What is a Cyber Security Playbook and How Can it Benefit Your Security Program?

by Michael Osakwe, February 22, 2022

You probably don’t need anyone to tell you that, today, infosec and cybersecurity are challenging and fast-paced endeavors. In the last five years alone, we’ve seen a myriad of industry-altering developments, from an ever-expanding universe of privacy compliance legislation and the permanent entrenchment of hybrid and remote work to growth in the size and scope of data breaches. The world of security has proven ever complex and ever-shifting.

In a sea of constant change, security practitioners require some form of shelter. While security frameworks and policies can serve this role during normal operation, practitioners are best served by having documentation and processes in place that help them respond to security incidents. This has become increasingly important as the world of remote work has changed the types of risks organizations face, requiring processes to be evaluated and perhaps an entire encyclopedia’s worth of edits to existing documentation.

If you haven’t already established (or revisited) crucial aspects of your security program in light of these changes, now is likely the time to begin putting into place your cyber security playbook. As a note, Nightfall developed a security playbook guide for organizations transitioning to remote work last year. This guide details the technologies and processes you’ll want to invest in post-COVID and has been updated for the current year. It can be read in its entirety online, or downloaded for free, with our post-COVID security checklist here.

What is a security playbook?

The idea of a playbook, which comes from the world of sports like football, refers to a list of strategies or “plays” that are executed by a team in response to conditions in the game. For a football player, studying the playbook means understanding the various types of circumstances one might find themselves in and being able to recognize them on the field in order to execute the correct play at the right time.

The analogy of football here is apt, because security is ultimately a team sport: everyone on the defensive team (your team) needs to know their role so that plays are well executed and the damage threat actors can do to your organization is mitigated. Businesses use playbooks too, and it often makes sense for specific business functions within an organization to develop their own playbooks so that they have strategies they can rely on to standardize processes and to properly respond to incidents and business disruptions.

Why do you need a security playbook?

In defining what a playbook is, we’ve already highlighted why a security playbook is an essential document for organizations to have, especially given the rapid changes in the world of information security we mentioned above. For IT teams, infosec teams, and cyber security teams, a security playbook allows for coordination before, during, and after security incidents and business disruptions. Although the creation of this playbook is spearheaded by security and technology teams, it has organization-wide ramifications, as it has roles for everyone to play. From interns to the CEO, security requires that everyone has their head in the game and is briefed on their role in keeping the organization secure.

How do you create a security playbook?

A security playbook is typically built upon or informed by existing documentation. These can include:

We go over a lot of the documentation that should inform your security playbook in our remote-first security playbook.

What goes into a security playbook?

The security playbook should be a distillation of the policies and processes that exist within your security documentation. There’s no specific format that this must take; you can even break different portions of your documentation into separate playbooks, for example creating an incident response playbook that consists of multiple “smaller” playbooks, like a ransomware response playbook, that are used in parallel with a disaster recovery playbook.

The most important thing, however, is that your playbook (or playbooks) be digestible and widely available within your organization so that people can access it when they need to. Additionally, setting aside time for key players within any playbook to review it, through training or tabletop exercises, is essential.

How does a playbook differ from a runbook?

Increasingly, the concept of running what is known as a “runbook” alongside playbooks has taken off. However, the addition of this terminology has resulted in some confusion, with many people using the terms interchangeably.

There are subtle differences between the purposes of playbooks and runbooks. The main difference is that playbooks leverage your existing policies and processes (as implemented within your organization) to detail what must happen to maintain normal operations. This is often in response to disruptions, but your playbooks can also detail the actions necessary to maintain normal operations under ordinary circumstances. The goal of a playbook is to ensure that every function within your organization is on the “same page” about its roles and responsibilities.

Runbooks, alternatively, provide a more tactical “how-to” view of how to execute a specific task, carried out by an IT or security practitioner. This could, for example, be how to conduct a log review or how to ensure data within a designated data store is appropriately encrypted. Runbooks might detail how a specific task within a playbook is carried out, or can exist independently of any playbook to provide IT and security with details on how to do their jobs.

As security automation tools have become more powerful, runbooks have become increasingly important. Through tools like a SOAR (Security Orchestration, Automation and Response), you can run tasks from multiple runbooks in parallel without expending an unreasonable amount of time from dozens of employees.


Ultimately, both playbooks and runbooks are critical parts of your security program. If you want to learn more about the processes that should make up your playbook, have a look at our Security Playbook for Remote-first Organizations.
