
How to Prepare for CISA’s ‘Shields Up’ Advisory

Tracy Kraft


Corporate leaders have an important role to play in ensuring that their organization adopts a heightened security posture. We’re sharing CISA’s ‘Shields Up’ advisory for all senior leaders, including CEOs, and the specific ways Kraft Kennedy can assist in meeting each requirement.

How to Prepare for CISA’s ‘Shields Up’ Advisory:

1. Empower Chief Information Security Officers (CISO): In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company, and ensure that the entire organization understands that security investments are a top priority in the immediate term.

  • How to Accomplish: Engaging a p-CIO and p-CISO is an expedient way to meet this priority recommendation. Kraft Kennedy’s Partner CIO (p-CIO) and Partner CISO (p-CISO) provide this functionality.

2. Lower Reporting Thresholds: Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. In this heightened threat environment, these thresholds should be significantly lower than normal. Senior management should establish an expectation that any indications of malicious cyber activity, even if blocked by security controls, should be reported, as noted in the Shields-Up website, to CISA or the FBI. Lowering thresholds will ensure we are able to immediately identify an issue and help protect against further attack or victims.

  • How to Accomplish: Kraft Kennedy assists firms in the process of defining and documenting Security Management Processes at the organization level. Read more here.

3. Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members. If you have not already done so, senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, to not only your company but also companies within your supply chain.

  • How to Accomplish: Kraft Kennedy helps organizations with the creation of a custom Incident Response Plan, including identification and alignment with our preferred partners for each component of the baseline required by Cybersecurity Insurance Providers.
    • Incident Response Team
    • Public Relations Firm to manage Client and Media Communication
    • Legal Resources to handle negotiations with hackers
    • Incident Project Management
    • Forensic Teams

4. Focus on Continuity: Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and that continuity tests have been conducted to ensure that critical business functions can remain available subsequent to a cyber intrusion.

  • How to Accomplish: Kraft Kennedy’s Management Consulting team will create your custom business continuity response plan and an incident response plan. Update and test the plans on a bi-annual basis to ensure your readiness to respond to cyber incidents or other business disruptions. A well-prepared team can limit the damage caused by cyberattacks.
    • Learn more about policy creation and management services here.

5. Plan for the Worst: While the U.S. government does not have credible information regarding specific threats to the U.S. homeland, organizations should plan for a worst-case scenario. Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.

  • How to Accomplish: Execute your Business Continuity Plan. Your organization should know how to “pull the plug” to protect its assets. We can help.

Ready to get started?

Even with the specific steps outlined above, tackling the latest security requirements is a significant and constant effort. For organizations looking for a quick start, consider putting a protection plan in place as an immediate security measure. Contact the Kraft Kennedy team for assistance.