Getting Started: Finding Your Place as an Emergency Manager in Cybersecurity

A successful cyber attack can carry significant costs for the affected organization. On average, it takes 50 days to resolve a malicious insider attack and 23 days to resolve a ransomware attack. Though the cost of an attack depends on the organization size, type of attack, and scope of damage, the combined annual cost is expected to rise to $11.5 billion by 2019. As the world grows more interconnected, the risk of cyber attacks grows, too.The prevalence of these attacks and attacks on public sector entities and the risk of physical destruction of critical infrastructure create an environment in which emergency managers need to understand how to support cyber incident response.

What Can Emergency Managers Do about Cyber Attacks?

Evidenced by the new Urban Area Security Initiatives (UASI) funding requirements, emergency managers have a key role to play in cybersecurity—without being information technology (IT) specialists. In the same way that emergency managers collaborate with key partners and subject matter experts to plan for hurricanes, fuel shortages, civil disturbances, or active threat events, emergency managers can also coordinate with IT specialists before, during, and after a cyber attack.

For instance, before an incident, emergency management and IT specialists can collaboratively establish, test, revise, and practice plans to manage a cyber incident. During an incident, emergency management might establish a regular briefing schedule; communicate and prioritize response actions; and de-conflict any response issues across disciplines. After a cyber-incident, emergency management might oversee recovery of physical assets and implement after-action reporting (AAR).

The role and extent of involvement of emergency management in cyber incident response should be determined by the organizational structure and protocols outlined in an incident response plan. But emergency managers already have skills that can support cyber incident preparedness, response, and recovery:

• Core capabilities in planning, operational coordination, and operational communications;
• Understanding of and familiarity with legal rules and requirements;
• Familiarity with a broad range of stakeholders within the jurisdiction;
• Understanding of training and exercise design practices;
• Understanding of AAR processes; and
• Strategic creation and implementation of a risk management (i.e., preparedness) program.

Where Do I Start?

The Hagerty cyber team has a few recommendations to help emergency managers navigate new territory and start building a nexus approach to cybersecurity in your jurisdiction.

Don’t worry about becoming an expert—focus on finding them. Accepting that we, as emergency managers, are not cybersecurity experts is the first step in building a collaborative team. Emergency managers are connectors—linking and leveraging partners across the community; rarely does our toolkit have all of the skills necessary to develop a comprehensive cybersecurity program. To begin, Hagerty recommends working with coworkers or other departments or agencies to identify suitable liaisons in the IT world that can help size up and create a strategic vision for the cybersecurity program. Frequently, these individuals are Chief Information Officers (CIOs) or Chief Information Security Officers (CISOs) who are responsible for the strategic oversight and implementation of programs and policies to secure information assets and technologies. Consider formalizing this group in future iterations of plans or policies as a Cyber Disruption Team (CDT) (or equivalent, e.g., Cyber Response Team).

Collaboratively size up the existing cybersecurity program. Using new (or rekindled) connections in the IT realm, set aside time with cybersecurity stakeholders to assess the current state of the cybersecurity program. The purpose of this discussion is to determine where the program could use improvement and how emergency management can support that growth. Can emergency management help with writing or updating emergency response plans? Are existing plans sufficient to describe how the entities will collaborate in the event that a cyber incident manifests as physical threats to life safety or wellbeing? If cyber incident response protocols already exist, then the next step is to use planning to create and document a collaborative response and recovery process. Do cybersecurity protocols need to be practiced or vetted through training and exercises? Can emergency management provide guidance and co-lead a training and exercise program?

Identify and document a path forward and set a follow-up date. The outcomes of this discussion should be documented in some type of strategy document that identifies the action to be taken, the responsible party, and a due date or other timeline for follow-up and future engagement. Some first steps might include: updating or revising cyber incident response protocols, formalizing a CDT and establishing roles and responsibilities for the group, creating a training and exercise program outline and high-level objectives, or organizing follow-up strategic visioning sessions to further discuss and generate buy-in for a collaborative cybersecurity program.

To learn more about how Hagerty can help your organization visit cyberthreatready.com to learn about Hagerty’s approach to cybersecurity program management. If you are working to build a more collaborative cybersecurity program and need assistance or want to share your story with us, please contact us online through social media or at cyberthreatready.com!

Jena Lopez is an Associate with Hagerty who primarily supports the Active Threat Portfolio. A graduate of Rice University with a degree in economics, she works in Houston, Texas. In her spare time, Jena crochets blankets (often with “help” from her two Egyptian cats), reads multiple newspaper publications, and spends too much time exploring Houston’s excellent coffeeshop scene. 

Kayla Slater is a Managing Associate with Hagerty who primarily supports pre-disaster recovery planning and cybersecurity preparedness working in Washington, D.C. A graduate of Georgetown University’s Emergency and Disaster Management Program, Kayla enjoys helping clients develop innovative and practical plans and tools to support response and recovery. In her spare time, she bakes, reads, and bikes to donut shops.