Posts

Tabletop War Games

This week I participated in a simulated cybersecurity incident exercise—a tabletop War Game—with Austin’s chapter of the Information Systems Security Association. Participants in the War Game each represented parts of a business responding to a cyber incident, including the C-suite, Legal, Engineering, Public Relations, and Customer Service (I played the General Counsel). We were given the facts of the incident in real time as they “happened,” and we responded in real time with recommended actions and advice. The audience played the role of the general public, peppering us with customer complaints and investor questions to complicate our deliberations and actions.

This rapid-fire event was a great test of the panel’s problem-solving skills, ability to work effectively with others under pressure, and expertise. And it highlighted for me some simple takeaways applicable to any person—whether legal, technical, or otherwise—who may play a part in a cybersecurity incident.

1. Have a plan. Going through a cyber incident is living in a pressure cooker—the heat is on and everyone is testy. In the heat of an incident, you need to devote brainpower to stopping the attack, preventing damage, and recovering your business. You shouldn’t spend precious time defining roles and responsibilities, navigating political issues in your business, or deciding whose budget should cover the experts you engage. In our simulated event, the participants worked very well together due in part to their positive personalities, but also to the fact that we were provided a written plan as part of our scenario. Without the written plan, I bet we would have debated many more issues than we did, which wastes time you don’t have during a live incident. Having a defined plan that is created outside the heat of the moment and addresses as many “what ifs” as possible allows a team to work better together in a crisis, leading to a better overall result.

2. Know your plan and policies. Although many companies have written incident response plans, I think once completed there is a tendency to put the plan on a shelf and rarely revisit it. It is critical not only to test your plan and update it regularly but also for the personnel who will be called into action by the plan to be familiar with it. Creating an operational response plan, checklists, phone trees, or other quick reference guides can also ensure your plan is easy to understand and execute during an emergency.

3. Know your business. One issue that came into sharp focus for me during this simulation was the value of knowing your business. Many people, especially at larger companies, are hyper-focused on their area of expertise and lose sight of, or just aren’t familiar with, the big picture of the business. In our simulation, the participants only learned about our company and product lines at the beginning of the exercise, so we spent a lot of time agreeing on actions, only to have to backtrack because we hadn’t considered the impact on all of the product lines and different customer types. Your customer base—whether consumers, businesses, or government—and products impact the way you respond to an incident. You should familiarize yourself with all of these things in advance of an incident. It is also important to have a high-level understanding of your IT infrastructure. In a critical situation where time is of the essence, people are prone to clutch the life raft without inspecting it for holes, adopting a remedial measure that quickly solves one problem without realizing the unintended consequences that could harm your business. Knowing your business ahead of time will help you spot these issues and land more quickly on a solution that won’t cause additional harm.

While having a written plan is the first step to being ready for a cyber incident, these additional practical considerations are also important to cyber incident readiness. The War Game simulation was a fantastic exercise to validate our beliefs about cyber readiness and to see them play out live.

Sincerely,

 

The Insider (aka: Renee Meisel)

Work Smarter, Not Harder

Work smarter, not harder. Many of us aspire to this seeming utopia where machines do the most painfully boring parts of our job, while we do only what brings the most glory, accolades, and excitement. Working smarter is a personal passion of mine because, while I love my work, I also want to maximize time spent with the other love of my life: my family and traveling the world with them.

Working smart is the lifeblood of Legal Operations. For all the metrics, meetings, and measurement, Legal Operations professionals just want to ensure the value of resources allocated to a task is equal to the value of the task at hand. They drive us toward this smarter way of working with changes in people, process, and technology. As both a lawyer and an operations professional, I’d like to share some lessons I’ve learned over the years in trying to work smarter personally, as well as transforming the way others work.

1. Technology ≠ Complete Solution. Technology companies are fantastic at marketing, listening intently to your problems, then showing you shiny new tools that will fix your most critical problems. Before buying a new tool to solve a problem, ask yourself some questions. Do you know the number of people you will need to keep the tool running, enter data, and ensure the data is correct? How will you drive adoption? How will you adapt existing processes to the technology? Do you even have a process underlying the technology? If you have not asked yourself these questions, you may be buying a tool that goes directly onto a shelf to gather dust.

2. Documenting Your Work Processes = $ Savings. If you examine your day-to-day work, it can probably be broken down into steps or tasks. Once you have broken your work into these component parts, you will often find that parts of your job—and often the ones you hate the most—could be delegated to someone else. Imagine if, instead of hiring your clone to handle your expanding workload, you could hire a more junior attorney or paralegal and give them the right tasks. And, even better, what if you could memorialize your instructions to this junior resource in a playbook so you didn’t have to spend as much time managing them day to day? I have used this step-by-step analysis to help clients achieve a smarter work balance, always to their great delight.

3. Delegation = Career Growth. Delegation is difficult for most of us, but in these times of “do more with less” it’s the only way to reasonably accomplish everything you need to. In addition to saving time, it can help you grow your career. If you give the simplest tasks on your docket to the right resource, that frees time for you to do more challenging work, network in your company, read articles, and grow intellectually. And learning to be the supervisor and mentor instead of the do-er expands your leadership skills, making you more viable for management positions. Delegation is key to advancing to executive levels in your career. Legal Operations professionals often fight an uphill battle within corporate legal departments, meeting resistance from lawyers who are anxious about changing the way they work. At base, Legal Operations professionals are there to empower attorneys, to get us closer to that utopia of only performing the tasks within our skillset that bring us the most joy and accolades.

Sincerely,

 

The Insider (aka: Renee Meisel)