Breach, Incident Response

Cybersecurity Response: N-able’s CISO Dave MacKinnon’s Got a Plan

David MacKinnon, N-able CISO, at Right of Boom 2023

Is your managed security service provider (MSSP) organization ready for cybersecurity incident response and disaster recovery? Do you have a plan?

N-able Chief Information Security Officer David MacKinnon (also known as D-Mac) compares disaster recovery plans and tabletop exercises (the drills you do to practice your disaster recovery plan) to the fire drills that schools do. You make a plan and then you practice the execution of that plan.

The goal is not perfection in execution. The goal of the fire drill or table top exercise is to find gaps in the plan. Where do things go wrong? How can you fix those gaps so that you are ready for a real incident?

Rebellions are Built on Hope and BC/DR Plans

David MacKinnon, CISO, N-able

That was the topic MacKinnon presented at the recent Right of Boom MSSP cybersecurity conference in Grapevine, Texas. Cybersecurity is something that is top of mind at N-able, MacKinnon told me in an interview before his presentation. In February he briefed the N-able's board of directors on the cyberthreats facing managed service provider tool companies — a briefing triggered by a January’s CISA cybersecurity advisory that mentioned N-able rival ConnectWise by name.

The advisory was about cybercriminal actors that sent phishing emails that led to the download of legitimate RMM software which the actors then used in a refund scam to steal money from victim bank accounts. Cybercriminals are targeting MSP tool makers, MSPs and MSP customers. It pays to be ready because, as MacKinnon says: it’s about what you are going to do when something happens, not if.

“From a business perspective, security is never done,” MacKinnon told MSSP Alert. “We review top risks to the organization every quarter, and as we knock things off the risk register, we’ll be adding more things, too.”

MacKinnon told MSSPs attending the Right of Boom event: “Everybody has a security plan until they have an incident. Your mind races. You forget things. You don’t necessarily know what you are trying to do.”

Why You Need a Cybersecurity Crisis Response Plan

That’s why organizations need to create a crisis response plan. This isn’t recovery. It’s about how to respond to the crisis.

The following are some of the components you should have in your crisis response plan:

  • Provide definitions for the severity of the crisis. These should be measured in terms of the severity of impact to the business and the customers.
  • Define the incident lifecycle.
  • Identify roles and responsibilities, including appointing a leader of the response team. (“Unless you have a very defined chief, you’ll have lots of chiefs, and that’s a giant pain…” MacKinnon said).
  • Assign incident priorities.
  • Define when outside help is needed, and when you should call an attorney or your cyber insurance carrier.
  • Define where and how evidence is stored.

Cybersecurity Crisis Response Plan: Best Practices

Here are some other best practices for your crisis response plan:

  • Print out a hard copy. The plan won’t do you any good if it’s saved inside a computer that can’t be accessed.
  • Also prepare a single sheet summary of the plan. N-able’s full plan is 30-40 pages long. If you are in a panic, you’re not going to read the whole thing, and that’s when you’ll make a mistake. Summarize the important things that need to be done with bullet points on a single laminated sheet of paper.
  • Include the name and contact information of your crisis coach. This person is outside the organization, has been through several crises before, and can serve as the voice of reason when you are having an emotional response. They can be paid or a volunteer.

During a crisis response, members of the response team need to talk about the established facts, not their opinions of the facts, according to MacKinnon.

“You don’t want to draw conclusions without the information to support them,” he said.

Also, MacKinnon avoids using terms such as “incident” or “breach” initially, because those words have legal definitions. If those words are used, it may trigger how the event must be handled.

Having a plan in your head is no substitute for one on paper.

“When you are going a million miles an hour, you forget stuff,” MacKinnon said. Another important point: “People also have to sleep. I’ve worked a 36-hour day, and I’m not useful because I’m tired. There’s a people aspect. People need to eat and sleep. You can’t kill your people trying to recover your business.”

Tabletops: Practice Your Plan

Once you have the plan, you need to practice it. MacKinnon says if your tabletop goes perfectly, you’ve failed. The goal of a tabletop is to find the gaps.

Some people may get defensive during a tabletop, but the purpose of the exercise is not to call anyone out. The purpose is to:

  • Test the procedures
  • Find the gaps

At N-able, MacKinnon pulls everyone together twice a year for this fire drill.

“I don’t want the first time they go through this to be real,” MacKinnon told me in an interview.

What's Next

MacKinnon told me that he knows of some MSPs that run tabletop drills for their clients. N-able is planning to go through a tabletop drill with some of their MSP customers in Austin in April. It's a drill that they will be able to take back to customers.

Looking for more coverage of Right of Boom? Check out the Live Blog from the event here.

Jessica C. Davis

Jessica C. Davis is editorial director of CyberRisk Alliance’s channel brands, MSSP Alert, MSSP Alert Live, and ChannelE2E. She has spent a career as a journalist and editor covering the intersection of business and technology including chips, software, the cloud, AI, and cybersecurity. She previously served as editor in chief of Channel Insider and later of MSP Mentor where she was one of the original editors running the MSP 501.