A 'First Responder' Approach to Cybersecurity

Credentialing Program First Step Toward Creating Network of Cyberattack Responders
Lessons learned by first responders' efforts to deal with natural disasters can be applied to cyberattack responses, according to organizations that have teamed up to launch a cybersecurity first responder credentialing program. The organizers see the project as the first step toward creating a network of professionals that can help the U.S. government and enterprises respond to high-impact cyberattacks.

Credentialed cybersecurity first responders will use the Federal Emergency Management Agency's Incident Command System framework to communicate and coordinate responses to large-scale cyber incidents, organizers say. The FEMA framework is widely used globally by first responders for responses to hurricanes, floods, earthquakes and industrial accidents.

FEMA's framework, which will now be applied to cybersecurity, aims to help companies, organizations and municipalities identify, assess and address incidents; communicate with the right agencies and stakeholders; and resume day-to-day operations.

Those involved in launching the credentialing effort are the International Society of Automation's Global Cybersecurity Alliance; the Incident Command System for Industrial Control Systems, or ICS4ICS; the U.S. Cybersecurity and Infrastructure Security Agency; and incident response teams from more than 50 companies.

The program will help identify qualified first responders who can participate in a national response to a cyberattack, such as restoring the power grid, says Megan Samford, ISAGCA advisory board chairperson and ICS4ICS leader.

This announcement follows a string of recent cyber incidents - including the REvil ransomware attack on remote management software vendor Kaseya, the Colonial Pipeline attack and the SolarWinds supply chain attack.

'An Important Milestone'

Applying FEMA's framework to cybersecurity will help ensure first responders rely on common terminology and resources and can scale to handle incidents of all sizes - including nation-state offensives or attacks on complex supply chains, backers say.

"Credentialing cybersecurity first responders is an important milestone in this valuable public-private partnership" designed to identify qualified professionals to voluntarily assist with the response to cyber incidents beyond their own enterprises, says Samford, the vice president and chief product security officer of Schneider Electric's energy management business.

The credentialing program, managed by a formal committee within ICS4ICS, involves having a panel of subject matter experts review candidates' qualifications, including formal training and proven incident response experience.

CISA will build response plan templates, formal tabletop exercises and ransomware guides that first responders can use in a crisis, Samford says.

'Mobilizing the Troops'

Because 85% of the United States' critical infrastructure is maintained by the private sector, cybersecurity pros at enterprises must play a critical role in responses to cyber incidents, she says.

"This is about mobilizing the troops," says Samford, whose background includes emergency management for the commonwealth of Virginia. The goal, she adds, is to go far beyond today's incident response approach that "might include small groups of well-intentioned people that are [largely] unorganized."

First Four Credentialed

In addition to Samford, the inaugural round of credentialing recognized three other cybersecurity experts, who will help vet future applicants:

  • Mark Bristow, branch chief of cyber defense coordination at CISA: His 15-year career within U.S. government cybersecurity agencies includes responses to Ukraine cyberattacks and attempts by Russian government hackers to intrude into energy equities.
  • Neal Gay, senior manager of managed defense/industrial control systems at FireEye: A former U.S. government official, he leads FireEye's Managed Defense for OT SOC, delivering threat detection, asset modeling and rapid response.
  • Brian Wisniewski, U.S. Army Reserve: He has more than 25 years of experience leading teams in cybersecurity, operational technology, cyberthreat intelligence and policy development.

The program is open to those who work in the public and private sectors who want to take part in a "multilateral preparedness scheme for responding to cyber incidents," backers say.

By participating in the first responder initiative, security professionals can gain a better understanding of the "common language" around incident response, according to Samford.

Those interested in the credentialing program can contact the ISA Global Cybersecurity Alliance for more information.

About the Author

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as, and
