Cyber Mayday and the Day After
Book written by Dan Lohrmann and Shamane Tan
Book review by Ben Smith
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a solid read.
The strongest books deliver their wisdom not through dry recitations of facts and recommendations, but through stories. And this book is full of stories supporting its central focus on how to be resilient in the face of any business disruption.
It's clear that the authors, and the many other contributors who added their thoughts and experiences to the book, have seen more than one incident response that went awry. Having a plan that is both current and recently exercised through a tabletop exercise is a great goal. But it is not unusual to see behaviors change during a real-world incident. An unanticipated outcome of one state's cyber-impacting power incident was that most staff left their workplace to check on their families before returning to work. Accounting for this situation was not part of their emergency response plan at that time, but you can be sure that after their after-action review it was inserted into the plan.
That after-action review is a critical step and should not be truncated or even ignored once the dust has settled after the incident is contained. There has never been an incident response plan which could not be improved by adding new learnings - but you have to take the time to walk through what worked and what did not work. Contemporaneous documentation is particularly important as part of this review process. A former senior officer is quoted saying "If it isn't written down, it didn't happen." The authors make it clear that you don't have to start from scratch by providing a well-stocked section outlining many free cyber incident resources (and resources on other cyber topics).
One common thread through several of the book's chapters is a key non-technical challenge that frequently surfaces during high-pressure incidents: poor or non-existent relationships among the responding departments or entities. The authors quote the military truism "You don't exchange business cards during a crisis." And of course, relationships and trust are best built first between individuals, and then between the organizations they represent.
Many books in this vein invest good time talking about "best practices" gleaned through hard experience. What sets this book apart is the admission that successfully implementing any collection of best practices is not at all guaranteed. A pair of charts spanning five pages outlines reasons why best practices often fail to be implemented, whether due to excuses or outright apathy. And it's not just a list of these reasons: the charts also include questions to ask to determine if your organization is falling into one or more of these holes, accompanied by brief tips to help close the gap. Well done on this important point.
While this book may not rise to the very high bar for inclusion in the Cybersecurity Canon Hall of Fame, it does speak directly to several important functions. If you are a manager in any industry who is new to incident response responsibilities, you'll find the extended quotations and real-world short stories from experienced practitioners provide a great foundation for you and your team. Anyone who is looking for ideas or inspiration about available frameworks will find eight pages of pointers laid out clearly at the end of the book. Most importantly, if you are a current or aspiring cybersecurity leader working in state, provincial or local government, this book should absolutely have a place on your bookshelf.