Five Key Benefits of Using a Third-Party Incident Commander for Security Incident Response

Author: John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, president of IP Architects LLC.
Date Published: 1 April 2024
Read Time: 6 minutes

It is no surprise that incident response activities are often extremely stressful and resource-intensive, which negatively impacts organizations. Organizational leaders frequently find themselves unprepared for the mental, physical, and time demands of incident response, all on top of maintaining day-to-day operations. Third-party incident commanders can ensure that security incident response activities are more efficient, effective, and successful for organizations facing material security incidents. Their primary role is to manage all aspects of the incident response, including assessing the situation, developing a plan of action, and governing and overseeing its execution.

It is sometimes difficult for chief security officers (CSOs) and/or leaders of organizations to embrace the idea of leveraging third-party incident commanders to lead security incident response. Such individuals often believe that it is their responsibility to lead incident response efforts. While this may be true, leaders of organizations are often disadvantaged by the fact that they are emotionally attached to the organizations they support, which can lead to poor decision making and diminished capacity.

Third-party incident commanders have the advantage of independence and can maintain a degree of separation from the organization, which allows them to be less emotionally driven and more decisive throughout the security incident response. During the initial 72 hours of incident response, incident commanders play a crucial role in maintaining calm, focus, and clarity. Their decisions during this critical and emotionally challenging period significantly impact the entire process. There are five key benefits of using a third-party incident commander as part of a security incident response:

1. Third-party incident commanders can orchestrate and govern incident response resources more effectively.

A significant component of any successful security incident response is the ability to identify, engage, orchestrate, and govern supporting resources. If an organization does not have a comprehensive information risk and security program or extensive security, compliance, legal, and communication resources readily available, it will be at a significant disadvantage during an incident response activity, even if it has a documented incident response plan. Third-party incident commanders play a critical role in incident response, offering expert guidance and support to organizations. This guidance comes in the form of quickly identifying, vetting, and engaging both internal and external resources that are required to support incident response.

The third-party incident commander also establishes a roadmap, a register of activities, and the working groups and work streams necessary for incident response. Once these are in place, they task the appropriate service providers, teams, and individuals accordingly. They also develop supporting governing metrics, goals, and objectives to ensure that the response activities progress as efficiently as possible. This enables all appropriate and expected actions and activities to be orchestrated and completed comprehensively, accurately, and in a manner that supports all aspects of incident response. The third-party incident commander also facilitates appropriate data sharing amongst working groups and stakeholders to further support response efforts.

2. Third-party incident commanders can help organizations develop and constantly improve security incident response plans and capabilities.

Third-party incident commanders should be engaged proactively with organizations during the development and maintenance of their incident response plans, instead of only being engaged at the time of an actual security incident. While this is not always possible, these individuals must have an ongoing relationship with the organization so that they can understand the business activities, key sensitivities, resources and capabilities, and ongoing risk appetite of the organization. Ideally, these individuals develop and participate in tabletop exercises and other testing activities associated with incident response plans. This not only helps the commander better understand the strengths and weaknesses of response plans, but also demonstrates their value as an incident commander, helps organizations enhance and improve their incident response plans, and maintains a state of readiness that will allow the organization to be more effective when tasked with an actual security incident.

Third-party incident commanders, by nature of their roles and positions, are typically senior-level consultants who specialize in the development and execution of incident response plans amongst other activities. They often have extensive knowledge of legal and regulatory requirements, crisis communications, logistics and planning, and technical skills. They also have the benefit of working with multiple organizations and can bring invaluable experience and lessons learned from being involved in both good and bad incident response plan development and execution. These diverse perspectives and experiences can be invaluable to organizations, supercharging the effectiveness of their incident response plan development and testing.

3. Third-party incident commanders centralize communications and data distribution to leadership and stakeholders.

Incident response activities often include multiple workstreams acting simultaneously with significant data gathering and processing, legal and compliance analysis, forensic and/or operational investigative activities, and insight into organizational operations. Organizational leaders and stakeholders must facilitate regular communication to gather and process information crucial for decision making. However, they often face the challenge of becoming overwhelmed by updates from multiple groups and individuals such as company leadership, partners, employees, and customers. To mitigate this, third-party incident commanders can establish central information gathering, processing, and distribution methods and practices during incident response. This helps ensure consistent, high-integrity, compartmentalized communication with organizational leaders and stakeholders as well as other interested parties when appropriate.

4. Third-party incident commanders can adjust security incident response plans as conditions and requirements of the response evolve.

The only constant in incident response is change. Effective incident response plans provide guidelines, data points, frameworks, and playbooks to address security incidents. However, these plans often need to be adjusted as the response activity evolves to adapt to the conditions and situations at hand. A third-party incident commander adapts plans in real time to ensure effective responses across all resources and workstreams.

5. Third-party incident commanders can provide independent perspective and knowledge throughout the incident response activity.

Incident response activities typically involve several different resource groups (both internal and external) such as service providers, forensic investigators, legal, communications, compliance, technology, operations, and others who have strong views and opinions about how the response should proceed and what actions should be taken. These views are often at odds with one another and can impede the progress of incident response as individual points of view and interests are discussed and debated.

Third-party incident commanders bring independent perspectives and knowledge to ensure that all interests are considered and evaluated to help develop an informed plan of action that is based on evidence and expert experience instead of emotion and individual interests and perspectives. Essentially, the third-party incident commander becomes the trusted advisor to the impacted organization’s leadership team and stakeholders. They process internal information, augmenting it with their insights to provide holistic, well-informed, evidence-supported plans of action. This level of insight can be applied to all phases of the incident response from the initial contain and protect stage through the post-response review for lessons learned and opportunities for improvement.

An invaluable element of incident response

Many organizations are not aware of the value of using a third-party incident commander as part of their incident response programs until they are faced with the reality of a security incident that causes material organizational impacts. The benefits of perspective, knowledge, experience, and independence that third-party incident commanders provide are invaluable to incident response. When third-party incident commanders are properly engaged, organizations can see increased productivity, decreased organizational impacts, and more efficient outcomes for incident response activities.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.