Can organizations do more to prepare their Security Incident Responders?

Lessons from the Strategic Corporal - Implications of Cyber Incident Response

The current challenge of Advanced Persistent Threats (APTs) requires cyber incident handlers to make decisions every day that can have real strategic impact on companies. Yet they are poorly equipped to make such strategic decisions. The mismatch between the strategic decision-making and communication models of companies and the real-world needs of cyber incident handlers is not sustainable.

Lemay, Leblanc and De Jesus build up an argument that cyber incident response is undergoing a shift in operating environment that is similar to that experienced by modern militaries. They believe that the solutions put forward by the military could be transferred to the cyber-security context, to resolve the strategic incident responder problem.

Military forces have increasingly been called upon for operations besides combat, such as peacekeeping and providing humanitarian aid. Because the nature of operations can change drastically in a very short time, and can require different responses within a small area, troops need to be equipped for the entire spectrum of operations. Further, quick decisions made at the front line can have a big impact on overall strategy and on the organisation as a whole. A stiff decision-making hierarchy and strict delineation of roles would make it difficult to operate effectively in this environment. The new reality is a frontline “Strategic Corporal” making decisions that consider operational, tactical and strategic realities, a task usually distributed vertically through the organisation’s structure.

Cyber security professionals also face dynamic and time-critical decision-making scenarios when securing company assets and operations. They often operate within organizations that are vertically hierarchical and role-restrictive, like a traditional military. The greater number of high-impact incidents, such as those involving APTs, has increased the strategic impact of technical decisions. The extremely time-sensitive nature of cyber security and the adversarial nature of the incident response process make it impossible to wait for management input. Technical personnel also often have difficulty communicating the strategic implications of highly technical problems to management. In many ways, cyber incident handlers are thrust into the role of “Strategic Corporal” whether they are adequately prepared or not.

Cyber incident responders who make strategic decisions need to be well equipped to respond appropriately and in line with organizational strategy. Role specialization can hinder communication and consequently limit decision-making. The table below puts forward three solutions to counter the strategic incident responder problem.

Solutions for the Strategic Incident Responder Problem

Training
  • Invest resources to train technical employees so that they gain a real strategic understanding of the company’s business environment.

Mission Command
  • Improve the methods managers use to communicate.
  • Instructions must be clear and open-ended; employees must be able to adapt the execution of the job to the reality on the ground.

Decentralized Decision Making
  • Reorganize decision making into a decentralized process, but keep the unity of purpose obtained through centralized command and control.

Cyber incident handlers need to be provided with the tools to tackle the challenges introduced by this strategic reality. The solutions put forward for similarly dynamic management environments – training, awareness of communication skills, and unity of vision and purpose achieved through decentralized decision making – provide suitable avenues to make cyber incident responders ready to meet current challenges.

Cyber incident handlers are making strategic decisions for your firm. Training, improved communication and decentralized decision-making structures will help them do it right.