Incident Response Teams are, as the name indicates, responsive. Often they will try to provide whatever services their constituency asks for, or seems to need. However, over time that can result in a mismatch between what the team offers and what its resources, capabilities and authority can actually deliver. That leads to frustration, both among disappointed customers and among team members who know they are not delivering the best they could. And, as Vilius Benetis asked at the FIRST conference, “do their eyes shine with passion?”
He was presenting (video) a report by ENISA that, although titled “How to set up CSIRT and SOC”, can also help existing teams move to a more consistent and satisfying state. Critically, the report adds a feedback loop to the design/implement/operate sequence that many teams – more or less formally – adopt. An “improve” stage considers the results of “operate” and how “design” might be changed to deliver better outcomes for the team and its constituency. This might involve changes to the CSIRT’s mandate; the services it offers; its processes and workflows; skills and training; facilities; technologies, including automation; cooperation; information security management plan; or implementation requirements. Budgets and other resources may mean it’s only possible to deliver a subset of these ideas, but those selected should be developed into improvement initiatives and detailed design changes. If resources are limited, this might include reducing the range of services offered by the team, to improve the performance of those that are most important.
These feedback reviews should take place regularly, ideally annually: developing relevant metrics for CSIRT performance will ensure consistent reviews as well as guiding operational activities. The presentation identified several sources that can be used, including:
- SIM3 model: for assessing/benchmarking the current maturity of your CSIRT and the required future status
- CSIRT services framework: for discussions of key services relevant to the constituency
- (draft) CSIRT roles and competences: for discussions of what will be needed to deliver those services
The objective of this process is to improve satisfaction, both within the team and among its constituents. So communicating and celebrating improvement is an important part of that. Shiny-eyed customers may be too much to hope for, but at least we should be enthusing our team members.