Security chats with James Turgal, former executive assistant director for the FBI Information and Technology Branch (CIO) and current Optiv VP of Cyber Risk, Strategy and Transformation, about risk management, business continuity and the importance of succession planning in 2022.
Security: What is your background? What is your current role, including responsibilities?
Turgal: I joined Optiv as a vice president in January 2021, specializing in cyber risk, threats, strategy, incident response and board relations. I provide subject matter expertise and advice/recommendations/education to C-suite executives, audit committees and boards of directors on cyber threat actors, cyber intelligence, resilience, and response to the crisis management challenges facing companies. This includes significant C-suite and board-level executive experience in advising/translating complex cyber/information technology concepts and building strategies to address cyberattack-influenced business risk, cyber crisis management resilience, and response and other strategy efforts for the public and private sector.
Prior to joining Optiv, I spent more than three years in the cyber risk practice at Deloitte. Before Deloitte, I served a distinguished 22-year career with the Federal Bureau of Investigation (FBI). During my FBI career, I served as a special agent investigator, attorney and pilot in numerous FBI field offices. While assigned to the FBI director’s personal staff, I was involved with the daily operations of the FBI and the protective operations of the executive protection details for the attorney general of the United States and the FBI director. My cyber experience began in 2003, working cyber investigations, which included designing a cybercrime task force and computer forensic laboratory in the Cincinnati field office. I also served in executive roles as the special agent in charge of the Phoenix, Arizona, office during crises, such as the shooting of Gabby Giffords. I also held additional senior executive/senior staff roles as the assistant director – chief human capital officer, and culminated my career as the executive assistant director of global information technology and the FBI’s chief information officer.
Security: Looking ahead, what are some of the biggest trends that will impact risk management in 2022?
Turgal: The areas where I anticipate the most impact to risk management will be a blurring of the traditional lines between external threats and internal/insider risk. The biggest threat to risk management executives will be trying to define the who, what and where the risks emanate from. I see an increase in the convergence of cyber and physical threats and the risks to corporations spreading out over a larger footprint than traditional risk managers have had to view in the pre-COVID risk landscape.
Risk executives will see external and internal threats and threat actors colliding into a hybrid threat model. External threat actors will pay insider finder's fees or malware launch fees to onboard employees of potential cyber victims. Also at play is an expansion of ransomware, not just from encrypting, deleting or leaking data, but as corporations’ IT and physical security become more aligned and hosted on the same infrastructure. As a result, threat actors will be able to not just impact and lock out data but lock out employees and impact access in ways not seen before.
Security: How should organizations prepare and update their business continuity strategies to ensure comprehensive planning for the organization as a whole to mitigate risk?
Turgal: Historically, if a corporation or large complex organization had a business continuity plan, those plans were centered around individual business lines or product lines and what steps an organization should take to restart that portion of the business. The days of dusting off old business continuity plans when a crisis happens are gone. Our world is comprehensively more complex than when those business continuity plans were drafted, and I would virtually bet money that those business continuity plans reflect an emphasis on supply chain or weather-related issues, not cyber-related threats.
Companies MUST update and realign their business continuity plans to reflect the complexity of threats that exist and the connectedness of risks to the company, as today’s complex world layers on threats that are supply-chain related, pandemic influenced, cyber induced and employee prompted. The way to honestly mitigate risk is to PRACTICE implementation of those plans before the next crisis. You have to understand what you don’t know about how the continuity PLAN is actually put into practice, and not during a crisis.
Security: A key aspect of business continuity that is not often considered is succession planning. Why is succession planning a must for every organization to ensure continuity of operations as well as overall resilience?
Turgal: As the former FBI chief human capital officer, I am always shocked when I look out at private sector organizations and see a decent amount of work and thought being put into business continuity and crisis response plans. While a lot of focus is put on the nuts and bolts of the business system, applications, machine or some other critical part to how a business is supported and what happens if the SYSTEM fails, almost no thought and planning is placed into the question of WHO will actually operate the business continuity plan.
One of the biggest mistakes I see companies make during a cyber crisis response is the lack of understanding of the personnel needs during a crisis and the personal needs of those personnel during a crisis, and, most importantly, the physical, mental and emotional impact that affects the people who are relied upon to carry out the response plans and actually do the work to mitigate the crisis.
If a company has a cyber response plan, the plan is often not based on the PROCESS used during a recovery. Succession planning or the concept of personnel continuity of operations is critical to success. It is so overlooked by companies that most of them fail during a crisis response not because of a bad plan, but because they didn’t have enough people or the right people to carry out the plan.
Security: How can organizations build a succession plan?
Turgal: Rarely do you see the private sector looking to a government or civil service organization for guidance on corporate governance issues. However, the private sector can learn a number of lessons from government organizations, specifically the FBI and other national security level organizations, when it comes to succession planning. An actionable succession plan needs to contain sections such as outlining critical positions for business continuity and listing critical skills necessary for each position that will be supported during the crisis response. For each critical position, there needs to be a dedicated workforce action plan, with knowledge transfer files that should accompany each position, so there is a reference resource to create a baseline of knowledge.
Additional guidance for building a succession plan includes these basic sections:
(1) Outlining the plan of who succeeds in what position in the event of a temporary, planned or unplanned absence, both short-term and long-term;
(2) If the available staff is new to the position or inexperienced, then the plan should outline splitting executive duties among designated appointees;
(3) Cross-training programs to develop broad-based skills;
(4) A fully outlined and vetted authority and decision matrix of what level position makes day-to-day decisions and at what level within the organization; and
(5) A communications plan that includes examples of communications for employees, C-suite executives and board-level personnel.