By Seth Jaffe.
CNN’s Danielle Wiener-Bronner penned an article recently chronicling Equifax’s data breach missteps. One statement in particular caught my attention as being sage wisdom, and worth fleshing out: “Too many decision makers yield a slow response, which results in negative attention.”
The importance of an empowered incident response director cannot be overstated. Consistent with our theme on incident response, it makes sense to look to NASA’s Mission Control framework for guidance.
Our inaugural post on incident response concluded that a shift toward executable incident response plans is warranted, and the follow-up article laid out reasons for decoupling procedures from the overarching incident response policy document, such that any team member can pick up the plan and get the ball rolling via step-by-step instructions. Executing a plan, however, merits coordination from each participating discipline (I refer to various teams as “disciplines,” as is the custom in NASA’s Mission Control). This coordination requires practiced internal communication protocols, which will be the focus of a subsequent post. Even with exceptional communication between disciplines, leadership is required.
Consider the players in an enterprise-wide cyber security incident: “Infosec” is working with a security analyst to determine what happened and what was lost, coordinating with operations to secure the network, and potentially working with a forensics specialist. “Legal” is responsible for engaging outside vendors, coordinating with all disciplines to protect the attorney-client privilege and ensure external communications adhere to company policies, and, if necessary, reviewing data breach laws to determine company obligations. The Public Relations discipline is working with Infosec, Legal, the affected groups, and management to fashion external communications. If the incident affected employee information, Human Resources is at the table as well. Depending on how an incident response program is put together, other disciplines might include Corporate Security, Insurance, Audit, Finance, Call Center, Social Media, not to mention the inner workings of Infosec’s team and its partnership with IT. (Of course, not all of these disciplines should interact with each other directly—NASA uses the concept of back rooms to create a hierarchy. Take a look at the graphic below for an example of how it might work in the average incident response program.) On top of that, larger companies will need to coordinate with other crisis management, business continuity, and disaster recovery programs.
With that many disciplines in a room, how does a team keep order? By installing a Director. The NASA Flight Director hails back to the dawn of the manned space program, when Chris Kraft and Gene Kranz blazed a trail (many are familiar with Gene Kranz’s character in Apollo 13). The modern Flight Director is not much different, exhibiting a number of qualities that can be borrowed by an incident response program.
There are a few questions worth asking in consideration of incident response directors: where do they come from, where do they go once selected, and what do they do when they are there? First, it makes sense to pull the Director from the active body of certified personnel. In NASA’s case, Flight Directors usually hail from the flight controller disciplines. This ensures that the new Director at least has a basic understanding of what the team does. In addition, she knows the team members and, hopefully, has their trust or at least a modicum of respect.
Second—and I think this is extremely important—when selected as a Director, the candidate no longer works in her previous discipline. That’s a major departure, in my experience, from the way most incident response programs fashion their teams. But it is an elegant solution that solves a number of problems most programs don’t know they have. For example, if the Director remains tied to one discipline, the others may suffer under bias. Likewise, one of the Director’s main responsibilities is to maintain the big picture, but if she is more focused on the activities of her original discipline, that may impact her awareness.
Another reason NASA created a separate Flight Director office is for training purposes. While the Director need not be a subject matter expert in all disciplines, she must have a solid understanding of the roles and responsibilities of each. NASA takes each new Flight Director through a rigorous training program, introducing the basics of each core discipline (on the Space Station, for example, that would be environmental, power, communications, attitude control, scheduling), followed by a phase where they learn mission management skills, culminating in simulations where they act as Flight Director under emergency conditions. Then they become certified as a Flight Director, sit in the coveted chair in MCC, and ultimately become responsible for six souls and a multi-billion-dollar spacecraft. Yes, the pressure is high, but that is something Flight Directors accept and spend a good deal of time considering. The gravitas of the overall situation may sometimes be lost on individual discipline team members who are preoccupied with their specific roles. In an age where a botched response can reduce the value of a company by 30% overnight and possibly lead to bankruptcy, incident response teams can no longer afford to neglect this critical part of the team.
Diversity of the Director office is the last aspect worth mentioning in this article. By selecting multiple Directors from different disciplines, the chances of discipline bias are reduced, and Directors share with each other the issues of each discipline.
Consider whether your incident response team would perform better under leadership from a team of dedicated incident response directors. As with all incident response teams, membership need not be a full-time job, but when the directors do put their incident response hats on, having a group focused on the big picture may well put your company ahead of a very costly curve.
Subsequent posts will drill down into the types of training that Incident Response Directors should receive. We will also consider methods for assessing a team and communicating internally in the face of an event. Flight Directors receive guidance on how to interface with the directors of other centers (e.g., Russian MCC, European MCC, Japanese MCC, Marshall), thus we will consider how Incident Response Directors, in kind, can interface with their Emergency Management, Business Continuity, and Disaster Recovery counterparts.
Until then, feel free to review other posts on using the NASA framework as a guide to building your incident response team. And follow me on Twitter at @sethjaffe or on LinkedIn at https://www.linkedin.com/in/sethejaffe/.