From the jaws of disaster
"Waking Shark II", the UK financial services industry's latest "Desktop Cyber Exercise" (incident management/business continuity desktop walkthrough), successfully got all the main participants together in London to act out a coordinated response to a credible attack scenario.
The simulated three-day incident was compressed into a few hours, presumably using an accelerated clock - an interesting application of a technique more commonly used in product testing.
Among the reported findings and recommendations, I'm a bit surprised to see the suggestion that "In future exercises it may be beneficial to provide firms with more scenario detail in advance of the exercise and possibly allow part of the exercise to be played out internally before convening in an exercise to respond as a sector." Surely a key part of this kind of exercise is to simulate dealing with a major incident that blows up out of the blue? Giving participants a chance to prepare for a specific scenario may help them appear more coherent and coordinated in the exercise, but (in my opinion) seriously detracts from its value. The question is: do they want to look good or to be good?
Something else that sings out from the report is that there are lots of fingers in the pie. The financial sector is a significant part of the UKs economy, hence it is no surprise that exercises such as this generate so much government and regulatory interest and involvement. The sheer number of agencies or groups that have crept out of the woodwork, and even now are presumably still vying for their piece of the action, is symptomatic of the extent of regulatory oversight and associated red tape. I wonder if a future exercise might involve a scenario involving regulatory risk?
Nevertheless, I heartily recommend downloading, reading and using the report as a business continuity awareness exercise in your organization, regardless which particular industry segment you inhabit. Think and talk through the not insignificant matters raised in the report, such as how you will - in practice - contact, liaise and coordinate with various external parties in the event of a major incident, including (as one of the findings notes) the authorities if criminal acts are involved. Who would actually do that? What authority would they need? Who would they need to contact for approval, and how would it be done? Now is a good time to work through issues such as these.
And if you think you need pre-warning of the next disaster exercise scenario, I suggest having a full and frank discussion with senior management about business continuity, resilience and contingency. Because, as far as I know, cyber-crooks, foreign superpowers and tornadoes don't usually explicitly pre-warn their targets ...