What does Incident Response have in common with driving a Warship?

This may seem like an odd question, but hear me out.

Having spent the first six years of my career after university driving warships, and the last 14 years managing cyber and forensic incidents, I can tell you that we can definitely learn a thing or two from the way the Navy goes about it.

1. You need a really good skill base

In the military, you don’t get to go anywhere near a warship until you have passed not only basic training but a steep learning pathway of intense, subject-specific training. There is a lot at risk, and a warship is expensive, so the stakes are high!

Do we take the training of our cyber teams as seriously? Do we take their job of protecting one of our most valuable assets, i.e. data, as seriously? I think we should accept that many organisations do not, and perhaps do not invest in the right sort of training: the kind that stretches our teams and makes them better. I don’t think a cruisy conference in Vegas is always the right option.

2. You need a really good plan, which can’t just be in your head

Before a warship even thinks about leaving port, the planning is meticulous: where are we going, how long will it take, how much fuel will we need, where will we resupply on the way, what weather can we expect, what are the risks… the list goes on. This is called a “passage plan”. It is presented to the Commanding Officer of the ship on multiple occasions before that ship goes anywhere, and then it is communicated to Naval Command. Think of these as the CEO and the Board.

How many organisations really have a plan for resolving incidents, as part of their cyber journey, that has been presented, tested and critiqued at the highest levels? All too often I have seen organisations ‘wing it’ in situations that were easy to plan for. Is this good enough?

3. There is no such thing as too much training, and it should not only happen at convenient times

Ultimately, the job of a warship is to perform at its peak, as a well-drilled team, on operations. Operations can be things like peacekeeping or humanitarian aid, patrolling our borders, or contributing to wartime operations. When you are not on operations, you are either conducting maintenance or training, and you do a lot of training! Having served on a number of operations, I can tell you that when you are in that moment, you default to your training to guide you through the really intense times. The more regular and the more realistic the training, the better you will perform in a crisis.

Having also managed hundreds of cyber and forensic incidents, I think we can learn a lot from that military experience. I often challenge incident response and crisis management teams on how much they train, how realistic that training is and how well documented their objectives are. There will always be surprises in every incident, small incident-specific details that are hard to plan for and have to be overcome at the time. For the most part, however, the process a team goes through to detect and analyse, contain, eradicate and recover from an incident has a stable core of people, tasks and timeframes.

People will always need to do certain things, by a certain time, in a certain way, and to communicate (upwards, downwards, inwards and outwards) about what they have found and what they are doing next. This response and recovery core needs to be captured in a plan or playbook in a usable form. It needs to be uncomplicated, and it needs to be rehearsed regularly so that nobody is learning it for the first time in a crisis. It also needs to work when key people are unavailable, or when the incident starts in the middle of the night on a weekend. Don’t always train for the easy; train for the hard.

4. You should always learn and adapt

In the military, we never wasted an opportunity to learn. One of the most common and valuable mechanisms for this is the ‘debrief’: an open conversation held right after an exercise or event that captures the good, the bad and the ugly while it is fresh in everyone’s mind. It culminates in a list of observations, take-away actions and named responsibilities for making changes or conducting more training to address shortfalls. Personalities need to be set aside to get the best learning from the moment.

As an incident responder, I can tell you that I get called onto repeat incidents regularly, many of which could have been avoided if more time had been given to the ‘debrief’ and more accountability demanded for post-incident actions. Never waste a good crisis!