There are many factors to consider when staffing, or augmenting, a security incident response team within your organization. It should be obvious to most security practitioners that skill sets, education, and experience are necessary aspects of the success of the response team, but there are other requirements as well that often get overlooked. While I do not consider this post a comprehensive list, I hope that it serves to get people thinking in the right direction as they work to stand up a response team for their organization. Some of this information is just a regurgitation of NIST 800.61 rev2 with my thoughts added.
One factor that many organizations forget to investigate is employee satisfaction. Information Security is a demanding field and many organizations operate on a 24×7 operation layout, which brings even more stress and frustration into the equation. There are things that can be done to ensure a higher level of satisfaction, some of which are not as apparent. For instance, one chief complaint within security departments of large and small enterprises arises when the organization imposes governance and processes, but allows some departments to excuse themselves from those protective measures. I have experienced this issue myself and I found myself on a team which was excused from the policies the rest of the company was held accountable to.
Typically, the groups within an organization that are not as tightly bound to these processes are not the ones complaining, unless they are serious about their roles and the importance of their role within the organization. I raised concerns within my department’s leadership and worked to remove some of the “allowances” that had been made without good reason. This was not a popular action, but I knew that my job was a joke if I did not follow the same policies that I expected others to follow when they made sense. If policies do not make sense, then they should be reviewed and modified or removed.
Bear in mind that lack of employee satisfaction can also lead to disgruntled employees who seek to do harm to the organization or it’s assets. It can also lead to burn out and a constant revolving door of great talent. An organization can save a lot of money by ensuring employees are happy and feel needed, while also preventing frustrated employees from taking negative actions against the company.
Attitudes , Aptitude, and Motivation
I do not assign a particular order to these attributes, but I do consider them all paramount to building a solid team. It is worth going over each one in detail and how they could play out in your organization. Attitude matters in most things we apply ourselves to. No one wants to work with other people who have lousy attitudes, complain all the time, or constantly seem frustrated with their work or family life. When looking to staff your incident response team, look for people who have positive attitudes towards their chosen profession as well as a focus of working with others. One common point of failure within many organizations is hiring people who refuse to work with others well and share information. While there is a perception that silos protect an organization, the truth is any organization is partially blind unless it knows all the facts.
Aptitude != skill or education. What a person knows tells very little about how easily they will learn something new or pick up on new skills. When hiring team members, look for clues as to how they learn and what they do, on their own, to continue their education and broaden their skill sets. This doesn’t mean that all geeks with home labs are the best hires, but it also means you cannot simply overlook the folks who may not have the skills you are looking for today, but have the ability to quickly pick them up and the desire to learn on their own.
Lastly, we have to consider motivation. It really does not matter how smart your staff is or how many degrees and certifications they have beside their name if they are unwilling or unmotivated to work. This is not more important that the previous two attributes, but it is much more difficult to resolve. Attitudes can be changed, given the right culture and environment. While aptitude most likely will not change, the right training programs could help sustain the organization. Motivation is not as easily impacted. Some organizations use mechanisms such as bonuses or commission to provide some incentive to be productive, but that is not feasible for every organization. Be sure to hire right, or you will regret it. This is certainly more true in the security field than almost anywhere else.
When considering the idea of outsourcing to a contractor or managed service provider (MSP or MSSP), there are some factors to consider. First of all, an organization seeking the help of a contractor for staffing, augmenting, or replacing an incident response team needs to have great legal support. There will be many concerns that have to be addressed up from which may require some hefty legal language in the form of nondisclosure agreements (NDAs) or other forms of legal documents. Think of some of the areas where this could be required such as in the sensitive nature of employee information or activity that may be seen in security data or the knowledge of the security posture of your organization that could be accidentally or purposely shared which could damage the reputation of your organization.
The next factor to consider is the cost. This is a difficult area to measure and every MSSP is going to claim that they can offer services at or below your current costs. Watch for inflated comparisons or miscalculations in their presentations and make sure you are using current metrics for judging the expected cost for coming years. If you are not properly recording metrics and tracking activities now, you are probably not in a place to have those discussions until you do your due diligence to truly understand your costs today. It is not doing your organization a favor to cut costs that do not actually exist and it will not benefit you down the road if you have nothing to compare savings to if you go down the MSSP route and the board or company leadership asks for comparisons.
Lastly for this category, I would suggest that you also consider additional opportunities to decrease cost and increase efficient prior to engaging in an agreement with an MSSP. Out sourcing is a great way for some organizations to gain efficiency, coverage, and cost savings, but it is not the only way. Every organization should review their current technology if they have an existing incident response team. If you are building out a new response team, you should do your research to look for the best of breed software offerings which allow for features such as automation and orchestration which can save hours of time while managing incidents.
Is A SOC Necessary?
Every organization is unique and has unique challenges and focuses. Not every organization is at a state of maturity where it needs a SOC, or security operations center. I like to think of the SOC as the central brain , or hub, of all security related operations within an organization. If you have a SOC, the incident response team should fall under the umbrella of the SOC. The activities should be driven by overall policies set within the SOC and the incident response team should report up to the SOC and be able to provide a picture of its activities and the affect of those activities to the SOC.
It is not always a question of maturity. Some organization choose to structure in a way that begins with a SOC. Many companies might choose to put their focus on incident response. The difference in my opinion is two-fold. If you structure your organization with a SOC, I believe you are making two statements. First, you are saying that you believe responding to incidents is only one part of your organization’s overall security vision and that there are many other aspects, such as risk and governance or vulnerability management that also make up the strategy for protecting your organizations aspects. Secondly, it shows that you have a holistic approach to security within your organization and understand that a SOC provides the central hub for managing all of the related activities.
This is just a small selection of discussion points for incident response team staffing. There are so many factors to consider and many of the most important can be discovered in the NIST 800.61 rev 2 publication. I wanted to take some of those items and provide some of my own commentary and experience to enrich the discussion. I am sure many of my readers have deeper discussion points or other experience to add and I look forward to continuing the discussion in the comments below or on our forums.