Let’s be honest, for most of us it’s not a question of if we’ll face a cybersecurity attack, but when. Today’s data security regulations ensure that individuals at every level of an organization have a role in promoting cybersecurity, but when it comes to the hands-on detection, investigation, and response to a threat, it’s time to bring in the experts – your Incident Response Team.
Who Makes the Team?
In addition to the CISO or other company leader, who exercises executive authority over the development, implementation, and assessment of the ISP, every organization needs an Incident Response Team (IRT). This group is often referred to as a Blue Team, indicating that they act to protect an information system from threats. (In simulation exercises, the opposing team – the “attackers” – is known as the Red Team.)
The National Institute of Standards and Technology recommends that IRTs include the following roles: a Team Leader, an Incident Lead (where the scope of the incident or the size of the organization warrants one), one or more Technical Leads, and the Team Members.
While knowledge of your organization’s information systems and business processes is certainly important, the key strengths of your IRT Leader need to be strong communication and organizational skills and the ability to make appropriate decisions in a stressful situation. During an event, the Team Leader ensures that people with the appropriate skill sets and resources participate in investigation and response activities. They also document all actions taken, evaluate their effectiveness, and assess whether the IRT follows established procedures.
Additionally, the Team Leader coordinates with other groups within the organization to manage the crisis response. Keeping senior management informed about the event and the IRT’s progress is obviously the major part of this task, but the leader may also need to liaise with legal counsel, security personnel or law enforcement, operations management, public relations, and even human resources if employee misconduct is suspected in the event. If any part of the investigation or response is outsourced, the Team Leader also oversees and evaluates the work of those vendors.
Between events, the IRT Leader reviews and updates the team’s Incident Response Plan and procedures to reflect changing business needs and the current threat landscape. They also provide training for IRT members and conduct simulations to assess and enhance the team’s readiness.
Depending on the scope of an incident (and the size and resources of the organization) there may also be an Incident Lead. While the Team Leader is more “outward-facing,” the Incident Lead’s focus is on the team and the event. They handle the hands-on aspects of assigning team members to specific tasks, determining the response strategy, and documenting actions taken.
This difference in focus makes technical skills and knowledge more important for this role, but Incident Leads also need to be effective managers. Consequently, they need the same interpersonal and decision-making skills as the Team Leader. In fact, they may serve as the Leader’s backup.
If there isn’t an Incident Lead, the Technical Lead(s) take responsibility for supervising and documenting the team’s technical work. They need a thorough knowledge of both cybersecurity best practices and your organization’s information systems. While they need to be technically proficient, they also need to be effective leaders under trying circumstances.
Of course, the foundation of your IRT is the Team Members. They perform the various tasks required to determine the source and scope of the cybersecurity event and then take the appropriate recovery and mitigation measures. These individuals need an in-depth knowledge of one or more specific areas of technology, for example, system administration, network administration, programming, intrusion detection, malware analysis, forensics, etc.
Between events, Team Members – along with the Technical Leads – monitor the information systems for potential intrusions. They also play a key role in tracking emerging cybersecurity threats and sharing that information throughout the organization.
Obviously, the size of your organization and the number and severity of the threats you identified during your Risk Assessment will determine how many people you need for each of these roles.
Time, Training, and Tools
While the selection of team members obviously focuses on their technical expertise, keep in mind that your IRT must be available 24/7 to respond to incidents. At a minimum, this means being available by phone or text; but it often requires onsite presence.
Additionally, incidents are typically high-stress situations, with serious implications for the ongoing viability of the organization. Organizations that repeatedly use the same small team of individuals to handle incident response may find that team members suffer from burnout. This risk, along with the fact that individuals may sometimes be unavailable for real-time response, means it’s essential to build redundancies into your team, which may involve cross-training, even within an existing IT staff.
Maintaining an effective Incident Response Team also means providing the tools and training members need to work effectively. This is an ongoing effort because the threat landscape constantly changes to take advantage of new technologies and in response to existing mitigation measures.
What If I Don’t Have the Right People?
Certainly many insurance businesses – especially small and medium-sized ones – will not be able to afford to keep qualified technical personnel on staff. That’s why NIST also outlines three options for staffing your Incident Response Team:
- Fully in-house – In this scenario, the organization performs all of its incident response work, with limited technical and administrative support from contractors.
- Partially outsourced – Here, employees and outside vendors collaborate to detect and respond to incidents. There are many ways to divide specific responsibilities. For example, an organization may use an offsite Managed Security Services Provider (MSSP) that provides 24/7 monitoring of intrusion detection sensors, firewalls, and other security devices. Any suspicious activity is reported to the in-house IRT for further investigation and response. On the other hand, an in-house team may monitor the system for suspicious activity and complete initial notification and containment activities. After that, they utilize outside experts to handle the more complex aspects of incident response, notifications, and recovery.
- Fully outsourced – Finally, an organization may rely entirely on qualified vendors to detect and respond to suspicious activity and/or system breaches. An employee supervises the outsourcer’s work, however, so that individual needs appropriate decision-making authority to act in real time and sufficient expertise to be able to communicate effectively with technical personnel.
These options put a qualified Incident Response Team within reach of most, if not all, insurance businesses. The most important step is making the commitment as an organization to devote the resources necessary to recruit, train, and maintain the IRT.
Information technology, including cybersecurity, isn’t a money-maker for most insurance businesses, however, and that can lead to reluctance to invest resources into preparing for an event you hope will never happen. But keeping your information secure isn’t a luxury; it’s essential.