Making CSIRTs (even) better

Incident Response Teams are, as the name indicates, responsive. Often they will try to provide whatever services their constituency asks for, or seems to need. However, over time that can result in a mismatch between what the team offers and what its resources, capabilities and authority can actually deliver. That leads to frustration, both among disappointed customers and among team members who know they are not delivering the best they could. And, as Vilius Benetis asked at the FIRST conference, “do their eyes shine with passion?”

He was presenting (video) a report by ENISA that, although titled “How to set up CSIRT and SOC”, can also help existing teams move to a more consistent and satisfying state. Critically, this adds a feedback loop to the design/implement/operate sequence that many teams – more or less formally – adopt. An “improve” stage considers the results of “operate” and how “design” might be changed to deliver better outcomes for the team and its constituency. This might involve changes to the CSIRT’s mandate; the services it offers; its processes and workflows; skills and training; facilities; technologies, including automation; cooperation; information security management plan; or implementation requirements. Budgets and other resources may mean it’s only possible to deliver a subset of these ideas, but those selected should be developed into improvement initiatives and detailed design changes. If resources are limited, this might include reducing the range of services offered by the team, to improve the performance of those that are most important.

These feedback reviews should take place regularly, ideally annually: developing relevant metrics for CSIRT performance will ensure consistent reviews as well as guiding operational activities. The presentation identified several sources that can be used, including:

The objective of this process is to improve satisfaction, both within the team and among its constituents. So communicating and celebrating improvement is an important part of that. Shiny-eyed customers may be too much to hope for, but at least we should be enthusing our team members.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
