CyberGamechangers in Resilience: Train as You Fight

In a rapidly evolving business landscape, adaptability has become a necessity for companies. Acknowledging this crucial aspect, iluminr created the Gamechangers in Resilience interview series, a tribute to influential leaders who have championed flexibility and resilience within their organizations, clients, and communities.

Showcasing voices from across the globe, this series shines a spotlight on these exceptional individuals, whose efforts have empowered their teams, ecosystems, and communities to flourish amidst adversity. By celebrating their accomplishments, iluminr honors the transformative impact of these leaders and their unwavering commitment to success, even in the face of challenges.

Lester Chng is a cybersecurity and crisis management professional with extensive experience in conducting exercises and establishing large-scale exercise programs in the financial services sector as well as the military.

He has participated as the lead representative in multinational security exercises and has also orchestrated enterprise-wide live exercises.

Lester is a former Naval Surface Warfare Officer of the Republic of Singapore Navy where he ran the Naval Wargaming & Simulation Centre. He has leveraged his experience in military wargaming to build cyber and crisis exercise programs.

Lester holds CISSP and PMP certifications and is an active contributor to the cybersecurity communities on LinkedIn.

Q: How did you get your start in risk, security, and resilience?

Lester: I started in risk, security, and resilience right off the bat as a 19-year-old signing up to serve in the Navy. Of course, it was only 20 years later that I realized this.

Upon reflection, serving in the military was indeed a baptism of fire in risk, security, and resilience. In the Navy, I was responsible for the training, discipline, operational excellence, and safety of the men and women under my charge. We operated heavy machinery, and the nature of the work was riskier than your regular 9-5. The Navy trained me to have a keen eye on risk to life and mission and to always have that as a key consideration in planning, training, and execution.

Security was another aspect which was ingrained in the military. The guarding of secrets, classification of information, segregation of networks, and the code/ciphers of communication equipment was my first foray into security.

Resilience is something close to my heart. In fact, the name of the ship which I served on as the Executive Officer was RSS Resilience, with her motto “We will Prevail.” Of course, the military places emphasis on personal resiliency. The training reflects it, as we stress-test mental and physical resilience daily. In addition to personal resilience, there is a critical focus on the resilience of systems. The military caters for multiple layers of redundancy, as failure of operations would tip the scales between life and death.

Resilience is part of system design.
Resilience is part of training excellence.
Resilience is part of culture and mindset.

When you cannot afford to fail, you do all things necessary to ensure success.

Q: What do you consider to be the key pillars of success in Resilience?

Lester: Firstly, gaining mastery over the environment in which you operate. This entails being adept in processes, understanding your people, and harnessing technology.

Secondly, understanding the limitations of these various elements. A process, as robust as it is designed, may fail. A strong team has its limits and fluctuations in performance. And technology, our favorite, is never failproof. Knowing where the probability and impact of failure lie allows you to prioritize where you focus for the next pillar of success.

The third pillar of success is training and exercising.

To quote the warriors in 300, when faced with a barrage of arrows that blot out the sun, they proclaimed, “Then we will fight in the shade.”

Training and exercising cannot be allowed to become a tick-the-box task. When that has occurred in your organization, shake things up. That is your duty as a resilience/risk/security professional.

Q: What are some common challenges organizations face when it comes to building resilience against both cyber and physical risks?

Lester: Time and money. Related to that is the question of how much resilience one should build.

Yes, we know that there are logical ways to derive tolerance and redundancy requirements. These are still additional costs that a profit-driven organization must bear.

Old structures. Habits die hard, and legacy practices often trump innovative new concepts, especially when they do not generate additional revenue.

Q: What are some key considerations when designing and executing exercises to enhance cyber and physical risk resilience within an organization?

Lester:

A – Maturity of teams. The exercise should cater to the maturity level of the participating teams. If the exercise is too rudimentary, stakeholder engagement will be lost and future exercises will lose credibility. If the exercise is too advanced, the response teams may be demoralized and a larger effort is required to recover their operational efficiency.

B – Alignment with overall strategy progress. A well-designed exercise program matures together with overall security program development. It will serve as both a guiding light for aspirational standards and a reality check when milestones in the overall program are met.

Q: How do you ensure that these exercises effectively simulate real-world scenarios?

Lester: Firstly, use real incidents as a baseline for scenarios. There are too many incidents to choose from.

Secondly, understanding the objectives of the exercise and the expected response will allow you to control the narrative and flow of the exercise.

Thirdly, leverage “actors” within the organization to role-play response. This enhances the realism of the exercises.

Lastly, validate injects and expected response with key stakeholder/exercise owner. This will prevent in-exercise bickering and confusion.

Q: Cybersecurity threats are constantly evolving. How do you stay up-to-date with the latest trends and emerging risks in the cyber landscape?

Lester: If your enterprise has a Cyber Threat Intelligence structure, leverage their reporting and analysis.

Otherwise, leverage reporting of Open Source and vendor reports.

Q: Physical security is equally important in ensuring overall risk resilience. Could you share some insights on how organizations can effectively conduct physical security exercises?

Lester: Depending on the environment that your organization operates in, physical security threats vary widely from active shooter to natural disasters.

A physical security incident usually revolves around 3 key elements: Urgency of response, collaboration with local authorities, and communication.

Hence, an exercise needs to invoke these 3 aspects. The use of role-players will be able to create chaos and urgency. Pre-exercise coordination and inclusion of local authorities will enhance the experience. Forcing the participants to utilize alternate communication channels will also add to the realism of a real incident.

Q: What do exercises look like in a highly distributed workplace?

Lester: Exercises in a highly distributed workplace look more realistic than in-person exercises in a closed room. The current common hybrid work arrangements of most organizations serve as an excellent model for exercising. In fact, it is probably one of the “positives” to come out of this remote work experience.

Train as you fight. Don’t pause for the coffee break and chat.

Q: How do you engage executives and boards in exercises and simulations?

Lester: Speak in business terms and keep it succinct.

Invest heavily in the preparation of the exercise with actual data and feasible recovery/mitigation plans that the response teams have detailed.

Ensure that the exercises are based on recent and relevant events.

Bonus points if you can demonstrate the progress and maturity of your overall security program via these exercises.

Q: What is the most effective way to ensure teams apply what they learned in simulation to a live event?

Lester: First is to have an open culture about the purpose and value of exercises. It should not be construed as an audit where failures are highlighted. Instead, the teams should understand that these potential gaps become known knowns instead of remaining unknowns.

Secondly, a robust remediation and tracking plan for action items ensures that the lessons learned are incorporated. This provides a strong structure for long-term improvement.

Thirdly, frequent exercises or short drills can keep teams sharp. It also allows other participants in the team to experience being the lead respondent.

Q: Scenario planning and exercising can sometimes be overlooked, particularly in this crisis-as-usual situation where there are no resources to spare. How do you coach organizations through this?

Lester: Be intentional about resourcing during a crisis. Take a deep look into actual resource allocation, task load, and cadence during a crisis. It is likely to be over-staffed out of the abundance of caution.

Surge resources at the front when information is scarce and impacts are unknown. As more information is acquired, assess periodically the resource load and cut back to release staff back to business as usual duties.

If your organization is indeed handling that many crises, then take that as actual real-life training. Just be wary that the rigor of most of these “crises” is often overblown and does not stress-test your teams in the necessary areas.

Q: Collaboration is essential in managing and responding to security incidents. How do you facilitate cross-functional collaboration and information sharing during security exercises?

Lester: Be upfront with the exercise objectives. If the exercise is to ensure that the security and technology teams collaborate, then state that clearly and orchestrate the exercise accordingly.

Gain stakeholder buy-in prior to the exercise. Speak to the respective stakeholders before an exercise and convince them on the value of the exercise. If you can include previous incidents where there was a deficiency in collaboration, highlight that and re-live that incident.

Q: What advice would you give to organizations looking to establish or enhance their exercise programs?

Lester: Threat actors will not wait for your program to mature before they attack.

Run your exercises early in your program, establish a regular cadence, and track the progress of your response. This will convey a much more effective message of preparedness than a PowerPoint deck with many green dots.

Q: What is the leadership playbook you are writing for yourself in real-time?

Lester: It is too late to build resilience amid a crisis. You would be reacting instead of taking proactive steps to mitigate or avert risks.

Start building resilience mentally through reflection and stopping to acknowledge what you have achieved. Then employ your inner circle to shore up support and reinforce your value proposition. This will help when you start to question yourself.

Lastly, be bold but also be vulnerable. Facing your weaknesses is the first step to addressing them.

Name it, then own it.