Jan 19 2021

Tips for Staffing and Training a Cyber Incident Response Team

Consider these strategies to help higher education IT leaders build strong cybersecurity operations teams.

Of all the cybersecurity solutions built to keep bad actors out of higher education institutions, the people on the incident response team are the most vital.

DarkReading and Immersive Labs recently hosted a webinar on best practices for managing staffing and training for incident response teams. Gal Shpantzer, a security consultant for large corporations as well as universities and nonprofits, was a primary presenter.

“We need to optimize our defenses based on real-world attacks and threats and prepare our teams in terms of communications, playbooks and documentation,” says Shpantzer in the webinar, pointing to the 2015 and 2016 cyberattacks on the Democratic National Committee as an example. In this high-profile incident, the FBI had detected the Russian hackers and even alerted the IT contractor in charge of security at the DNC multiple times. But that’s where a communication breakdown occurred.

A DNC tech-support contractor was tipped off by a phone call from an FBI agent that at least one of its computer systems had been hacked. The contractor “did not look too hard” at the problem even after the agent called back repeatedly — “in part because he wasn’t certain the caller was a real FBI agent and not an imposter,” according to The New York Times.

Shpantzer uses this example to challenge higher education leaders to ask themselves how they would handle a similar situation.

“What would your staff do if you got an external notification like this? Who would they contact? No amount of technology will help you with this,” he says.

While the DNC intrusion dates to 2015 and 2016, the risks have only increased since then. To build a strong and resilient security operations team, speakers on the webinar encouraged the following actions:

3 Tips For Building a Strong Cybersecurity Operations Team

1. Build Clear Communication Strategies

Organizations should establish internal and external communication pathways for passing on information about breaches. Higher education security teams need to know when to contact the university president and other top administrators, as well as other IT personnel, contractors and employees outside IT. Those pathways should also cover inbound notifications from outside parties such as law enforcement: the DNC example turned on a contractor who could not tell whether the caller was a real FBI agent, so the plan should say how staff verify such a caller (for example, by calling back through a number obtained independently) and whom they escalate to once the notification is confirmed.

For external audiences, IT security teams need clear protocols that define when and how to inform external counsel, students and the public. Keep a printed copy of these instructions with key stakeholders as well, since the systems that normally hold the plan may be unavailable, or not trustworthy, during an incident.


2. Practice Detecting and Responding to Threats

The Center for Internet Security offers free tabletop exercises in which teams can practice responding to scenarios such as malware infections and cloud infiltrations. Running through one of these scenarios each month helps a security team stay current on new threats, and it shows the organization where its gaps are: who noticed the problem, who knew whom to call, and which decisions nobody was authorized to make.

“Study those situations, work with people and develop workstreams to build a response,” Shpantzer says. “Who knows how to detect the threat? Who knows who to call? Who makes the business decisions?”


3. Develop and Provide Resources for Your Team

The MITRE Corporation, a nonprofit that operates federally funded research and development centers for U.S. government sponsors, recommends making sure you have the number of analysts your organization's security operations center actually needs, rather than a generic headcount. It also emphasizes that growth opportunities and training are key to efficient and resilient teams.

For example, give analysts with a creative bent the room to write code that automates repetitive security tasks; those are the staff members you want to hire and keep. “The whole idea of a CV and a skill set is not what we’re looking for anymore,” says Max Vetter, Immersive Labs’ Chief Cyber Officer, in the webinar. “It’s attributes like perseverance.”
