BSides London 2021

Ready for (nearly) anything: preparing your organisation for a cyber incident

Track 1

I'm a security operations leader, with expertise across cyber incident response and remediation, threat intelligence, and threat detection. I currently lead the Cyber Defence team at the UK Government’s Cabinet Office, where I am responsible for defending a range of citizen-facing and internal services, and delivering threat intelligence, threat detection and incident response capabilities.

Before joining the Government I ran PwC’s Cyber Incident Management team. In this role I led the response to some of the UK's largest cyber security breaches and worked with major organisations to improve their security operations capabilities.

Every organisation has experienced, or will experience, a cyber security incident; depending on how you define the term, most have multiple every day. Increasingly punitive data protection regulation, coupled with increasing public awareness and scrutiny of organisations’ public responses means that it’s more important than ever to respond effectively. However, many security teams still struggle to do so.

In this talk, I’ll cover the five key things that cyber security teams should do to prepare for an incident, which will improve the efficiency and effectiveness of their response. In turn, these will minimise the security, operational and financial risk to the wider organisation. I’ll go into detail on:

(1) Processes that security teams should document and keep updated, to ensure everyone knows the key actions and decisions to be taken in the event of an incident.

(2) How security teams can ensure they have skilled and experienced people, who can lead, coordinate and deliver the response to an incident.

(3) Key logs that should be in place to inform the investigation into an incident, to maximise the likelihood that security teams understand what happened, when, and how.

(4) Security technology that teams should have in place to deliver containment and eradication actions, which mitigate risk from the incident.

(5) Management and coordination technology needed by security teams during incidents, to ensure they can communicate and collaborate, delegate and track response actions, and manage delivery.

This talk is designed for anyone working in, or with an interest in, security operations. Attendees will come away with a clear understanding of the steps they can take to directly and rapidly improve their own organisation’s readiness for a cyber security incident.