22/02/2017 12:34 GMT | Updated 23/02/2018 05:12 GMT

How To Create A Cyber Security Playbook

What is a Cyber Security Playbook?

All organisations plan for fires, floods, or any other type of incident that impacts business resilience; why should cyber security be any different? The purpose of a Security Playbook is to provide all members of an organisation with a clear understanding of their responsibilities regarding cyber security - before, during and after a security incident.

A Security Playbook also defines the Crisis Communications Team (CCT) and establishes the contact liaison between the board and the rest of the organisation.

Once the team is defined and aware of their position, key action steps to be taken in the event of a cyber security incident also need to be put in place. These will include:

- Incident detection: notification, analysis and forensics

- Response actions: containment, remediation and restoration

- Communication: capturing the lessons learned and managing media relations

There is no one-size-fits-all approach to Security Playbooks. Before defining the strategy that is right for your organisation, you must first have a clear understanding of what data is most important to protect.

Before an incident

Crisis Communications Team

The CCT needs to be put in place prior to an incident occurring. Various levels of personnel and departments need to be involved to ensure company-wide understanding and participation. The team should include:

- CEO/CTO: In charge of disseminating the message throughout the organisation and communicating with the board

- IT department: Most likely to have the technical expertise, members of the IT department definitely need to be involved; however, it cannot be solely their responsibility

- Media/PR: Necessary to deal with the potential media coverage and disseminate the message agreed by the organisation

- Legal counsel: To provide legal insight into the impact and ensure the response is appropriate to meet compliance or regulatory requirements

- Others: The CEO/CTO must decide if other team members or departments need to be included in the CCT

Incident response plan

Following the establishment of the CCT, an incident response plan needs to be implemented, including a step-by-step plan of key actions to be taken in the wake of an incident. Practice drills and exercises also need to be run, so that when an incident does occur, everyone is aware of the role they play and the impact can be minimised. Such exercises include:

- Security awareness training: to educate employees on best practices, including those who have not had much to do with cyber security previously

- Journalist simulations: knowing how to handle the media and convey a collective message is a crucial element of crisis mitigation

- Red-team exercises: a vigorous attempt to gain access to your organisation's systems, in order to identify any weaknesses

When these weaknesses have been discovered, recovery plans need to be drawn up so everyone knows the necessary actions.

During an incident

React fast

As soon as an incident occurs, the incident response plan needs to be put into play. The goal is to handle the incident in a way that limits both damage and impact, financially and to the reputation of the organisation. The CCT needs to communicate with the entire organisation, from the top down, so everyone is aware of what they need to be doing. The lessons and best practices learned from the drills, and the mitigation tactics from red-team exercises, need to be implemented.

The quicker and more effectively you react, the greater the likelihood of reducing the impact and cost to the organisation.

Agree messaging

In this day and age, it is difficult to keep news under wraps. Often news of a breach or incident will be disseminated by third parties; this is why having a clear plan and process is crucial.

Working with the media relations and legal teams, the board needs to decide the messaging around the incident. This also needs to cover how much information, and which specific details, regarding the incident will be disclosed. This then needs to be the only message that is communicated on behalf of the organisation. No facts should be communicated until they have been verified.

Nowadays, with the growing prevalence of social media, organisations also need to be aware of their communication channels. As part of the CCT, members of the media relations team need to be assigned to control the social media output: what is coming in as well as what is going out.

Clear and constant communication amongst the CCT needs to be upheld throughout the remediation efforts. As soon as communication lines drop, people can lose track of what they need to be doing - and this is where mistakes are made.

After an incident

As the remediation element of the incident response reaches its final stages, damage control needs to begin. There will undoubtedly be consequences as a result of what has happened; whether the impact is financial or reputational, this needs to be planned for and addressed in the right way for each business.

So you've survived the incident; now it's time to review how successful the incident response strategy was. Weaknesses in the equipment, systems and procedures need to be identified to determine where improvements need to be made.

If the incident has affected customers or, more specifically, their data, the board needs to work with the legal team to decide how this issue will be dealt with. The legal team needs to be included in this decision, as depending on the industry, there may be legislative requirements that need to be met.

Lastly, remain vigilant. Another incident, whatever the type, is going to occur. The most important thing is to ensure your organisation is as prepared as possible to handle it.
