In this fifth of a six-part series, we will introduce the “Respond” function of the NIST-CSF.
What happens when something happens? Who you gonna call? Answering these questions is the essence of the four categories and 15 subcategories of this function. During and immediately after a disruptive event, be it a fairly routine outage or an extreme breach, there needs to be planning, communications, analysis, and mitigation of the problem. It is the sitrep stage of cybersecurity, where reports and analyses are produced based on the evolving situation. Sometimes this stage can feel chaotic, with uncertainty and ambiguity about the exact scale and scope of the situation, compounded by miscommunication and misinterpretation.
To counteract such problems, an integrated and iterative planning, testing, and training program should be instituted. While there are certainly costs associated with such programs – mostly in terms of employee time and attention – they are uniquely suited to becoming more and more efficient and effective over time. Why? Because IT and cybersecurity problems are a daily reality in modern organizations, and while it may sound counterintuitive, failures and errors are in fact hallmarks of so-called High-Reliability Organizations (HROs). In such organizations, mistakes are seen as opportunities to learn and improve, rather than as occasions to assign blame. The idea is to encourage individual responsibility without fear of retribution, thus making everyone a part of the response team.
We at novaturient specialize in performance and change management, and preparing companies for constructively dealing with the organizational side of both routine outages (high probability / low impact) and extreme events (low probability / high impact).