Incident response teams need technical skills from security experts who can analyze and contain cyber threats. They also demand strategic and communications skills from employees who aren't as tech-savvy but equally essential to getting the business back up and running.
"When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority," said Matt Barrett, CyberESI's chief operating officer, during a panel discussion at the Incident Response and Recovery: Reducing Uncertainty and Looking Beyond IT event hosted today by the National Cybersecurity Alliance (NCSA) and NASDAQ in New York City.
In the aftermath of a security incident, many departments that need to rebuild are unrelated to IT and consequently overlooked. Technical concerns about containing threats and preventing data leakage often trump the role of communications experts, legal teams, law enforcement, and HR – all of which should be involved with developing and practicing an incident response plan.
Communications, which can be a difficult hurdle not only between the business and its partners and customers, can also be difficult among the many experts sitting around the response table.
"Having a soft-skilled person at the table is critical," said Lisa Plaggemier, chief evangelist at InfoSec and member of the NCSA's board of directors. She calls these employees "a secret weapon" which many CISOs don't realize they have. Consider security training and awareness managers: they can translate technical concepts between security analysts and executives, letting engineers focus on their jobs instead of conveying executive updates to the board.
[See CrowdStrike's director of proactive services Justin Weissert demonstrate what incident response is really like during the Live Incident Response Simulation at Interop next month]
As for external communications, it's important to equip all of your employees – not just the PR and communications experts – with guidance for what they should say. "I think it's important not to overlook the role employees play in crisis communications," said Plaggemier, who said all employees across the organization should be informed on how to respond to inquiries.
"It's not just what you're going to say, but who you're going to say it to, and in what order of priority," she continued. For example, sales teams may be given different guidance than IT employees. Your workers will talk about the incident, and you want to prevent rumors. "I'm an advocate for arming employees with information as quickly as you can."
Practice Makes Progress
Panelists urged the audience to practice response plans, and practice often. "The number one thing is to have a playbook and rehearse the playbook," said Tim Vidas, senior distinguished engineer in Dell SecureWorks' Office of the CTO. In a real incident, "people may not be aware of what the plans and procedures are … emotions run high."
Beuchelt explained how at LogMeIn, the team simulates different incidents to test different response tactics. "It's important to build muscle around technical response capabilities," he noted. It's also important to mirror those technical response capabilities with a communications response plan that packs social media and public relations strategies, he said.
The company chose to include general counsel and senior HR leadership in rehearsal. "It was really an eye opener for them … the impact will be fundamental," he said. These days, LogMeIn is testing out a new "escape the room" practice game with executive leadership. Participants have to solve puzzles: who broke the rules and who was the insider who spilled the beans.
You'll want to choose scenarios carefully when practicing response plans, added Plaggemier. You don't want to cause panic, but you do want to put employees in a situation that could realistically happen. In situations that are too easy to run a tabletop, participants often walk away with a false sense of security. Further, she said, every response exercise should conclude with an honest post-mortem: be truthful about what went well and what should improve.
"No matter how many times you practice it, you're always going to learn something new," she said.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.