Incident Response Team Professionalization

As Chief Security Officer (CSO) at Mandiant, customers and colleagues often ask about creating or improving their computer incident response teams (CIRTs). Prior to joining Mandiant a year ago, I created and led the General Electric CIRT (GE-CIRT), starting with myself and ending with 40 analysts in early 2011. When I designed and built the CIRT, I believed it was important to secure internal and external support and recognition for our efforts. We benefited from a strong internal champion in the form of the company's Chief Information Security Officer, Grady Summers (now a Vice President with Mandiant), as well as support from our Chief Information Officer. As part of my strategy to build an external presence, I sought involvement with the Forum of Incident Response and Security Teams (FIRST). In this post I will explain why I thought FIRST was important to my CIRT.

FIRST is an old institution, in Internet terms. FIRST was founded in 1990 and serves as an international organization for incident response teams and related security functions. I first learned of FIRST when I served in the United States Air Force Computer Emergency Response Team (AFCERT) from 1998 to 2001. What I learned then involved the professionalization of the incident response function. FIRST required certain procedures and capabilities from its member teams, including established groups like the AFCERT. These requirements included encryption key handling, protection of critical data shared by members, and organizational features like training, budget, and management support.

I decided that my new team should seek FIRST membership as a way to demonstrate to our company and the IR community that we were a serious group. Part of the FIRST membership process demanded nomination by two existing FIRST members, who then visit and audit the prospective team. By working to meet this goal, I believed our team would become more professional in the eyes of the company and the community. NCSA-IRST and NGFIRST were kind enough to sponsor us and shepherd us through the membership process, concluding with acceptance into FIRST on March 19, 2010.

The graph below shows the growth in FIRST membership over the last 15 years. As you can see, joining FIRST is increasingly popular. I would like to see every company in the Fortune Global 500 create an IR team and join FIRST. I would make a similar recommendation for the largest schools, nonprofit organizations, and other significant institutions with assets that require the vigilance of an IR team. Although FIRST has been growing over the last 15 years, many hundreds of organizations still need to join the community and demonstrate their commitment to professional incident response. FIRST membership statistics are one way to track that progress over time.