By: Shimon Brathwaite
March 4, 2022
What Makes A Cross-Functional Incident Response Team Effective?
A cross-functional (or multidisciplinary) team consists of people with different functional expertise who work together toward a common objective. This is an important aspect of having a balanced incident response team. As a hiring manager, you must budget wisely and hire people with the proper skill sets; otherwise, your ability to investigate and resolve security incidents will suffer. To do this effectively, you need a team that covers a wide range of knowledge. You will not need a dedicated person for each competency, and the person who fills a given role may not be a full-time member of your team. What matters is that someone within the organization can be called on to fill that role when needed. That person must be informed of the responsibility and must agree to take it on, so that your incident response team has no gaps. This article explains the skill sets you need to build an effective cross-functional incident response team.
Forensic Investigator
The first thing you need is forensic expertise. Computer forensics is the branch of forensics focused on finding and preserving digital evidence, and it is critical for investigations during a cybersecurity incident. Computer forensics allows your team to determine what actions were performed on a machine: when malware was downloaded, which machines it spread to, what files were accessed or deleted, and which user performed the actions. The basic questions of an investigation, who, what, when, and where, can all be answered with forensic evidence. Forensic investigators are among the most important members of an incident response team, because the whole investigation depends on their ability to assess the situation accurately. This is not an entry-level position; when hiring for it, look for applicants with substantial forensic experience and recognized industry certifications. If you ever need to present their findings in court, both their experience and their certifications help establish that the work was performed competently and credibly, and it is equally important that they follow sound evidence-handling practices (such as maintaining chain of custody) so that the evidence itself is admissible.
Incident Manager
Next, you want someone with incident management experience. These are people who have spent a few years handling tickets and resolving incidents, perhaps in SOC analyst or incident handler positions. They take ownership of an incident when it is reported and coordinate everything that needs to happen from start to finish. As a hiring manager, you should not plan on personally overseeing every security incident. You want competent people who can manage incidents on their own, which frees your time for managing the team and for the most serious incidents. The incident manager is the person who brings together everyone else on this list and organizes them to get an incident resolved effectively.
Data Privacy Specialist
Next on the list is someone who knows the data privacy laws that apply to your organization. Many of the security incidents you encounter in business involve data leaks, whether data exposed outside the company or data viewed by employees who are not authorized to see it. Depending on the situation and the jurisdiction, you may have an obligation to notify affected customers and/or the regulator that oversees that type of personally identifiable information (PII), often within a fixed deadline. Unless you as the manager are well versed in this, you should have someone with that knowledge who can advise you on when, and to whom, a notification must be made.
Legal Counsel
Legal counsel is not needed for most security incidents, but it is necessary for serious ones. One example is identifying when a situation is covered by cyber insurance and starting the claims process. Another is when a third-party vendor or platform is involved. Suppose you suffered a data breach through your relationship with a third-party vendor. In this situation, you would engage your company's legal team, which understands the vendor's contractual obligations to you. The legal team can contact the vendor and press them to fulfill their contract by assisting with the investigation and remediation to the best of their ability. Finally, whenever sensitive data is involved in an investigation, legal counsel can help you protect clients' confidentiality and privacy rights and avoid exposing the company to a potential lawsuit; in some jurisdictions, engaging counsel early can also place the investigation's communications under legal privilege.
HR Representative
HR involvement is essential for internal incidents, meaning those involving malicious insiders: employees who do harmful things on your network and create a security risk for the business. The most common example is a disgruntled employee, such as someone who was recently fired or denied a promotion. When dealing with these incidents, you need someone who understands what you can and cannot do when taking disciplinary action against an employee. You will also need HR when that person has to be removed from the company or from the physical building, and to coordinate the timing so that their accounts and access are revoked before they are confronted. Any time you are dealing with a malicious insider, involve HR as the liaison between yourself and the employee; you do not want to deal with that employee directly.
IT Staff (Patch Management)
This IT staff member has the authority and capability to push patches to company systems. A large share of security incidents result from unpatched software, so during recovery you will need patches deployed as part of the resolution. This person needs to understand the importance of getting those patches approved and applied quickly, of coordinating with the forensic investigator so that evidence is preserved before affected systems are patched or rebuilt, and of verifying that the patches actually reached every affected system.
Having a cross-functional team is essential to a good incident response capability. The six areas above are the ones every team must cover to be effective. Remember that you do not need to hire a full-time person for each of them: one person can fill multiple roles, and a role can be filled by someone from another team or even a third-party contractor. What matters for an effective incident response team is reliable access to the knowledge and skill sets.