Event Recording
Richard Bell - Developing a Strategy for Managing Incidents
For many years now, the management of incidents has been a challenging, dynamic and somewhat accidental in response. Today, whatever the threat we face, there is zero margin for errors if affected and excuses are certainly a thing of the past. Planning for the worst-case scenario is now commonplace, yet is it tested? and who is involved? Developing the right strategy for your organisation and its operations is key to continued success and minimising the impact of any incident. This presentation intends to encourage the consideration of different approaches, thinking, and conversations upon your return to your organisation.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
I'm gonna try and do something different. I'm not gonna talk about technology. So all those that want to continue talking about technology, now's your time to leave. I want to talk about developing a strategy that is inevitable. If you suffer an incident and that's one of the things that's always overlooked by security professionals, and that is managing the media or having some level of expectation as to what that media looks like.
So very briefly, a little bit about me. I was the CSO for transport for London. Transport for London is the public authority. That's responsible for all aspects of transport within London, including walking, cycling, cable, car, trains, buses, and all of that. And I've been on a similar journey to what Peter was just discussing around, trying to get the it and the OT space to work in collaboration, which is a lot harder than, than, than is portrayed. Cuz there's two completely different cultures, but we can talk about that in a little while as I'm on a panel a little bit later. So if you've got any questions, my background was police counter terror. So naturally becoming of the CSO and being responsible for cyber was my natural next step, cuz actually it all goes around cyber crime, organized crime, counter terror, all in the same space. So when considering an incident,
Each of our organizations have got a different message that they want to portray. They've got a different way of responding and each media within the globe, particularly in London as well, there's several different opinions around what that media environment looks like. Some are very anti, some are quite aggressive and some are quite liberal. So why is it important for our organization to understand and, and own the dynamics of that media, where we can see how well Donald Trump's doing now, if you are the most powerful person in the world, how do you control that? He can say whatever he likes and then the consequences of that. So put yourself in that position or put your managing director or chief executive in that position. And quite quickly shares can start to plum it.
A natural thing for us to have when we are in security is to have that the media generally become the antichrist. We don't like to engage with them because we fear that we are gonna be portrayed in a manner that is unfitting of the company and our and ourselves. So I'm gonna tell you, I'm gonna show you bad. It can be and how good it can be, but trying to develop that strategy to promote your organization, even when everything else is going wrong. When those millions of data sets have gone missing that breach is there. Everybody's got an opinion on it. The outcome is still the same. You have to engage with your clients, your contractors, more importantly, your customers and the media. And there are great examples and I'm not gonna pick on anybody, but there are great examples of how, what good looks like and what bad looks like. And we could say sort of talk, talk MBA more recently, you have a specific window of getting it right? And that time will make or break you within that incident. And again, without going into the specifics around that company, but talk talks widely known as the best example that we say, what bad looks like on Monday. It was one message by Friday, there'd already been five different messages. That's not space that you want to be in.
So now we go on the turn. Sorry. Can I just have a quick show of hands just to show that you're awake? How easy?
Alright,
Well I'll ask it this way. Who likes to say, sorry, there should be a lot more men's hands up in the air should be used to it by now. How easy is it? It's not very easy cuz you know, you're still right
When men
We're never wrong. And even my wife who I apologize to all the time knows really that I think I'm right, but I find it really difficult to say the word, sorry, and mean it. I'm gonna show you and this is acting, but it's not acting. This did not happen. Please do not tweet that TFL have had an incident and no one's told anybody about it. Please, please, please. I did this once before and I had to stop the message. Little bit of a disclaimer, shame everyone. Know what shame is comes just after sorry or just before. Probably not in a dictionary, just in the, in the emotion fortunately or unfortunately for me, my mother said to me at a very early age, you suffer from no shame. You have no shame,
Young men
And I've continued that mantra. So please don't feel bad for me in, in this next bit. I have no shame. I've made my peace with it, but it is a car crash waiting to happen. You just never know when the media are gonna turn up.
Richard, be bridges in BBC. London. Contactless has been down since 7:00 AM this morning, right? That's almost two hours where people haven't been able to use it. Yes,
We're investigating the matter we haven't got the cause of it at the moment. There's many different issues that can come of any failure. We've got tune onto it, a present and hopefully I'll have some proper comment for you in the next hour or so.
It's embarrassing. Walk
Away. Now, walk away, just walk
Away. There's cues of people at Oxford circus in Victoria and many people think it's a safety issue now.
Well there's, there's no indication that there's anything safety critical. I mean the service is still running. Obviously it will have an impact on allowing our customers to be able to use the tool for the revenue purposes, but I'm sure we'll be able to catch up with all those customers that were allowed to
Stop talking, just stop talking, contact
List cards.
They should be able to use. Most, most of the system will be allowed to let them have free access.
And now I really dunno what I'm talking about money then
With anything like this, there's, there's every likelihood that we'll lose an amount of revenue, but it's important
That we keep in my mind, I'm saying I want to die
Two
Hours of no contact list. So what kind of revenue are you talking about? I mean, this is obviously taxpayers revenue, isn't it?
Well it's taxpayers revenue in the sense that they obviously pay to
Now, I'm just making it up.
And any of that revenue that we get is Repens and back into reinvest,
Can't even speak revenue,
An aspect of loss. I don't think it'll be inconsiderable
Trying to look for an exit. Can't find one, but
We're, we're looking to investigate that and try and come back with a full comment on all aspects
Of walk away.
Being told that their banks, some people told by their banks that they have been charged when they've swiped their contact list cards. Even though they supposedly can't use them. So how quickly will they get their money back
At this stage? Just too early to say, I mean, obviously we're in contact with our bank partners. We've been in communication processor, our credit cards. There's no, there's no reason
To, well you just shut up, man. Customers
Will be out pocket for this type of
Instance. You don't know when contacts will be up and running and you don't know when people will get their money back. I'm
Hoping to come back to an hour, lot, need to go
Brief as to what happened within the incident. But currently as, as I last got off the phone, the system's still down.
So we are two minutes. Now we are
Allowing our customers
To just go we're about two minutes and there are best bits coming
Related to this. And we'll come back and, and give you a comment about
Hourly.
Who's responsible for making sure contact list works.
Don't say, don't say it. Most
People that were involved in it, clearly it's FLS responsibility to ensure that this happens. We have got partners that were involved. And again, we we're sitting around the table as we speak to ensure that everyone knows what's going on, but it's TSS responsibility. And one that we, we don't shake away from
Who's head of contactless.
No, no, I have to stop mainly because you'll Google the man and he's still in charge. I threw my boss right under those buses. And then that's a well respected channel four reporter, which is a, a fairly liberal station TV station in, in the UK. She's very good. And she then just started to, you know, destroy my career within the next minute and a half afterwards. But I just thought, I'd give you a flavor of what bad looks like. It doesn't get any better. Doesn't get any better. So, I mean, I've obviously shown myself, I've beared soul. I feel relatively naked up here. Gimme the feedback. One thing from this side that I could have done differently. Go on. Be brave. Go on. Don't worry. Just anything I could have stayed at home could have stayed at home, but just not today. Anything else have a preprepared response? Yes. Yep. What about this side? They're winning too new at the moment. Yes, sir. Have a
Brief response. Ah,
How long is brief? Perfect. Perfect. You know why? Cause that goes on for about four and a half minutes.
It's
A long time. And they were, they would just use 10 seconds of that. And that 10 seconds of that would be my boss's name. Me and her saying, so you don't know what's going on. You don't know where the customers are gonna go. You don't, you don't, you don't me sitting again. Yeah. Yeah. So it's really important that we do prepare some form of brief. However short that brief is, but more importantly, can I please beg all of our security professionals stay behind the other screen? Don't get in front of that screen. We are not the right people. You may look fantastic. You may sound gorgeous, but at some stage you will engage in conversation beyond their capability. And we will start saying too much. Just my opinion. I didn't actually say anything cuz I didn't know what I was talking about. You could always try that tack, but then that might be a bit, bit difficult. What was the one word that was missing from that we're investing the matter didn't say. Sorry. Did I didn't say sorry.
Yeah, yeah. I'm really sorry. Don't mean it I'm really sorry that you are having difficulties trying to get from one part of London to the next, just the normal day in London actually. But so even when you know that it's coming, so I didn't know that person was coming. In fact that was a training exercise. And I'll tell you what, what that training exercise looked like. But I wasn't expecting it. I was expecting to go train him and about 10 o'clock after the Crosson and the coffee and introductions and everyone having a group hug, then we might get into it. I come up in the lift and I walk straight into that. What you see is me looking for exits. It's an unusual place. I didn't know where to go. And then I wasn't gonna be rude and sort of go, thank you. Thank you. Thank you. And try and leave. And what's the one thing that I didn't do, which I thought I would do. Linda. There's no comment, no comments. Not gonna work. No comment. You really dunno. What's going on. You have no comment about what is going on. Can you speak to our press officer?
My name's Richard bell. I work for transport for London and I'm the head of cybersecurity, operations and investigations.
Thank you very much. Are we ready to go? Who is responsible for this fiasco and will they face serious consequences?
That's a good question. But firstly, I'd like to start by apologizing to our customers that have been affected by this. What looks like a data breach. We, we continue to work with everyone involved to ensure that we, we fix this problem. We've processed all of the repayments that we needed to to customers. If there are any customers that haven't been affected, that haven't as yet received that refund, they should reach out to us and we'll maximize that for them. And we continue to investigate to identify the true cause of this.
Good. Now that was probably about 45 seconds or more. So I want you to CU in half and be really focused about what you want to say. Okay? There's too many messages going on. You want one message. So what is the one thing you want to say? You apologize. And then what's the one thing you want to say.
We're continuing to
Investigate. We're investigating it. Yeah. Good. Okay. So you want about 20 seconds? About half that length. You wanna stop the movement? Say still, okay. Who is responsible for this? And will they face the consequences?
Yes they will. Once we identify who's responsible, but it's important to say that I, I want to apologize.
Continue to apologize for any customers that have been just can't say it.
I'm gonna stop you. Okay. I'm just gonna fix your now. I want you to start with the apology. Yes. And then yes. And then I want you to talk about the other stuff. Okay. So who's responsible for this fiasco and will they face the consequences?
Well, firstly, T Phillip, sorry, our customers were affected by this. I not mean now. Not I'm not sorry. Still my organization, something
And a member of your family, you had to apologize. Would you, would you use that intonation?
I don't mind saying I want to punch you in our head by this
First of all. We're sorry. Doesn't sound right. Yeah. First of all, we're sorry. Whereas we're so sorry about what happened. First of all, we'd like to really apologize. And the, the, the key is your intonation is going up. So first of all, we're sorry, instead of we're sorry, that's the difference. That's why it doesn't feel right? Cause it sounds like this. I'm just, this is the first thing I'm gonna say. And what's the next thing on my list. Yeah. Okay. So really mean the apology cuz you are sorry. Yeah. Okay. So first of all, so we're sorry about any customers who've been affected by this. And then the next thing is that you want to raise the fact that we are investigating and I've asked you about a member of staff. And are you gonna say they've been suspended,
Look to the press officer.
Yeah. Good. Yes. So breathing in whom is responsible for this and will they face the consequences?
Well, firstly, I'd just like to apologize to our customers. We continue to investigate the, the incident that happened. We still dunno much. It's true that we've suspended a member of staff pending further investigation and what that outcome looks like. But it's important for our customers to know that we're working extremely, you know, hard to, to get this fixed. My name's Richard. Right? So you've seen that bit. That's just an edit version back together. You see how difficult it is. I'm sorry. Sorry. That's what I use when I go home. I'm sorry. Sorry darling. Sorry. Last couple of minutes. Considerations when trying to apply a different approach. And again, Peter touched upon this around getting involved in collaborating with the, the rest of the organization, involve everybody with an interest in the incident. Not those people that would like to be involved. Those people that need to be involved exercise one way when you're doing the desktop exercises, sometimes we do it around the table.
Don't we literally desktop exercise. Sometimes we do it a bit more real life. Can I suggest filming it? If you film it, you put that pressure on you. Cuz that's the only difference that I had. There was pressure, regular liaison with your media and press officer ensure that you start reviewing what other people are doing well. And what they're doing out in the world, never volunteer to do media that's me. I know my job is not that side of the camera dress up to dress down cuz you never know when you're gonna get door stopped. And please try to practice saying sorry, if not to me then to yourself. Thank you very much.
So very briefly, a little bit about me. I was the CSO for transport for London. Transport for London is the public authority. That's responsible for all aspects of transport within London, including walking, cycling, cable, car, trains, buses, and all of that. And I've been on a similar journey to what Peter was just discussing around, trying to get the it and the OT space to work in collaboration, which is a lot harder than, than, than is portrayed. Cuz there's two completely different cultures, but we can talk about that in a little while as I'm on a panel a little bit later. So if you've got any questions, my background was police counter terror. So naturally becoming of the CSO and being responsible for cyber was my natural next step, cuz actually it all goes around cyber crime, organized crime, counter terror, all in the same space. So when considering an incident,
Each of our organizations have got a different message that they want to portray. They've got a different way of responding and each media within the globe, particularly in London as well, there's several different opinions around what that media environment looks like. Some are very anti, some are quite aggressive and some are quite liberal. So why is it important for our organization to understand and, and own the dynamics of that media, where we can see how well Donald Trump's doing now, if you are the most powerful person in the world, how do you control that? He can say whatever he likes and then the consequences of that. So put yourself in that position or put your managing director or chief executive in that position. And quite quickly shares can start to plum it.
A natural thing for us to have when we are in security is to have that the media generally become the antichrist. We don't like to engage with them because we fear that we are gonna be portrayed in a manner that is unfitting of the company and our and ourselves. So I'm gonna tell you, I'm gonna show you bad. It can be and how good it can be, but trying to develop that strategy to promote your organization, even when everything else is going wrong. When those millions of data sets have gone missing that breach is there. Everybody's got an opinion on it. The outcome is still the same. You have to engage with your clients, your contractors, more importantly, your customers and the media. And there are great examples and I'm not gonna pick on anybody, but there are great examples of how, what good looks like and what bad looks like. And we could say sort of talk, talk MBA more recently, you have a specific window of getting it right? And that time will make or break you within that incident. And again, without going into the specifics around that company, but talk talks widely known as the best example that we say, what bad looks like on Monday. It was one message by Friday, there'd already been five different messages. That's not space that you want to be in.
So now we go on the turn. Sorry. Can I just have a quick show of hands just to show that you're awake? How easy?
Alright,
Well I'll ask it this way. Who likes to say, sorry, there should be a lot more men's hands up in the air should be used to it by now. How easy is it? It's not very easy cuz you know, you're still right
When men
We're never wrong. And even my wife who I apologize to all the time knows really that I think I'm right, but I find it really difficult to say the word, sorry, and mean it. I'm gonna show you and this is acting, but it's not acting. This did not happen. Please do not tweet that TFL have had an incident and no one's told anybody about it. Please, please, please. I did this once before and I had to stop the message. Little bit of a disclaimer, shame everyone. Know what shame is comes just after sorry or just before. Probably not in a dictionary, just in the, in the emotion fortunately or unfortunately for me, my mother said to me at a very early age, you suffer from no shame. You have no shame,
Young men
And I've continued that mantra. So please don't feel bad for me in, in this next bit. I have no shame. I've made my peace with it, but it is a car crash waiting to happen. You just never know when the media are gonna turn up.
Richard, be bridges in BBC. London. Contactless has been down since 7:00 AM this morning, right? That's almost two hours where people haven't been able to use it. Yes,
We're investigating the matter we haven't got the cause of it at the moment. There's many different issues that can come of any failure. We've got tune onto it, a present and hopefully I'll have some proper comment for you in the next hour or so.
It's embarrassing. Walk
Away. Now, walk away, just walk
Away. There's cues of people at Oxford circus in Victoria and many people think it's a safety issue now.
Well there's, there's no indication that there's anything safety critical. I mean the service is still running. Obviously it will have an impact on allowing our customers to be able to use the tool for the revenue purposes, but I'm sure we'll be able to catch up with all those customers that were allowed to
Stop talking, just stop talking, contact
List cards.
They should be able to use. Most, most of the system will be allowed to let them have free access.
And now I really dunno what I'm talking about money then
With anything like this, there's, there's every likelihood that we'll lose an amount of revenue, but it's important
That we keep in my mind, I'm saying I want to die
Two
Hours of no contact list. So what kind of revenue are you talking about? I mean, this is obviously taxpayers revenue, isn't it?
Well it's taxpayers revenue in the sense that they obviously pay to
Now, I'm just making it up.
And any of that revenue that we get is Repens and back into reinvest,
Can't even speak revenue,
An aspect of loss. I don't think it'll be inconsiderable
Trying to look for an exit. Can't find one, but
We're, we're looking to investigate that and try and come back with a full comment on all aspects
Of walk away.
Being told that their banks, some people told by their banks that they have been charged when they've swiped their contact list cards. Even though they supposedly can't use them. So how quickly will they get their money back
At this stage? Just too early to say, I mean, obviously we're in contact with our bank partners. We've been in communication processor, our credit cards. There's no, there's no reason
To, well you just shut up, man. Customers
Will be out pocket for this type of
Instance. You don't know when contacts will be up and running and you don't know when people will get their money back. I'm
Hoping to come back to an hour, lot, need to go
Brief as to what happened within the incident. But currently as, as I last got off the phone, the system's still down.
So we are two minutes. Now we are
Allowing our customers
To just go we're about two minutes and there are best bits coming
Related to this. And we'll come back and, and give you a comment about
Hourly.
Who's responsible for making sure contact list works.
Don't say, don't say it. Most
People that were involved in it, clearly it's FLS responsibility to ensure that this happens. We have got partners that were involved. And again, we we're sitting around the table as we speak to ensure that everyone knows what's going on, but it's TSS responsibility. And one that we, we don't shake away from
Who's head of contactless.
No, no, I have to stop mainly because you'll Google the man and he's still in charge. I threw my boss right under those buses. And then that's a well respected channel four reporter, which is a, a fairly liberal station TV station in, in the UK. She's very good. And she then just started to, you know, destroy my career within the next minute and a half afterwards. But I just thought, I'd give you a flavor of what bad looks like. It doesn't get any better. Doesn't get any better. So, I mean, I've obviously shown myself, I've beared soul. I feel relatively naked up here. Gimme the feedback. One thing from this side that I could have done differently. Go on. Be brave. Go on. Don't worry. Just anything I could have stayed at home could have stayed at home, but just not today. Anything else have a preprepared response? Yes. Yep. What about this side? They're winning too new at the moment. Yes, sir. Have a
Brief response. Ah,
How long is brief? Perfect. Perfect. You know why? Cause that goes on for about four and a half minutes.
It's
A long time. And they were, they would just use 10 seconds of that. And that 10 seconds of that would be my boss's name. Me and her saying, so you don't know what's going on. You don't know where the customers are gonna go. You don't, you don't, you don't me sitting again. Yeah. Yeah. So it's really important that we do prepare some form of brief. However short that brief is, but more importantly, can I please beg all of our security professionals stay behind the other screen? Don't get in front of that screen. We are not the right people. You may look fantastic. You may sound gorgeous, but at some stage you will engage in conversation beyond their capability. And we will start saying too much. Just my opinion. I didn't actually say anything cuz I didn't know what I was talking about. You could always try that tack, but then that might be a bit, bit difficult. What was the one word that was missing from that we're investing the matter didn't say. Sorry. Did I didn't say sorry.
Yeah, yeah. I'm really sorry. Don't mean it I'm really sorry that you are having difficulties trying to get from one part of London to the next, just the normal day in London actually. But so even when you know that it's coming, so I didn't know that person was coming. In fact that was a training exercise. And I'll tell you what, what that training exercise looked like. But I wasn't expecting it. I was expecting to go train him and about 10 o'clock after the Crosson and the coffee and introductions and everyone having a group hug, then we might get into it. I come up in the lift and I walk straight into that. What you see is me looking for exits. It's an unusual place. I didn't know where to go. And then I wasn't gonna be rude and sort of go, thank you. Thank you. Thank you. And try and leave. And what's the one thing that I didn't do, which I thought I would do. Linda. There's no comment, no comments. Not gonna work. No comment. You really dunno. What's going on. You have no comment about what is going on. Can you speak to our press officer?
My name's Richard bell. I work for transport for London and I'm the head of cybersecurity, operations and investigations.
Thank you very much. Are we ready to go? Who is responsible for this fiasco and will they face serious consequences?
That's a good question. But firstly, I'd like to start by apologizing to our customers that have been affected by this. What looks like a data breach. We, we continue to work with everyone involved to ensure that we, we fix this problem. We've processed all of the repayments that we needed to to customers. If there are any customers that haven't been affected, that haven't as yet received that refund, they should reach out to us and we'll maximize that for them. And we continue to investigate to identify the true cause of this.
Good. Now that was probably about 45 seconds or more. So I want you to CU in half and be really focused about what you want to say. Okay? There's too many messages going on. You want one message. So what is the one thing you want to say? You apologize. And then what's the one thing you want to say.
We're continuing to
Investigate. We're investigating it. Yeah. Good. Okay. So you want about 20 seconds? About half that length. You wanna stop the movement? Say still, okay. Who is responsible for this? And will they face the consequences?
Yes they will. Once we identify who's responsible, but it's important to say that I, I want to apologize.
Continue to apologize for any customers that have been just can't say it.
I'm gonna stop you. Okay. I'm just gonna fix your now. I want you to start with the apology. Yes. And then yes. And then I want you to talk about the other stuff. Okay. So who's responsible for this fiasco and will they face the consequences?
Well, firstly, T Phillip, sorry, our customers were affected by this. I not mean now. Not I'm not sorry. Still my organization, something
And a member of your family, you had to apologize. Would you, would you use that intonation?
I don't mind saying I want to punch you in our head by this
First of all. We're sorry. Doesn't sound right. Yeah. First of all, we're sorry. Whereas we're so sorry about what happened. First of all, we'd like to really apologize. And the, the, the key is your intonation is going up. So first of all, we're sorry, instead of we're sorry, that's the difference. That's why it doesn't feel right? Cause it sounds like this. I'm just, this is the first thing I'm gonna say. And what's the next thing on my list. Yeah. Okay. So really mean the apology cuz you are sorry. Yeah. Okay. So first of all, so we're sorry about any customers who've been affected by this. And then the next thing is that you want to raise the fact that we are investigating and I've asked you about a member of staff. And are you gonna say they've been suspended,
Look to the press officer.
Yeah. Good. Yes. So breathing in whom is responsible for this and will they face the consequences?
Well, firstly, I'd just like to apologize to our customers. We continue to investigate the, the incident that happened. We still dunno much. It's true that we've suspended a member of staff pending further investigation and what that outcome looks like. But it's important for our customers to know that we're working extremely, you know, hard to, to get this fixed. My name's Richard. Right? So you've seen that bit. That's just an edit version back together. You see how difficult it is. I'm sorry. Sorry. That's what I use when I go home. I'm sorry. Sorry darling. Sorry. Last couple of minutes. Considerations when trying to apply a different approach. And again, Peter touched upon this around getting involved in collaborating with the, the rest of the organization, involve everybody with an interest in the incident. Not those people that would like to be involved. Those people that need to be involved exercise one way when you're doing the desktop exercises, sometimes we do it around the table.
Don't we literally desktop exercise. Sometimes we do it a bit more real life. Can I suggest filming it? If you film it, you put that pressure on you. Cuz that's the only difference that I had. There was pressure, regular liaison with your media and press officer ensure that you start reviewing what other people are doing well. And what they're doing out in the world, never volunteer to do media that's me. I know my job is not that side of the camera dress up to dress down cuz you never know when you're gonna get door stopped. And please try to practice saying sorry, if not to me then to yourself. Thank you very much.
Stay Connected
How can we help you