Incident response is continuous
As companies get better at detecting cyber events and data breaches, most continue to struggle with the proper handling of these incidents. In my travels presenting to our banking community, I always ask the question, “How well is your organization prepared to respond to a security incident?”
After learning about a new cyberattack against an organization, I ask myself the same question, “Is my organization prepared in the event we see the same type of attack?” The chances are very high that the attackers will eventually target my organization or your organization. If you outsource your technology and security, how prepared is your managed service provider to address these incidents?
Cyber resilience is a term we hear about, but do we really understand the meaning? Being cyber resilient is the ability of an organization to prepare for, respond to and recover from cyberattacks when they happen.
According to RSI Security, an organization is cyber resilient if it can defend itself against these attacks, limit the effect of a security incident and guarantee the continuity of its operation during and after the attacks.
Practice, practice, practice
I’ve seen many incident response plans that dot all the i’s and cross the t’s. On paper, they are very detailed, but it would appear that the organization spent a lot of time and effort developing the plan and never tested it. This usually becomes apparent during an incident, in the chaotic way the organization responds.
Fresh off the Super Bowl, I love this analogy of football and incident response: All the teams have a playbook and they all spend countless hours rehearsing or practicing for the big game. You can almost tell, however, which teams go that one step further by practicing for each and every scenario.
This is how we attack the opponents if they line up in this defense, or this is our play if we’re in this situation. You could tell the Chiefs were well prepared. No one panicked.
Before a cyber incident
Have a plan: The key is to have a set of procedures in place if your organization suffers an attack. While the attack is occurring is not the time for planning. Nor should planning be an afterthought. The plan should be well documented, reviewed, tested, tweaked and perfected. If you have a good plan, then your chances of surviving an attack are far greater.
A great source of information for our community bankers is the Incident Response Playbook. The Financial Services Information Sharing and Analysis Center (FS-ISAC), Texas Bankers Association, American Bankers Association, ABA-State Association Alliance and its members and critical infrastructure partners have developed this all-hazards state and regional crisis incident response playbook. This Playbook is intended for use by those responsible for leading or participating in an organization’s incident or crisis management team, regardless of whether it is a cyber event, natural disaster, technological hazard or man-made event.
We’re currently making some small changes to the Playbook and updating the list of contacts you can reach out to if you have a cyber event. One of the first calls should be to your cyber insurance provider. Why? Because they handle these events almost on a daily basis and know exactly what to do. Many of them provide additional services that will gather the forensics team, recovery team, communications team, etc. They help take the chaos out of a very chaotic event.
For more information and access to the Playbook, please visit www.texasbankers.com.