With ever-increasing security threats, both internal and external, the best prevention program doesn't just involve tech leaders and their staffs; it involves everyone from corporate communications to network administrators. While CIOs and CSOs typically lead the security team, security should be a concern, and a responsibility, for each company employee.
Security incident response programs can prevent business disruption and expensive downtime, avoid IT overtime costs, and even prevent possible legal damages. Gartner security analyst Rich Mogull estimates that, through 2005, 20 percent of enterprises will experience an Internet security incident that will be more serious than any virus attack to date. “Of those that do,” said Mogull, “the cleanup costs will exceed the prevention costs by 50 percent.”
Many organizations that want to put a security team in place have a difficult time discerning exactly how to build one. The first step is creating the team roster: who should be involved and what their respective roles are. The next step is determining the right model around which to structure your team.
Choosing team members
A CIO or CSO will usually take the helm of the security team, but it can also include other high-level executives, such as the VP of marketing and communications, who often plays a critical role in customer and public relations when a security issue occurs. Web site administrators and developers working with mission-critical applications are important team members as well.
Teams should also have a legal counsel member who, at a bare minimum, can review company security policies and any updates to the policies as they occur. Also, because internal breaches often result in employee termination, it’s wise to involve HR. A representative from the physical security side—a building security person—should also be informed and consulted about incident response procedures and programs in place.
Mogull envisions a team structure in which a CSO and CIO report directly to the CEO. The security leader would head the response team, with the CIO supervising day-to-day IT functions, explained Mogull. The IT department, which is a de facto unit of any security response program, would also have a “dotted-line” responsibility to the security leader. Another option is for the security leader to report to a risk-management officer, if the role exists.
Because the nature of incident response requires all members to respond immediately, it's advisable to have backup team members in place. These backup members can fill in if an original team member is not on site, or if an original team member's daily duties need to be handled while he or she is involved in solving a security issue.
When constructing the response team, security leaders must enlist members who can use problem-solving skills under pressure, follow through on details, and communicate effectively.
The Handbook for Computer Security Incident Response Teams, available online from the CERT Coordination Center, states that “it is a more desirable approach to hire individuals with less technical experience and good communication skills, and then train them in security response team-specific technical skills, than vice versa.”
Structuring around a team model
Security teams can follow any one of numerous models—from SWAT-like approaches to prevention approaches—that can help to give the team structure and direction.
Noting that community watches have reduced crime rates by as much as 75 percent in some areas, Mogull believes that enterprises can realize enhanced security protection by just educating employees to recognize and report suspicious activity. The best-practice approach includes educating employees on existing corporate security policies, how to report potential problems, and user security dos and don'ts—such as file download guidelines.
TechRepublic member Ed Dugan calls his security response model "P.I.I.E.R."—his own acronym for problem identification, isolation, escalation, and resolution. It works for any type of IT incident—from a malfunctioning printer to an earthquake event. The CTO is currently implementing the program at Montgomery Asset Management, LLC, in San Francisco. Because the process can be used for minor events, the staff becomes familiar with it even without formal drills, he said. “You ingrain in folks that the process works no matter what.”
Under Dugan's response plan, identifying and isolating the problem occur in one step. “When you have an 8.1 earthquake or 7.2, you know it,” he pointed out. The escalation step occurs when a problem can’t be solved quickly and other people have to be notified. That can be as simple as telling someone that their report won’t be generated on time, or as serious as telling the CEO about a threat of business interruption.
IT leaders can also structure their security response programs around current models used by some specific industries, such as the federal government and even fire departments.
For example, leaders may choose to develop a SWAT-style network team, trained to handle specific response tasks. The team may spring into action to shut down a network, install a patch, or mirror the hard drive of an employee suspected of giving confidential information to competitors. In CERT's Handbook for Computer Security Incident Response Teams, these teams are called incident response teams.
The fire department model is based on the idea that firefighters see teaching fire prevention as a critical part of the department's mission. An IT department forming a security response team would focus primarily on educating employees about preventing security problems. "Obviously, not everyone needs to be trained to put out a fire, but they do need to know how to hit the fire alarm, call 911, and safely evacuate the building," said Mogull.