So much of cyber security is about technicalities, and seldom about workplace psychology. That’s as true of this week’s annual Black Hat Europe conference, online and in London; where titles of talks have included the intriguing ‘how your e-book might be reading you’; VPN exploits, ransomware, cloud account hacking, hacked databases of Azure customers, and so on.
Yet besides the technical containing of a threat, security teams have to avoid finger-pointing in a crisis, and take the time for relationships. So the recent conference heard from a pair of speakers. They were Americans: Dr David Shore, of LETS; alongside Mark Orlando, 20 years in (cyber) security operation centres (SOCs) and incident response, and co-founder and CEO of Bionic Cyber.
Their subject: building better CSIRTs by using behavioural psychology.
Orlando spoke of SOC experience; of going into a new team, or setting one up; resources are finite, and you need to make difficult decisions. Customers are demanding, and in the midst of big business changes. You have to make a SOC better, and you are the ‘expert’. The customer does not know the ins and outs of cyber incident response; you are the ones to make it happen.
In that SOC team, you have a few key experts, that the rest of the team naturally falls into line behind. You identify intrusions, respond quickly, and have some short-term wins. That ‘A team’ of experts however gets tired of doing most of the technical work; they feel frustrated, burned out. They look around for other jobs, and eventually they will leave. When they do, ‘your capability craters’. When those few team members go, so does a lot of your expertise walk out of the door.
Orlando listed four problems to address. First: ‘the cyber hero problem in security’. Most teams are over-reliant on a few key people to repeatedly save the day; despite that fact that SOCs have resources poured into them, in terms of staff, tools and processes. Second comes a teamwork problem. A lot of training in SOCs is focused on technical processes only; there’s a lot of ignorance about the social and behavioural sides of cyber incident response. Third: “We are also trying to address the fire fighting problem. We constantly need to adapt in the middle of a crisis.” In other words, while trying to build a sense of teamwork, and make relationships with other teams, and know when to approach them – the SOC is ‘fighting the fire’ of cyber attacks. Lastly: the ‘lone wolf problem’, of very talented SOC analysts, who are motivated and incentivised to do the work – on their own, without reaching out to others. These make for ineffective teams; and that staff turnover means any gains get lost. A lot of the problems have arisen by default; info-security training – about coding, testing, and investigating – is done alone. Not surprising that people are ego-centric. The need then, is to develop team-work, rather than task-work. How to make a SOC not only competent, but make its members feel that they belong, that they can speak up and be heard, that a SOC’s success is their success? Orlando quoted the organisational thinker Peter Drucker on the difference between managers and leaders; that managers focus on doing things right (the technical infosec stuff), and leaders focus on doing the right thing.
Also identified in the pair’s research – funded by the United States Department of Homeland Security (DHS) among others – is that ‘complex problems’ need multi-team systems: cyber engineers, forensics, monitoring, maybe legal. The men talked through a ‘5c model’ to apply to your own SOC and work; and ‘micro-skills’ such as trust in workmates, so that SOC staff know when to apply such skills such as sharing information (and knowing when to) and when discussing how to solve a problem, someone acting as a devil’s advocate rather than everyone sharing what they know already. These new behaviours have to become a habit; such learning cannot happen during a crisis.
As the two men set out, success in a SOC is about much more than the technical side of finding intruders by leaning on the people with experience – at the expense of those not as confident, not the loudest voice in the room. Orlando spoke from his own experience of setting up a high-pressure, 24-7 SOC. Besides that project, the SOC was having to do CSIRT (computer security incident response team) work, and learn who to talk with outside the SOC, and when; and when a job just needed to be done. How to know that the team – of smart people in their own fields – was getting the job done? How to set goals, and metrics, and be transparent about them, so that SOC members could feel part of them? How to know what details to share in a crisis, and what happens if things get in a muddle? A SOC may usefully draw on a wiki – a repository of knowledge – checklists and processes, that inform the SOC’s ticketing, its case management. As Orlando put it: “We often update our software, but rarely our teamwork.”
Visit https://www.letswecan.com/.
Further reading at the Bionic Cyber blog.
