The Evolution of Incident ResponseAs the Perimeter Expands, New Focus and Skills Required
A rapidly evolving threat landscape calls for the next generation of information security professionals to have strong technical and communications skills. Security leaders highlight their top requirements.
Matthew Speare of M&T Bank says the recent distributed-denial-of-service attacks against financial institutions reflect the need for individuals with highly technical skills sets, but who can also take a business management approach to handling incidents.
"You want those that not only have a high technical skill set, but can be methodical, be able to analyze a problem and then make informed decisions," Speare, senior vice president of information technology at M&T Bank, says in an interview with Information Security Media Group [transcript below].
Elayne Starkey, CSO for the state of Delaware, says enhanced communication is critical. "The ability to take what's going on and to understand the technical jargon in a way that you can then turn around and describe in English ... is a real art," she explains.
And in order to achieve those next-level skills, information security leaders need to be constantly engaging and learning. Christopher Paidhrin of PeaceHealth Southwest Medical Center recommends networking. "We need to go to the mentors, to the knowledge stores, to those organizations that have done [this] a hundred or a thousand times before us," the IT security compliance officer says. "There's no reason ... to reinvent wheels."
Having a broad range of experience in different areas doesn't hurt either, Starkey says. "Don't narrow yourself just to telecom, or to [programming]," she explains. "Broaden yourself with different kinds of jobs and different types of responsibilities."
In this fourth and final installment of this interview series, the three security leaders discuss:
- Incident response gaps;
- Skills they need to add to their groups;
- Advice for the next generation of security leaders.
About the Participants:
Christopher Paidhrin is IT security compliance officer at PeaceHealth Southwest Medical Center, where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.
Matthew Speare is senior vice president, information technology at M&T Bank. He is responsible for developing and sustaining an information risk program that protects the personal information of millions of customers of M & T Bank, the nation's 17th largest bank holding company, based in Buffalo, New York.
Elayne Starkey is CSO for the State of Delaware - a role she's held for seven years. She is responsible for the enterprisewide protection of information assets from high-consequence events, including cyber and physical terrorism and natural disasters.
TOM FIELD: Whether it be from cybercriminals, hacktivists or insiders, we all have seen higher profile incidents that we've had to respond to. I'd like to hear how this changes your organizations. Christopher, I want to ask this first question of you. How has the changing threat landscape impacted your organization's approach to incident response?
CHRISTOPHER PAIDHRIN: From a governance, risk and compliance perspective, I don't think it's changed how we've approached because we have a fairly mature security program, a secure model and a robust and mature incident response plan, but we have had to rapidly address the additional elements that have fallen outside of our old model, our old risk and security posture. The deeper maturization I mentioned, the consumerization of IT, the push from the various stakeholders and the drivers to open up what used to be a well-defined space now is much broader, much more vulnerable, [with] many more threat agents out there.
Our focus has been on do what we do best. We take our unified compliance/risk framework and we leverage it to say, "Here's the new mobile landscape. Let's make sure we have all the controls in place to address it." Where we don't have controls, we say that is outside of our scope of service. We can't deliver that yet. We'll work on it, prioritize it and get to it. We have a robust SEIM solution, security event and incident management solution, that gives us an eye in the sky to all devices, all traffic in our environments. Without that, we'd be operating blind. We would be reactively doing risk analysis or assessments.
We have a very strong and established protocol with policies. We set expectations on what's possible, what's doable and how we respond - as Matt had said - pretty severely. The consequences for stepping outside of accepted practice is very severe and the HIPAA events that have happened over the last couple of years have shown that many of our peer organizations have zero or low-tolerance for that kind of infraction. We follow our incident response procedure very rigorously. We have engagement from human resources and other areas and they all align with one vision in mind, and that's secured access and availability of information to the right people at the right time to the right degree.
FIELD: Elayne and Matt, I would love to hear from you as well. How has the changing threat landscape impacted your own organization's approach to incident response?
ELAYNE STARKEY: We're a lot like where Chris is in terms of a reasonably mature incident response program in place. We believe that practice makes perfect. In that theme, we run a large-scale simulation of a broad-scale cyberattack on our infrastructure. We do that every year. We've been doing it for eight consecutive years, and it's been a very good and useful way to validate the plans, to fine-tune the plan, and it continues to get refreshed every time we do that. There are sophisticated threats out there that are coming out and that's what drives the scenarios that are used in those exercises.
We also run annual disaster-recovery exercises. We simulate major interruptions on our primary data centers, and most recently we had good success in getting our state agency partners, other state organizations beyond just the IT group where I sit, to run co-op exercises, and to help them understand it's not all about the technology. It's about resuming your critical business function in the event of some type of disaster. We've had some good luck in helping them to practice what their response would be in situations like that. We also take advantage of a lot of partnerships with other governments and the private sector in terms of monitoring. The good news is that we're not in this alone, so we don't all have to implement our own monitoring systems and things like that. We can take advantage of the good work that's being done with our partners to join forces against the threat.
MATTHEW SPEARE: The way that we look at it is we're very similar in that, fortunately or unfortunately, we have a pretty mature incident management response system that was forged out of the need to do so. And we continue to improve that every year. [With] some of the new challenges that we all face, what it does is it gives you new enhanced scenarios to practice from, hopefully not for real. But at the same time, I think that every time that you think something or you see something occurring in the news, you then walk through with the incident management team as to how would you respond given your playbook. With how we typically respond to these, do they give us the opportunity to modify the approach and just be better at it?
Top Skills Needed
FIELD: Matt, what do you find to be the key skills that you need in your organization now to respond to security incidents? I'm thinking in particular about the way you need to reach out to customers even to talk to them about some of the DDoS threats that we've seen.
SPEARE: I put it in two different buckets in that, one, you need a high level of technical skill sets to be able to deal with the technical threat. You want those that not only have a high technical skill set, but can be methodical, be able to analyze a problem, and then make informed decisions based upon that, and do it within the constraints of your change management process. You don't want them going in, troubleshooting and modifying configurations. But at the same time, you don't want them to have to wait two days to come up with a solution.
The other bucket would be the managerial. It's how do you engage with the areas of your organization that are affected and be able to communicate, both internally down to employees that are going to be the frontline with customers and what they should be telling customers, as well as up through senior management and your corporate communications.
Ultimately, as we've seen, when these things have been happening with FIs over the last six months, the media gets involved as well, so you want to have a media plan on how you're going to be able to describe what's occurring and make it in a manner that will make sense to your consumer base, because, unfortunately, the one piece that has been missed is when the media has been reporting on the denial-of-service, they leave it with that it's an attack. Certainly in the broad sense you can say that, but attack is a very different connotation than the prevention of real consumers from being able to access bank systems. It's not that their accounts were compromised. However, they could certainly, from the media spin on that, come to that conclusion on their own, so you want to be able to have a very robust message that could be presented to your customers.
FIELD: Elayne and Christopher, I'd ask the same of you. What are the skills that you find you increasingly need in your organization in terms of incident response?
STARKEY: I think Matt covered it really well. He's exactly right. You need the technical skills. You need the forensic skills to be able to get to the bottom of the incident, and critical thinking skills. Some of our best technicians are the ones that are just generally suspicious and skeptical by nature. Those are the ones that are really valuable.
Regarding the media and even just communicating what's going on to senior management - in my case to the Governor's office or to other leadership - the people and skills are just more important than they've ever been before. The ability to take what's going on and to understand the technical jargon in a way that you can then turn around and describe it in English to a non-technical person and cut through all the techno babble, there's a real art to that and that's an especially critical skill.
PAIDHRIN: Beautifully said, and I concur completely with Matt and Elayne. Our moniker, our label for the skill set that we're looking for, is a fully-engaged knowledge worker. That means that they've got a high degree of mindfulness, attentiveness, and that they have those ubiquitous, excellent, communication skills [and have] demonstrated excellent communication skills. It's really, really hard to learn those on the job when your job is stressful. You need to come with that capacity, the capabilities. The engagement means that our ideal candidates and our future colleagues are going to be results-and-detail-oriented, but not in a general sense. We want them to add value. That's the highest priority so that everyday they come in and they contribute.
Advice to Next-Gen InfoSec Leaders
FIELD: I've got a final question for each of you, and Christopher I'll toss this to you first. If you could offer advice, what would be the single biggest piece of advice you would offer the next generation of information-security leaders?
PAIDHRIN: That would be to network with peers and find a mentor to learn best practices. There's no reason in our highly-sophisticated, security-oriented domain to reinvent wheels. We need to go to the mentors, to the knowledge stores, to those organizations that have done it a hundred or a thousand times before us. We need to find and adopt best practices, and I found that through networking online, through local security, compliance and auditing groups, networking is the fastest way to bring the community of security providers together and share what works and doesn't work, because you only want to do what works.
Other than networking with peers for best practices I would say, in the words of Henry David Thoreau, "simplify, simplify, simplify," because given the complexities of the challenges we face, you've got to get things down to a level where you get things done and not get lost in the mire of what could be done.
FIELD: Elayne, I didn't attend to do this to you, but I'm going to ask you to follow-up on Henry David Thoreau.
STARKEY: It's an exciting time for the next generation for sure. It's exciting for us, but it's more exciting when you kind of look ahead. There are lots of different kinds of experience. Don't narrow yourself just to a telecom kind of experience, or just become a programmer. Try to lift up and get good at each of those, but try to pull up and broaden yourself with different kinds of jobs and different types of responsibilities. A former employer of mine used to call it "getting your ticket punched." They encourage people to not stay in one business unit too long, but to keep an eye out for different opportunities in different areas, and some of them might be a stretch based on current skills, but in the long run it kind of gives you a more holistic view.
The training, formal education and certifications are really important, but so is hands-on, in-the-trenches experience. As I mentioned before, the people skills have never been more important than ever for technical folks especially. There was a time when early in my career people could get by with just simply strong technical skills, and they may have absolutely no social skills at all, or they kind of hid in the corner of an office or a data center and did their thing and did great work. But I think those days are gone. The ability to communicate, work on teams, work together and be able to communicate technical things in plain English has never been more important.
FIELD: Matt, I'll give you the last words here - your advice for the next generation of leaders?
SPEARE: Both Elayne and Chris's ideas and recommendations are very good. The one that I would add is that it's imperative for any information-security professional to understand the business processes that they're supporting, because what you find is that the vulnerability gaps that allow for there to be fraudulent attempts against different types of business transactions are due to the gaps in the way that we have engineered processes. There are vulnerabilities that are just as important to identify as any technology implementation that you would do. Understand the business that you're supporting because that's where you can have one of the greatest gains in this space.