Jeffrey Potter, SVP, Chief Technology Officer, Davenport & Company LLC
In other articles, I have talked about my varied interests and the synergy I draw from them. Like most people, I come up with ideas to solve problems when I am completely involved in something else.
I have been a firefighter for over 20 years. During that time, I have responded to thousands of calls and natural disasters (as part of federal response elements) and have ascended through the ranks of both paid and volunteer departments, even ending up leading the entire organization sometimes. It is a way to balance my interest and experience in the digital world, and also to give back to others in their time of need.
I was recently on a fire incident and was thinking about the reactive nature of the work. Someone calls 911 with a problem and the fire department speeds to their assistance. The emergency can be anything from someone trapped in a house to a snake sneaking in a homeowner's back door. The problem itself is varied and different every time. Helping the community and the constantly different challenges make being a firefighter a rewarding experience for me.
In the fire department, we follow the Incident Command System (ICS); its multi-agency form is called Unified Command, and all of it is defined by the National Incident Management System (NIMS) published by FEMA. It is an expandable framework that allows people to manage incidents of all sizes, large and small.
Cybersecurity incidents are very similar. Lives may not be at stake (unless you are in healthcare), but you are playing catch-up from the moment you realize you have an incident. The same reactive elements are necessary:
• Resource marshaling and management
• Creating a plan of attack (Incident Action Plan in ICS terms)
• Common terminology and role definitions to improve communication; in times of crisis, communication is usually one of the key elements that determine success.
Origins of ICS
In the western United States every summer, parched land, low humidity, and sparks combine to create massive wildfires. Although this year they are better off than they have been in quite some time, there could still be seasonal fires. When the fires occur, federal, state, and local resources combine to form the force needed to fight them.
Combine the "boots on the ground" with the air assets, and you have hundreds of resources that need to be tracked and managed effectively. This need brought about the Incident Command System. ICS has been used throughout the country for many years on incidents like this, with good success. Once it had proven itself in wildland firefighting, it was brought to fire departments, EMS groups, and law enforcement agencies for them to adapt and adopt. Now you can see ICS in action at large commercial fires, concerts, sporting events, and the routine automobile collision. It is used every day by just about every first response agency across the country.
Management concept - Span of control
Some companies believe in really flat organizational frameworks. This minimizes overhead (management) and the compensation required for those managers. Typically the manager then only has time for problem employees, and good employees (or those who are aligned with corporate goals) are left alone and without feedback. One of the primary goals of ICS is to maintain a manageable span of control, and the framework lets supervisors keep the correct level of oversight. Management courses and real-world experience show that one person can effectively manage only about five to seven simultaneous things and still keep track of them. Beyond that number you start losing track of items, tasks, or people.
Given that you are responding to an incident, you do not get to control how large it becomes. One of the keys to the success of the framework is its ability to expand and contract as necessary. This flexibility allows it to adapt as an incident changes over time. If more resources are needed, the incident organization expands: a new layer of branches or groups is added so that no supervisor exceeds that span. When the resources are no longer needed, the organization contracts again. Following a standard framework also lets other trained people step in as incident commander, so the management of the incident scales as well. In large fire/rescue incidents, Incident Management Teams (IMTs) can be deployed to assist incident commanders and function as deputy incident commanders.
Terms and definitions
Before I get into the structure, I need to define a few terms for you. This will make sense when I get into the structure.
• Incident Action Plan (IAP) - The plan of what objectives you are trying to accomplish during the incident (e.g. mitigate a worm outbreak, relocate a large number of staff to a different location).
• Command - The Incident Commander, the person ultimately responsible for running the incident.
• Operations - This section, headed by a section chief, is responsible for achieving the objectives of the IAP. They are the people who get stuff done.
• Logistics - This is your supply section. They provide anything needed for the incident (e.g. laptop computers, networking equipment, food for staff working late).
• Planning/Intel - This section is responsible for writing the IAP, providing reconnaissance on what is going on, and judging the progress made in mitigating the incident.
• Finance - Typically your accounting department or CFO. They are responsible for interfacing with your insurance company and organizing payment for items obtained by the Logistics section.
• Division - A unit organized by geographic area.
• Branch - A unit that can be organized by geographic location or by specialty (function); branches sit between a section chief and the divisions or groups below them.
ICS has a basic structure that gives each area a focus and a set of mutually understood responsibilities. The commander has four main section chiefs (Operations, Planning, Logistics, Finance) reporting to them, and each chief is responsible for the branches, divisions, or groups under that section. The commander can also appoint command staff (local liaison, Public Information Officer) or choose to perform those functions themselves. As with every piece of ICS, you can break the responsibilities out into a more complex structure or keep them rolled up into fewer people, as the dynamics of the incident demand.
A large structure would look something like this:
How to apply this to Cybersecurity
For those of you in energy, healthcare, or emergency services, this probably looks familiar. The good news is that you already have the framework in place. Specific to a cybersecurity incident, two sections will change:
• Planning - You will need resources with cybersecurity expertise to help construct your Incident Action Plan (IAP).
• Operations - This will be predominantly cyber focused. Depending on the size of your incident, you may be able to leverage your existing Ops chief. The response elements (containment, forensics, recovery, and so on) will perform like the specialized teams on a fire incident.
So a framework that could be used for a cybersecurity incident may look like this:
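To make the expand-and-contract behaviour and the span-of-control rule concrete, here is a small model of the cyber-incident org chart described above (Command with four section chiefs, and cyber response teams under Operations). It is an added example, not code from the article or from NIMS: the team names, the "Branch" naming, and the five-per-branch grouping are assumptions for illustration. `span_violations` flags any supervisor with more than seven direct reports, `expand` inserts a layer of branches until every supervisor is back within span, and `contract` dissolves those branches again once teams have been released.

```python
from dataclasses import dataclass, field
from typing import List

# Span of control the article cites: one supervisor handles 5-7 direct reports.
SPAN_MAX = 7
SPAN_IDEAL = 5


@dataclass
class Node:
    """One box on the ICS org chart: a person or unit and its direct reports."""
    name: str
    reports: List["Node"] = field(default_factory=list)
    intermediate: bool = False  # True for branches inserted by expand()


def span_violations(node: Node, path: str = "") -> List[tuple]:
    """List (path, report_count) for every node supervising more than SPAN_MAX units."""
    here = f"{path}/{node.name}" if path else node.name
    found = [(here, len(node.reports))] if len(node.reports) > SPAN_MAX else []
    for child in node.reports:
        found += span_violations(child, here)
    return found


def expand(node: Node, group_size: int = SPAN_IDEAL, level: int = 1) -> Node:
    """Grow the structure: if `node` supervises too many units, insert a layer of
    branches of `group_size` units each. Repeats until every supervisor is within span."""
    if len(node.reports) <= SPAN_MAX:
        return node
    units = node.reports
    node.reports = [
        Node(f"{node.name} L{level} Branch {k + 1}", units[i:i + group_size], intermediate=True)
        for k, i in enumerate(range(0, len(units), group_size))
    ]
    return expand(node, group_size, level + 1)


def contract(node: Node) -> Node:
    """Shrink the structure, bottom-up: dissolve an inserted branch whenever its units
    can report directly to `node` without exceeding SPAN_MAX."""
    for child in node.reports:
        contract(child)
    merged = True
    while merged:
        merged = False
        for idx, child in enumerate(node.reports):
            if child.intermediate and len(node.reports) - 1 + len(child.reports) <= SPAN_MAX:
                node.reports[idx:idx + 1] = child.reports
                merged = True
                break
    return node


def demobilize(node: Node, names: set) -> Node:
    """Release units whose names are in `names` (teams that have finished their work)."""
    node.reports = [demobilize(c, names) for c in node.reports if c.name not in names]
    return node


def leaf_names(node: Node) -> List[str]:
    """Names of the units with no reports (the teams that get stuff done)."""
    if not node.reports:
        return [node.name]
    return [n for c in node.reports for n in leaf_names(c)]


def cyber_incident_org(teams: List[str]) -> Node:
    """Command plus the four section chiefs; Operations gets the cyber response teams and
    Planning/Intel gets the cyber expertise needed to write the IAP (assumed sub-units)."""
    ops = Node("Operations", [Node(t) for t in teams])
    planning = Node("Planning/Intel", [Node("Threat intel"), Node("IAP author")])
    return Node("Incident Commander", [ops, planning, Node("Logistics"), Node("Finance")])


# Constructed team list (assumed names, not from the article): a worm outbreak that has
# grown beyond what one Operations chief can track.
TEAMS = ["Network isolation", "Endpoint triage", "Malware analysis", "Log analysis",
         "Identity reset", "Backup restore", "Email containment", "Vendor liaison",
         "Threat hunting"]

if __name__ == "__main__":
    org = cyber_incident_org(TEAMS)
    print("before:", span_violations(org))         # Operations supervises 9 units
    expand(org.reports[0])                         # Operations now has 2 branches
    print("after expand:", span_violations(org))   # []
    demobilize(org, {"Email containment", "Vendor liaison", "Backup restore",
                     "Identity reset", "Malware analysis", "Endpoint triage"})
    contract(org.reports[0])                       # 3 teams left, branches dissolved
    print("after contract:", [c.name for c in org.reports[0].reports])
```

The point of the model is the check, not the chart: run `span_violations` on your real incident roster and anyone with more than seven direct reports is where the structure needs a branch, and anyone whose branch has shrunk to one or two teams is where it can contract.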
In order to deploy this, you need to train your people and the organization on the framework if you have never used it. I also suggest tabletop exercises to solidify people's understanding of their roles in a response.
In summary, put the experience of people who respond to incidents every day to work and utilize the Incident Command System. Train your teams on the framework, and if you have an incident, you will be able to place organization around the chaos. Stay safe out there!