Security incident response teams are human, too

What goes into a good incident response plan, and what steps should security professionals take to ensure they are appropriately prepared for the almost inevitable attack, and secure buy-in from organisational leadership?

When it comes to security incident response strategies, it seems that many organisations tend to focus a great deal on the importance of cyber resilience, which is entirely valid, but they often forget to factor in the value of human resilience.

After all, a lot is expected from the people responsible for the containment, analysis, and remediation of an attack, as well as the subsequent recovery effort. At every stage in the process, they must keep cool heads while analysing complex situations, formulating appropriate responses, diplomatically managing stakeholder expectations, and sometimes dealing with pushback on their recommendations. And that’s without mentioning the long hours and limited resources with which they regularly contend.

But how much attention is paid to the actual experience of doing this work? Are the people involved adequately equipped and supported? Or are they simply relied on to make a superhuman effort, regardless of the impact of physical and mental fatigue on their ability to bounce back?

As a CISO, I see this as an important part of my role: ensuring that our incident response plans include adequate provisions for the humans working on their front line.

In the early days of an incident, when adrenaline is pumping and motivation to quickly shut down an attack is high, team members will generally go to extraordinary efforts to meet the goals set for them. It’s a period of high-octane intensity.

However, it’s no secret that security incidents, and recovery from them, can drag on for weeks and even months. A lengthy period of consistently high demands on a team's time and attention will drag down even the most competent and optimistic employees. Attention spans diminish. Team spirit dwindles. Performance degrades. It’s hardly a recipe for fostering growth through adversity.

A very real risk here is that when intensity and engagement suffer, so does the work of tying up loose ends. The original incident may be tackled, but there may not be enough fuel left in the tank to properly learn the lessons it has delivered and turn a successful response into effective prevention for the future.

More effective support

It’s impractical to suggest that cyber security teams should only be populated by individuals with exceptional levels of in-built resilience. For a start, that’s just not realistic against a backdrop of global skills shortages. But more importantly, it’s not fair or responsible employment practice. An organisation’s leaders must recognise their duty to support security incident teams in their work. A mid-2022 article in the Harvard Business Review makes this point very well:

“To truly build resilience in your organisation, you must recognise that two things can occur simultaneously: Individuals can build a reservoir of resources, such as optimism, vigour and established social support networks to draw on to help them be resilient, while organisations offer proactive resources and create changes that help to protect employees.”

In other words, individual employee resilience cannot replace organisational improvement and support. And in the case of security incidents, CISOs have a responsibility to create the culture and framework in which improvement and support happen. Here are a few points that I recommend considering:

  1. Adequate preparation. Table-top exercises are an established part of most security incident response programmes, but do they give employees an accurate view of the demands they will face? When staff have the opportunity to rehearse incident response exercises, the chances are that they will be more mentally prepared when a real attack strikes. These exercises are also an excellent opportunity for stressing the importance of taking breaks from this difficult work and considering how these might be achieved.
  2. Scheduling. When it comes to scheduling staff, the plan should go way beyond the short-term, high-intensity response and consider the weeks and months that it might take to resolve an incident. Where possible, consider rotating staff members in and out of the incident response team, to give them some much-needed downtime. Scheduled personal leave and personal/family commitments should be respected where possible.
  3. Support. What support do security incident response teams get from the organisation as a whole? This might include HR-led stress reduction programmes, the provision of paid leave in order to rest and recover from an incident, and formal channels through which employees can voice their concerns and suggestions about the working conditions they experience during these campaigns.

Above all, for me, it’s a question of acknowledging the humanity of the people involved in this work. They’re humans, not robots. And that means that negative emotions in response to negative situations, either during or following an incident, are natural and healthy. So CISOs must be extra resilient themselves, supporting healthy emotional expression among team members under pressure and not expecting them to remain upbeat during the hardest of times.

I also must remind myself that this applies directly to me as well. I can’t be there for the team if I am not taking care of myself.

The Computer Weekly Security Think Tank on Incident Response
