On Tuesday, I attended Information Security World in the UK, which is a great event and well attended, with some thought-provoking presentations. One of the guest speakers was part of the team that helped locate and rescue the youth football team in the Tham Luang caves. You may ask what this had to do with cybersecurity but, for me, it was both compelling and relevant.

Having a documented process and a plan is clearly needed when handling a cybersecurity incident. However, building a team from the various functions is also essential. When handling an incident, communications, press, command and control, as well as assurance are all essential. Being able to step away from the emotion of the event and calmly handle a different situation is a difficult skill and requires an experienced leader who understands the situation and the consequences of their actions.

The need for a “blue folder” – a folder that has the process and procedures documented and, more importantly, tested and re-tested – is a clear lesson that we often fail to implement. A cybersecurity incident and how an organization responds demonstrates how well it has prepared and the priority it has put on handling sensitive information. Various compliance requirements and regulations state the need for an incident response plan but, according to our Global Threat Intelligence Report and our Risk:Value Report, not every organization has a plan and, even if it does, it often doesn’t robustly test and re-test the plan.

The cave rescue was a success because the team recognized the risks and had a clear and documented process to follow. It tested the plan in a real-world scenario from start to finish, and modified or adjusted the plan to take changing circumstances into account. Calm leadership and a dedicated specialized team were essential, along with the “blue folder”.

While most cybersecurity incidents are not life-threatening, we can all learn from the dedication of experts and the need to follow a process that is well tested.