Organizations should utilize behavioral psychology techniques to improve how computer security incident response teams (CSIRTs) operate, according to Mark Orlando, CEO of Bionic, and Daniel Shore, chief research officer of LeTS: Leadership & Effective Teamwork Strategies, speaking during a session at Black Hat Europe 2021.
Orlando began by outlining the most significant teamwork issues seen in CSIRTs. These are:
- The superhero problem: an overreliance on a few key individuals for thought leadership
- The teamwork problem: too much focus on technical capabilities at the expense of working together internally and with other teams effectively
- The firefighting problem: constantly having to adapt and respond to crises, therefore losing time to think strategically
- The lone wolf problem: personnel are motivated only to do their own work
At the heart of these problems is ‘ego-centrism,’ where attitudes of “I can do this on my own” are prevalent, according to Orlando. This is not the right approach in incident response, where “we are trying to solve some very difficult and complex problems.”
In addition, it is essential for CSIRTs to work with other parts of the organization, such as application teams and the business owner, to find a solution. “We don’t do what we do in a vacuum,” added Orlando.
Shore pointed out that ego-centrism arises from psychology – “as humans, we want to feel validated and that we are valuable,” he stated. However, regarding incident response, “it is no longer an option to work on your own and be most effective in that response.”
The two speakers then shared details of research they had undertaken into teamwork within cybersecurity teams worldwide. Shore said they quickly realized that to drive interest in learning about teamwork in incident response, “you have to take a gamified approach to talking about the areas we want to work on.” The curriculum therefore has to be unrelated to cybersecurity so that everyone starts on a level playing field.
Such an approach promotes “psychological safety,” whereby employees feel empowered to speak up and raise issues with anyone in their organization, regardless of position. This enables those in leadership roles (CISOs, CIOs, etc.) to gain insights and collaborate with the rest of the team more easily.
Orlando and Shore emphasized the need for frameworks to help CSIRTs structure their teamwork. “It’s really important to have a repeatable, structured way to facilitate that teamwork and to measure it in order to make it effective and have the team make the right decisions even when the leadership isn’t around,” explained Orlando.
Another critical aspect is ensuring all members of a CSIRT “find joy in teamwork,” said Shore, in particular by gaining their buy-in to the broader scope of goals and tasks of that team. Achieving this requires combining the three pillars – autonomy, belonging and competence – of individual motivation. This is designed to “cultivate that individuality within the team context.”
The speakers then outlined several case studies to tie these concepts into real-world scenarios. One of these came from Orlando’s own experience working in a 24/7 operations team. Here, a team had to be built very quickly while continuing their day-to-day operations. The situation was made especially challenging as the organization “was comprised of experts from all different disciplines,” making it difficult to tell individuals what they can and cannot do.
While there was lots of technical expertise within the team, there was a lack of understanding about who to communicate with in certain areas. Therefore, a framework was needed to demonstrate the situations when team members should engage with each other, when to share knowledge, and how to measure collaboration.
Shore provided an output of a mapping tool used to answer these questions, connecting people’s goals. “From a psychological standpoint, we really want to focus on making sure people have input to the goals that they’re setting, that they have an understanding of every goal in the eco-system, and also that they get to celebrate,” he outlined. This ensures everyone is connected to what the team is doing and feels they have contributed to successes.
Another mapping tool was used to show the different ways different teams interact during a cyber incident. This enables collaboration to occur most efficiently, ensuring the appropriate teams interact together at the right times. “Teamwork allows for efficiency if our teamwork is structured and intentional,” stated Shore.
Concluding, Shore said: “We’re leveraging the power of ego-centrism here; let’s use it to our advantage. What information do I have that’s unique? What information do other team members have that’s unique that I know they have? If we talk about that, we’re making implicit information explicitly communicated.”