The Respond or Recover Pillar: Like Practicing Bleeding?
There is an old military pilot's saying that sky diving is like practicing bleeding. The point is that bleeding is unpleasant, often unavoidable and something that you can probably just figure out as you go along, so why worry about it before then?
Except that you absolutely should not just figure it out as you go along. You absolutely should know basic first aid and have an idea of how to stop bleeding should it occur.
Alas, this same attitude often makes a hard job harder: implementing your NIST CSF Respond Plan or Recover Plan in the face of an outage. And yes, this is another example of how behavioral science greatly improves cybersecurity.
Human beings avoid negative stimuli and seek out positive stimuli. We all know this, but many of us pretend that this isn't true or worse, that it isn't true of us or our team. But it is true and if you don't actively make this work for you it will absolutely work against you.
What does this have to do with cybersecurity, you ask? Plenty. Let's take an example that is universal and uncontroversial: back up and restore.
Everyone pays lip service to back up and restore, even the lunatics who claim to know exactly what is worth backing up and what is not. Everyone is into backing up. Backing up is safe and feels good. Most back up and restore systems are optimized to make backing up the easy and fast part. Hurray for backing up!
And that is where many people want the story to end: we have back ups, and practicing restoring is like practicing bleeding. Restoring changes things. Restoring can go wrong. Restoring takes a long time. Restoring is something we all claim to be into but which we all tend to silently avoid.
Don't. Figuring out restoring as you go along is a time-honored way to make a bad situation much worse. Practice restoring. Why? You know why but we will list out the reasons so you can't look away.
- Confirms that your back ups are actually working
- Confirms that your back ups include all the data you think that they do
- Confirms that you know how to restore (I always struggle with the paths)
- Confirms that your environment (permissions, etc) will be restored
Yes, restoring to a production system just to confirm that you can is kind of nuts. We don't recommend that. We recommend going through the exercise of starting with "bare metal," a completely wiped machine. Maybe off-site. With only the back up media. How long does it take? Do you have all the requisite skills and experience? Do you have a good way to confirm that all is well? Of course you do! You have Respond Plans and Recover Plans and this is a great time to validate those as well.
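One way to turn the four checks above into a repeatable drill is a script that restores into an empty scratch directory (the "bare metal" target) from nothing but the backup archive and its manifest, times the restore, and then verifies that every file in the manifest is present, that its checksum matches, and that its permissions came back. The script below is an added example, not code from the original post; the sample data tree, the tarball-plus-manifest backup format and the `run_drill` helper are all constructed here for illustration, and it assumes GNU `tar`, `sha256sum` and `stat`.

```shell
#!/bin/sh
# Restore drill (constructed example): back up a small sample tree, restore it
# into an empty "bare metal" directory, and verify completeness, content and
# permissions against a manifest written at backup time.
set -eu

# Build a constructed sample data set; this stands in for real data.
make_sample_data() {
    src="$1"
    mkdir -p "$src/etc" "$src/home/alice"
    printf 'listen=443\n' > "$src/etc/app.conf"
    printf 'hello\n' > "$src/home/alice/notes.txt"
    chmod 600 "$src/etc/app.conf"
    chmod 644 "$src/home/alice/notes.txt"
}

# Take the backup: a tarball plus a manifest line per file of
# "<sha256> <octal mode> <path>". The manifest is what the restore is checked
# against, so it must be kept with the backup media (constructed format; paths
# with spaces are not handled).
take_backup() {
    src="$1"; archive="$2"; manifest="$3"
    tar -C "$src" -cf "$archive" .
    ( cd "$src" && find . -type f | sort | while read -r f; do
          printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                 "$(stat -c %a "$f")" "$f"
      done ) > "$manifest"
}

# Restore from the archive only, into an empty target; print elapsed seconds
# so the drill also answers "how long does it take?".
restore_backup() {
    archive="$1"; target="$2"
    start=$(date +%s)
    mkdir -p "$target"
    tar -C "$target" -xpf "$archive"     # -p: keep stored permission bits
    end=$(date +%s)
    echo $((end - start))
}

# Verify the restored tree against the manifest: every file present, checksum
# matches, mode matches. Returns 0 only if nothing is missing or changed.
verify_restore() {
    target="$1"; manifest="$2"; failures=0
    while read -r sum mode path; do
        if [ ! -f "$target/$path" ]; then
            echo "MISSING $path" >&2; failures=$((failures + 1)); continue
        fi
        if [ "$(sha256sum "$target/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHECKSUM MISMATCH $path" >&2; failures=$((failures + 1))
        fi
        if [ "$(stat -c %a "$target/$path")" != "$mode" ]; then
            echo "MODE MISMATCH $path" >&2; failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Full drill in a work directory: returns 0 if the restore verifies, 1 otherwise.
run_drill() {
    work="$1"
    make_sample_data "$work/src"
    take_backup "$work/src" "$work/backup.tar" "$work/manifest.txt"
    secs=$(restore_backup "$work/backup.tar" "$work/restore")
    echo "restore took ${secs}s" >&2
    verify_restore "$work/restore" "$work/manifest.txt"
}

run_drill "$(mktemp -d)"
```

In a real program the manifest is produced by the backup job and the restore step is whatever your Recover Plan actually says (different host, different media, different person), so the verification loop is the part worth keeping: it is what turns "we have back ups" into "we restored and checked them on this date, in this many minutes".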
Here is another place where the behavioral science comes in: you need to get over your vague dread. You need to make this kind of validation a normal part of operations, a regular part of your program. If you don't have the resources to do this kind of thing then perhaps you need to consider whether or not you have the resources to actually follow your Respond Plans or your Recover Plans.
(Yes, confirming that your back ups work is part of cybersecurity. No, you can't just hope that the sys admins have this under control.)
Floss your teeth. Drink enough water. Get enough sleep. Get enough exercise. Eat your veggies. All boring, annoying advice that too few of us follow in our personal lives. Now you can add "practice restoring your back ups" to the list of advice in your professional life that you will either follow or, sooner or later, wish that you had. Doing things you don't want to do is hard. We can help. Ask us how.