Vince Lombardi famously said, “Practice does not make perfect. Only perfect practice makes perfect.” That is, perfection may be unattainable by mortals, but without diligent practice you’ll probably stay lousy at what you’re trying to do. Or you’ll crack under pressure.
That’s the theory, of course, behind simulations — practice drills made as realistic as possible so that when people face real life situations, they’ll stand a better chance of doing the right thing. You pretty much never get near the controls of a real jet fighter without some serious time in a simulator. So realistic are the commercial-grade machines that pilots practicing difficult and scary maneuvers stumble out of them drenched in sweat.
Cybersecurity has also benefited from practice in simulated situations. Several companies sponsor cyber competitions for people as young as middle school. The armed services conduct red team-blue team drills and so forth.
Deloitte staged a simulation of another sort for the benefit of reporters this week. Under the direction of Ed Powers, a managing partner and leader of the company’s cyber risk services, it assembled a team of its own experts plus a couple of outsiders from industry and government. These included Greg Touhill, the Homeland Security’s deputy assistant secretary for the Office of Cybersecurity. Participants played various management roles in a simulated cyber attack on a large organization. In this case a fictional, publicly traded consumer products manufacturer had vital data posted to a public website my malicious hackers. The simulated roles consisted of chief “X” officers of these functions: marketing, risk, legal, finance, information, information security and operating. Powers played the CEO, Touhill the CIO.
The point made was that not only technical skill can improve with simulation. So can management of a crisis. For an hour, the CxOs sat around a table, discussing what to do next as various surprise inputs were presented to them. For example, suppliers and trading partners threatening to sue. Sales and stock prices plummeting because of major losses of personally identifiable information. A call to appear before a Senate committee.
Artificial as the event was, the players discussed the situation earnestly, bringing their real-world knowledge to questions such as how to assuage customers and suppliers, the legal and financial ramifications of the breach, how to identify the hackers, how to handle the relationships with various government agencies including Homeland Security, FBI, Federal Trade Commission and the Securities and Exchange Commission. Also how to deal with the press and publicity.
After the exercise was over, a mythical year had passed. The group then conducted what Deloitte calls a “hotwash” — a self debrief and critique. Participants agreed they should have taken a strategic, long-term view of the problem sooner rather than being overly tactical initially. They discovered that certain decisions made in the first days after the attack limited the company’s options later on.
Powers said afterwards that companies and government agencies should conduct these kinds of simulations regularly, perhaps quarterly, because they get better at it as they go. He said the best insurance against cyber attack damage is development of resilience. That means not merely surviving, but coming back stronger.
We know the demonstration was anything but academic, given the sequence of severe cyber attacks that have plastered both industry and government over the past two years.