Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

IR teams are under tremendous pressure, often working long hours and putting their needs aside amid a security crisis. Their care is just as important as policy and procedure.

Joan Goodchild, Contributing Writer, Contributing Writer

November 8, 2019

5 Min Read

In crafting your organization's incident response (IR) plan, you thoroughly accounted for appropriate timelines, public relations, and a recovery strategy. But have you considered the food? Because the food is also important.

"We don't think about the care and feeding of the incident-handling team," says Cindi Carter, CSO at healthcare analytics provider MedeAnalytics. "Bring them some food. You need to make sure people are appreciated. Whether big or small, they are part of the effort, and these kinds of gestures go a long way."

Indeed, once a breach is discovered or a security incident has disrupted operations, the IR team has their work cut out for them – often working nearly around the clock to both identify the cause of the threat and to get things running again. According to a poll earlier this year from NTT Security, the majority (59%) of organizations admitted they were not confident their companies could resume"business as usual" after the first 24 hours. Asked about their No. 1 focus in the first 24 hours after a security incident, nearly two-thirds (64%) of respondents said mitigating the threat was the main priority, while 36% said it was about identifying the cause. 

In this high-stress environment where just about everyone is nervous and the need for information is relentless, keep in mind these several critical considerations when helping your IR team stay productive and avoid burnout.

Sequester Your Team to Minimize Disruptions
Andrew Morrison, cyberstrategy, defense, and response leader and principal in Deloitte's Risk & Financial Advisory, says one of the most challenging aspects to working IR is that the need for information outpaces the actual supply of what's coming in. Morrison's team is the one heading into a client engagement to work IR – what he calls "every client's worst nightmare." The focus is almost always squarely on how to get out of the situation as soon as possible.

"Every executive wants to know what happened and in a time frame when it is difficult to determine," Morrison says. "It is really a tug of war, and the investigator is at the heart of that. Innocently, the executives are asking for updates and status, and it distracts from the work."

To deal with these requests, Morrison recommends the team assign a point person and then agree on a daily time for updates so that requests don't come in all day.

Todd Borandi, a security industry veteran and previously CISO with the National Renewable Energy Laboratory, suggests the security manager give the team its own space so it can be separated from distractions.

"The last thing a high-functioning team needs is the shadow of their boss, or their boss' boss, looming over them," Borandi says. "Let them do what they have been trained to do and stay out of their way while they are trying to do it."

Foster a Culture of Care and Courtesy
When it is obvious the stakes are high, IR team members will almost always remain committed to the work and not want to walk away. But Carter says it is important to remember the team comprises people who have lives that have also been disrupted by this demanding work.

"Encourage them to be able to say, 'Hey, can someone pick up my kids from school?'" she says. "You have to think through those scenarios. These are people who have lives that don't always have alternatives. You may have single parents, for example. You need to think about the outside needs of your team."

Morrison says his teams tries to follow a work-by-the-sun model, bringing in off-shore teams who can pick up for a few hours while the on-the-ground team gets some rest.

"You need to guard against burn out," Morrison advises. "Trying to work 24 hours isn't productive either."

However, even when security leaders want to give IR a break, their level of commitment may make them hesitate to take it.

"Some people have FOMO [fear of missing out] and want to be part of solution," Carter says. "But they need to understand that through their work, they already are part of the solution, even if it didn't happen on shift."

Reward Them When the Dust Settles
Once the fire-drill-like environment is gone and the threat has been discovered and contained, you'll want to ensure IR team members understand their work is appreciated, even after it's over.

"When time is slow and the job is done, ensure you have the flexibility to offer these folks compensation for the marathons they will have to endure," Borandi says.

Constantly striving to consider both the professional and personal needs of those who are called on under the most difficult situations will be key to smoothing the way the next time the IR team may be needed, Carter adds.

"We're human beings," she says. "We have to make sure in times of crisis that we take care of each other."

Related Content:

 

(Image: Tijana via Adobe Stock)

 

About the Author(s)

Joan Goodchild, Contributing Writer

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights