Are you primed for success?
Why teaming successfully with your cybersecurity services provider is critical
Henry Ford famously said, “Coming together is a beginning. Keeping together is progress. Working together is success.” This couldn’t be truer when it comes to your cybersecurity services provider. It is easier said than done, though, considering that collaboration can be very challenging even between teams within the same company for cultural, leadership, and various other reasons.
It’s never pleasant to hear a customer’s security and IT teams express frustration with how their provider just “redirects” security incidents their way and provides “no value”. Meanwhile, the provider team is demoralized by its workload and the lack of coordination with the customer team, setting up a downward spiral that very few teams can survive.
As someone who’s spent many years working on both the customer and the provider sides, I’ve viscerally experienced the difficulties of teaming effectively across organizational boundaries. Fortunately, I’ve also learned what makes for strong collaboration to make working in cybersecurity a little easier.
What are the key actions that a customer can take to collaborate effectively with their cybersecurity services provider?
1. Assign the right individual(s) to work with your cybersecurity provider.
Every organization has security and IT teams with different skills, sizes, and working styles. It’s important to take these factors into consideration as you structure the team responsible for working daily with your cybersecurity services provider.
Even though the provider team is performing security operations, it can’t work in complete isolation from the customer’s teams. You need to assign an individual, from either security or IT, to ensure that these team interactions are productive when cybersecurity incidents or breaches arise. At CyberMSI, we call this individual the IR (Incident Response) Coordinator. In smaller organizations, a single person is likely to fulfill this function in addition to wearing other hats. That’s fine if this individual has the needed bandwidth during spike periods.
What attributes does the IR Coordinator need? Someone who’s comfortable working under stressful situations, communicates effectively, enjoys strong executive support and can quickly marshal participation from IT, business and other support teams, including HR and Legal. The IR Coordinator works very closely with the cybersecurity provider’s team and manages all IR/breach efforts on behalf of the customer. You need a steady hand at the helm with this role, so choose wisely.
2. Ensure your cybersecurity services provider has a defined and responsive team structure.
There’s a ton of content out there about best practices for staffing a SOC (Security Operations Center), and most of it describes at least two different tiers of analysts, team leads, an IR team, SOC managers and various other roles. You can see why traditional MSSP and MDR providers may not be very responsive.
At CyberMSI, our SOC teams operate on a model based on DevOps, which calls for eliminating unnecessary hand-offs and boundaries, driving individual accountability, and increasing execution speed along with quality through automation. There’s a reason why DevOps is upending the traditional IT delivery model.
For that reason, our team structure has the following three key roles to which we assign resources during customer onboarding and continually update as operational requirements evolve.
The cyber analyst collects and analyzes the alerts for the incident under investigation, assigns a severity classification, determines root cause, documents incident details, assigns remediation, and identifies and executes incident containment and response steps.
If it’s a high severity incident or a breach, we also have the lead cyber analyst review the incident analysis and, if needed, work with the cyber analyst to execute containment and mitigation steps. The goal of the lead cyber analyst is to speed up the right response activities from the get-go, not serve as a gate check.
Lastly, the SOC team manager oversees the activities of cyber analysts to ensure that the required resources are available and meeting customer needs.
3. Maintain communication channels under all situations.
You need to be able to collaborate without interruption with your cybersecurity provider, internal teams, and any external parties such as an IT support provider at all times.
In addition to the standard incident management and IT ticketing, you may want to consider using a collaboration platform that unifies messaging, emails, calendars, files, etc. across internal and external teams so that everyone can easily access the information needed in one place.
As part of standard operating procedures, each team member at CyberMSI has hard copies of the contact information, including cell phone numbers and personal email addresses, for the entire team as well as for the customer’s points of contact, because it’s possible that we may not have access to this information during an incident such as a widespread ransomware attack.
We also set up a secure enterprise file-sharing service for all our customers so that, if normal communication channels fail, critical information can still be disseminated and shared without resorting to everyone’s personal email accounts, which would put sensitive information at risk.
I leave you with three questions to consider as you seek to improve teaming with your cybersecurity services provider:
- Do people on your team responsible for liaising with the cybersecurity provider understand how to navigate successfully within your organization?
- Do you have information security policies to help guide and manage the incident management process?
- Do the team members on both sides work well as a high performing unit?