This case study explores why Brentwood Council chose to enter into a long-term partnership with Cyber Management Alliance to conduct cyber crisis tabletop exercises. It also sheds light on why and how the Council decided to commit to continuously building its cybersecurity capabilities with CM-Alliance.
The three primary drivers for hiring an external trusted advisor included:
Brentwood Borough Council aimed to fulfil its regulatory requirement of conducting cyber awareness-building workshops within the organisation by having an experienced external facilitator conduct its Cyber Crisis Tabletop Workshops.
Tim Huggins first met Amar Singh (CEO of Cyber Management Alliance, cybersecurity expert & the facilitator of the tabletop exercises) at an NCSC-approved training conducted for tech members of all local governments of Essex County. The workshop aimed to inculcate expertise and knowledge about cyber incident planning and response and also create shared knowledge across the county so local authorities could support each other.
Tim was exceptionally impressed with how Amar ran that workshop, melding technical expertise with a human touch. This was amongst the foremost reasons why he decided to engage Cyber Management Alliance to build cybersecurity awareness within his organisation, a government mandate.
“I attended an NCSC-approved training conducted by Amar and when I assessed what I learnt from that workshop, I realised that Amar would be very useful for creating the kind of awareness I wanted to build within my organisation.”
–Tim Huggins, ICT Manager, Brentwood Borough Council
Scenario-building is extremely important to a successful cyber tabletop exercise. It makes the crisis workshop more realistic and having a scenario based on the organisation’s specific systems and operating frameworks makes the session far more relevant with better learning outcomes.
Tim Huggins and Amar Singh worked together to create a scenario that would truly drive home the point that cybersecurity is the responsibility of each individual.
The scenario, thus created, focussed on the pandemic era and what each staff member would do if everyone in the IT team was down with COVID-19 and a cyber-attack did occur.
While sounding simple and straightforward, as the scenario highlighted events that could actually take place at Brentwood, the staff members started realizing that the attitude that 'cyber is mainly the IT team’s responsibility', needed alteration.
Tim further elaborated on how this worked out for his organisation: “We made the scenario very real for Brentwood. There was a lot of healthy debate and discussions that helped everyone understand that cyber is actually everybody’s responsibility. It started to change the mindset and raised awareness of middle to senior management. The extended leadership team definitely understood that cyber has to be treated like a joint focus area.”
“I got complete support for one comprehensive policy for cyber incident response & business continuity. This was a reflection on the massive change in culture in our organisation.”
- Tim Huggins
Inspired by the positive response received for the tabletop exercises and the cultural change they have brought about, Tim Huggins, has opted to maintain a long term relationship with Cyber Management Alliance.
Tim has onboarded CM-Alliance as a “trusted friend/critical advisor” to Brentwood Council. This relationship entails the following:
“Apart from the workshops, we have started to build a continuing relationship with CM-Alliance so that we have an equation almost like “Phone a Friend” or a trusted advisor. We are engaged in an ongoing discussion about cyber wherein Amar will provide us technical and targeted advice for my tech teams. It’s great to know that there is someone I can reach out to for any discussion and trust their opinion. We do have an outsourced SOC and we have a great relationship with them. But I think it’s really important to have an independent consultant so that you know you can have an open conversation about the organisation’s infrastructure and security posture at any point."
- Tim Huggins