Managing Security Consultant, Enterprise Incident Management
Jeff Wichman is a managing security consultant in Optiv’s enterprise incident management practice. Jeff’s role is to provide leadership to the enterprise incident management security consultants, technical expertise in digital forensics and incident response programs and processes, and mentoring the Optiv enterprise incident management team.
Lessons on Proactive Incident Management From… the Packers?
Leaving it to chance isn't a best practice
Information security and professional football don’t appear to have much in common. Fantasy football and information security probably have more in common but still, it’s not a lot.
We are weeks into the NFL season and so far, my fantasy team is very average. I am not complaining because I took some risks this year. The biggest being I opted to deal with the auto-assigned picks of players to make up my team, missing the live draft. One of the greatest challenges this season is determining which players I need to replace and who to start each week. Right off the bat, I was set back, as three picks turned out to be suspended or injured. The other challenge is adjusting for week 8, when half of my team is on their bye week.
Long story short, my fantasy team is kind of a mess.
I started working on this blog while watching my beloved Green Bay Packers take a hard loss to Washington in week three. During the game, I started to think how everything regarding my fantasy team was left to chance. Soon enough, I began making comparisons between football and incident management, including the work that should go into preparation for an incident.
Incident Management Strategy – In many organizations, this is the most overlooked step. We tend to see less mature organizations completely skip this or simply neglect to document the long-term strategy for incident management. It is unfortunate that organizations skip this step, as it provides an opportunity to track and highlight progress over the years. This also allows the incident management structure to get in front of other business units. Some of the items to consider in the strategy are:
- How do other business units within an organization interface with the incident management team?
- What is the maturity level for the tools deployed?
- What types of KPIs are being tracked and how often is the data compiled?
- What are the incident management program drivers and business requirements?
You will not find any professional football team without a strategy. They typically have this planned out for three to five years and are continuously adjusting their strategy to meet the target for next season’s needed improvements.
Incident Management Plan – This is where most organizations begin Incident Response (IR) efforts, hopefully well before an incident. The typical first-level effort is to search online for an IR plan template and quickly modify it to suit their specific needs. In the beginning, this sounds like a quick and easy win. However, this often means hours and resources spent meeting with other departments, documenting, and potentially navigating internal political obstacles to customize the plan. A plan is going to be your key in responding to an incident. A hastily developed plan can have disastrous consequences. Some considerations for your plan:
- Who are your subject matter experts in the organization?
- Who is part of the call tree and how do you contact them?
- At what point do you engage a third-party organization, and who is authorized to make that decision?
- Where will it be stored, how often is it updated and who is the ultimate owner?
Incident Management Tabletop Exercise – This is exactly what it sounds like. The participants for a tabletop include your technical resources and often include executive leadership, legal, human resources and other business partners. You want the right mix of individuals to respond to the scenario your team is being tested on. For example, if the scenario includes an insider threat, you will definitely want human resources to be involved. It is recommended that teams conduct a tabletop at least twice per year to continue improving their response efforts. It is just as important to have at least one of those tabletops facilitated by an external party with experience in IR, which can help uncover unconscious blind spots.
In football terms, I believe preseason games most closely align with tabletops. The team is there to test its players, the playbooks it has developed, and to fine-tune its plan for the season. In football, we know when the season is going to kick off, whereas in incident management we never know when the incident is going to happen. But we know it will happen at some point.
My middling fantasy football team will adjust. I’ll take stock each week of the options I have with my players, craft a game plan based on my opponent, and execute my strategy using the tools at my disposal. But just like in security, preparation can only get one so far.
Chance is always a factor. But ask any winning organization what their secret to success is and they won’t tell you “we just got lucky.” Preparation, planning, execution, and knowing what your team can do matters as much in football as it does in security as it does in life.