Planning to just assume Cyber Risk? – Don’t forget recovery planning

(A summary of an article by Paul Bergman and Bob Zukis)

There are a number of ways to manage risk. For some companies, a certain amount of risk will just be accepted as inevitable. Indeed, the Microsoft CISO has been quoted as saying, “It’s not IF but WHEN.”   If risk acceptance is in your plan, bouncing back quickly and effectively is key to ensure business continuity. 

There has been widespread recognition that some of these cybersecurity (cyber) events cannot be stopped and solely focusing on preventing cyber events from occurring is a flawed approach. … Organizations need to be prepared to resume normal operations in a secure and timely fashion when cyber events occur.  – NIST SP 800-184 

Develop Recovery Playbooks

A playbook is an action plan that documents an actionable set of steps an organization can follow to successfully recover from a cyber event. Playbooks can be focused on specific cyber attacks and are usually unique for every organization; tailored to fit strengths, people, and technologies available.  

A simple case of recovering from a cyber event might require an administrator re-deploying a system or restoring data from a backup, but in most cases a full recovery plan is more complex. In today’s world, a cyber incident could likely require legal, communication, regulatory, and human resource engagement.  A playbook specific for the type of incident would highlight not only recovery steps but also evaluation, prioritization, and a timeline for engagement of required resources.   

Playbooks should include

·         Requirements for service restoration

·         Response team

·         Recovery steps and procedures

·         Interim internal communications

·         External communication plan

·         Operational workarounds 

Playbooks Must Be Practiced and Dynamic

 Writing a cyber recovery playbook is the first step but as technologies change it can become outdated quickly in a business environment. It can also include assumptions or conditions that change over time.  Validating recovery capabilities ensures that the technologies, processes, and people involved in recovery efforts are ready and prepared to work together. As with any team, the amount of time spent preparing can be directly correlated to its effectiveness so the team should regularly practice in realistic simulated recovery scenarios.

 Exercises and tests should:

·         Remind participants of known risk scenarios

·         Confirm or refute assumptions that were made in planning

·         Validate recovery times and key metrics

·         Spotlight gaps and inefficiencies in the processes that should be addressed

·         Train personnel

Develop Recovery Metrics

The CISSP, perhaps the most common certification for cyber leadership, defines four key metrics associated with recovery from an event:

1.      Recovery Point Objective – RPO

The acceptable amount of data loss that the organization is willing to accept. In essence, this sets a “get us back to where we were [15 minutes] ago.”

2.      Recovery Time Objective – RTO

This is the maximum tolerable time the organization is able to endure to get critical processes back online.  “We need to start sending basic data within [30 minutes]”

3.      Work Recovery Time – WRT

The time target to get all systems back into normal operation

4.      Maximum Tolerable Downtime – MTD

The maximum time the organization can tolerate between the event and full recovery of operations without unrecoverable consequences


Much like a sports team, the ability to recover from a loss is key to a successful season. It can be argued that no company will have a perfect “cyber season” without any incidents to respond to.  The best companies will be those that have a recovery plan, practice it, and update it when necessary.

Lastly, if you find yourself blindsided by a cyber event and you have no in-house expertise, seek assistance from a trustworthy external party: the Department of Homeland Security(DHS), an Information Sharing and Analysis Organization (ISAO), or a commercial managed security services provider.


 Paul Bergman is vice president of Tracc Development, Inc., where he drives cybersecurity engagements for enterprise and government clients, such as Cisco Systems, Panasonic, US Navy, ROAM IT, and Kryptos Logic.

 Bob Zukis is Founder/CEO of Digital Directors Network, a boardroom advisor, advocate, and association focused exclusively on improving digital and cybersecurity oversight. He is a retired PwC advisory partner, and is a professor at the USC Marshall School of Business where he teaches the only executive education program in America on digital and cybersecurity governance. 

 You may also enjoy my previous article: Why Japan "hacking" citizen’s networks is not a bad thing