Paul’s definition of a crisis response team (if we have to keep calling it that, to justify the budget) is:
An operational capability that allows an organization to quickly initiate, track and coordinate the capabilities of multiple groups and individuals, with the single focused goal of solving an immediate business impacting event, quickly and effectively.
Business Impacting Event? Sometimes we fail to leverage the abilities of an incident response capability because we view it as only useful during an IT security incident. It can be, and should be, leveraged beyond that myopic vision of the role.
[Sidebar: This “pigeon holing” of security is a common problem that I have encountered in my career as a security professional. Security teams can easily become isolated and out of touch because they act as superior to, or independent of, the rest of the organization. Misunderstanding, mistrust, “snobbishness” and a general lack of communication are typical symptoms that I have encountered when called upon to fix a security team that is, from everyone else’s perspective, dysfunctional. Security is not a standalone capability, especially in today’s world, and needs to be integrated into the rest of the organization.]
To create this change, we have to start at the individual level. To help create the capability, and to break down the barriers of stagnant traditional security models, I believe that a security professional needs to have a broader view of the world, encompassing not only viruses, vulnerabilities and hackers but also business impacting events and perspectives.
By adopting this approach, crisis response teams can provide valuable services across an organization. Crisis response teams should not only be involved in IT incidents; they can also help in situations dealing with the handling of sensitive business events or geo-political situations. A good incident response team has the maturity and capabilities to handle these delicate situations with the aplomb required to bring about an effective resolution.
So what does the crisis response team do? Responding successfully to these situations requires the coordination and cooperation of multiple teams and individuals. That is what drives how I define an incident, and that’s what a crisis team should be focused on as one of its primary objectives: driving forward to resolution with a fast, multi-team coordinated response.
It is the last part of the sentence that really resonates with me. I almost want to change the name from crisis response to coordinated group adverse business event response team (but GABERT is a bit too long as an acronym).
I have had great success in supporting small and large organizations in many crisis situations where the capabilities and preparedness of the crisis response team have been leveraged.
So change the perceptions. It helps if people don’t view the IR team as a set of strange-talking geeks who only like IT and hacking. I can tell you that the majority of the IT security industry is very gregarious, and we don’t hide out in hidden cubicles with no light, despite how Hollywood might like to portray us. Some of us even have sun tans.
So what do you think? Is this too ambitious, or outside the scope of IT security? Or could this approach add value to your organization and help expand the understanding and integration of the security team?
In the next article, we will talk about the principles, goals and requirements around the culture of a crisis response team.