As the cyber-threat landscape evolves and data breaches become more common, incident response has become more critical than ever. A CSIRT (Computer Security Incident Response Team) is a body of people assigned with the responsibility of responding to and minimizing the impact of any incidents that affect the organization. This team requires a strong and versatile leader.
Here we discuss the roles and competencies required within the role of the CSIRT Team Leader.
CSIRT team leaders are primarily involved in strategic decisions – responsible for the operation, budget and strategic direction within the company. They also give management advice on security issues, current threats and issues related to meeting compliance standards.
A strong working relationship between the team leader and the rest of the organization boosts security productivity.
Security should be a top priority within the organization, and it would be a good idea for the head of information security to be an essential member of the executive team. As the role for information security develops, the team leader needs to work more closely with other leaders.
“If security is done well, nobody sees it, nobody values it. The board needs to value the work. Show leadership on how you are improving security.” – Jim Byrge, Valvoline
Jim Byrge went so far as to appoint the company’s CISO as the CSIRT team leader. This allows for unrestricted and rapid communication all the way up to the board level. However, in many companies, the CISO has so many responsibilities that they would not have sufficient time to respond adequately to the demands of heading the CSIRT team.
Knowing how to talk to the board is key – much of a team leader’s role involves management and advocating for security within company leadership. Educating, engaging and including other members of the CSIRT team who can attend these meetings should also be a consideration. The more the team leader can engage, the better prepared the company will be in the event of any incident.
The team leader is concerned with the continuously improving cyber resilience and therefore, the board needs to understand the value of the work in order to get the funding they need to support the infrastructure, software, headcount etc.
The knowledge of the team leader will be far reaching. They understand how the cybersecurity threat landscape is evolving and how that could affect the security risks facing the business. Knowledge of data loss and fraud prevention, identity and access management, investigation and forensics and program management are also key requirements.
CSIRT team leaders work proactively with their group in preparation to defend against any and all attacks. And if and when necessary, implementing a predefined incident response plan.
The team leader is responsible for selecting a CSIRT team which answers the specific requirements of their employer, within the company’s budgetary constraints and the limited availability of experienced incident responders. They need to ensure that the incident response team receives appropriate attention and training, a sustainable budget and has the authority to act quickly during a crisis.
Incident response is a critical business process that requires a skilled, specialized workforce that possesses years of experience in addition to harmonized, repeatable and scalable processes.
A team leader’s position is one of tremendous responsibility. However, it is important to consider that technical knowledge isn’t the only key requirement, and maybe not the most important. It involves management and advocating for security within company leadership. They are enforcers and enablers working to build a cybersecurity culture that contributes to their company’s unique business objectives. Speaking the language of the business and empowering the employees.
VMRay supports incident response every step of the way. Detect and respond to critical security incidents within minutes to prevent the spread of threats and limit their impact.