resource and you've got conflicting priorities. So my message here would be: yes, worry about AI, worry about the basics, ransomware, supply chain, insider threat, geopolitical situation of exchanging, but it's about, have I got an organization that has the agility
[00:28:06] to manage and respond and respond to multiple different shocks simultaneously? And they could be caused by an attack against my own organization or across my supply chain, wider ecosystem, and that creates ripple effects, cascading impacts on us. So just need to think about all of those different challenges, would be my advice for the year ahead and beyond. Well, we've covered so much today, and I cannot thank you enough for sharing your invaluable insights. But I'm going to be a little greedy here. I'm going to ask you to share
[00:28:36] one final gift with everyone listening, and that is a book that you'd recommend that we can add to our Amazon wishlist. It can be about anything at all, but if there's something you'd like others to check out, I'll add it to that list. But what would you add, and why? I'm going with a random one here: This Thing of Darkness by Harry Thompson. It's a great book about Captain Robert Fitzroy. It's got Darwin in it, and it's all a true story. I live here in Walthamstow. Darwin, part of it features around
[00:29:05] here, so I would recommend that book. It's an enjoyable novel, where I certainly found it so. It's got nothing to do with cyber security as well, I will add. I love it. Well, I'll get that added to the Amazon wishlist. And for people listening that have more than a few questions, or they're just inspired by what you've talked about and like to find out more, where would you like to point everyone listening? Yeah, absolutely. immersivelabs.com would be where to go. We have a website and happy to
[00:29:35] share more information there about how we help organisations prove and improve their cyber readiness and make sure that they are prepared for the inevitable disruption. Well, there's so many big takeaways from our conversation today, from what we can learn from previous major cases like the Log4j example, the key components of a well-structured decision-making framework, and somewhat of a checklist for effective management both before, during and even
[00:30:05] after a cyber crisis, and having time to leave us with a great book too. But more than anything, just thank you for joining me today. Thanks again. Thank you. I think my conversation with Dan today really brought home one undeniable truth: cyber incidents will happen, but how your leaders respond, that will define how your organisation recovers. And as Dan highlighted today, effective crisis management is about much more than technical fixes.
[00:30:34] It's about strategic thinking, communication and trust. And we learn that successful leaders in these moments will rely on well-structured decision-making frameworks rather than an emotional response, and an assurance that roles and responsibilities are immediately clear so teams can collaborate seamlessly. Ultimately, it's not enough to just trust in technical fixes.
[00:31:03] Leaders need to balance regulatory obligations, stakeholder communications and the strategic perspective of the broader business impact. So as we wrap up today, I'll leave you with this: is your organisation prepared, not just technically but operationally and culturally, for the next cyber crisis? How well would your leaders perform when that pressure hits? I'd love to hear your thoughts on this. You've heard from me, you've heard from Dan. What does your cyber resilience
[00:31:33] look like to you? Let's keep this conversation going. Please email me, techblogwriter at outlook.com, get me on LinkedIn, Instagram and X at Neil C Hughes. Let me know your thoughts.

