In the dynamic, high-pressure events around cyber incident response, there are five soft skills that can make or break the outcome: Communication, Collaboration, Creativity, Confidence, and Critical Thinking. Here are practical and actionable tips teams can implement to combat some of the not-so-great habits we’ve seen over the course of thousands of live cyber attack simulation exercises that cyber defense teams have performed using our cyber range platform.
Effective communication stands as the cornerstone of any team operation. When a security event occurs, members of the IR team must communicate quickly, clearly, and effectively to understand the nature of the attack, its scope, and the potential countermeasures.
- If you see something, say something: Often an analyst will discover an important piece of information that would greatly benefit the investigation, but they don’t understand the importance of the artifact and therefore do not relay the information to the team. That artifact often ends up being a vital portion of the incident, one that would have let the team investigate, mitigate, and remediate that threat substantially faster.
- Overcommunicate, overcommunicate, overcommunicate: Make overcommunication core to the culture so everyone on the team knows what’s happening across the investigation. This has to come from the top down, with the team lead setting the example.
Cybersecurity incidents require expertise from individuals with diverse skill sets to effectively address their multifaceted challenges.
- Cyber isn’t a solo sport: Many security pros feel they work best within an isolated environment. They stay heads down on their assignment and only surface to relay information once their investigation finishes. That information is always more valuable when shared through more frequent updates. Artifacts found by another team member could have connected dots that change the course of the investigation.
- Double-check everyone’s work: Teams will often have a member or two who are incredibly gifted in cybersecurity. They can identify every aspect of an attack by themselves, before the rest of the team even understands the initial attack vector. While these high performers are very valuable and can contribute a lot, even their work needs to be analyzed to ensure accuracy and confirm a complete understanding of the situation. Even the best analyst can miss artifacts, and with no checks or balances on their investigation by other team members, those missed artifacts are potentially catastrophic.
Hackers are continually coming up with novel ways to infiltrate systems, and cybersecurity professionals must keep pace. It takes creativity to imagine possible threat scenarios and develop preventive measures accordingly.
- Share all creations: Sometimes the most creative work cyber pros do results from a side project for themselves or working on something unrelated to their day job. If somebody on the team develops a script that can identify a form of persistence, or has a complex query within a SIEM to identify specific information, they need to share it with the rest of the team.
- Celebrate creative risks: There’s often a hesitancy to share homegrown tools, especially among more junior team members, for fear of it not being cool or good enough. But these often end up being the creative solution no one knew they needed. The ability to think outside the box, imagine the unimaginable, and anticipate unconventional attack vectors is where some IR team members truly shine.
The ability of team members to trust their own skills and judgment as well as that of their teammates can significantly impact the decision-making process during a security breach.
- Build trust through honesty: If an analyst has difficulty with their task or can’t complete it in a timely manner, they need to let their team or team leader know. This builds trust within the team by reinforcing the notion that if someone struggles, they will let the team know.
- Someone who asks for help will get help: It’s important to build a culture where people are encouraged to seek advice and support, and rewarded for doing so. Then, teams will feel more confident knowing that if their teammates are not asking for help, they are completing their tasks to the best of their abilities.
In a field where not all problems come with a pre-existing playbook, the ability to analyze situations, question assumptions, and make sound judgments under pressure has become critical.
- Practice problem solving: Training under real-world conditions in a cyber range or running tabletop exercises that simulate incidents lets team members practice their decision-making skills in a controlled environment and gain valuable experience that they can apply to a real-life situation.
- Challenge the status quo: Periodically review and challenge existing incident response processes and playbooks. This ensures that the team doesn't become complacent and always looks for better ways to handle incidents.
Recognizing and cultivating these soft skills and making them part of the organization’s culture can aid in the overall success of incident response teams. By offering ample training opportunities and continuous learning experiences, top management can help cybersecurity professionals elevate their game so they can navigate the complexities of the world of incident response with greater success.
Debbie Gordon, chief executive officer, Cloud Range