Posted by Martin Zinaich on October 8, 2016.
From time to time, I like to compare and contrast the nascent Information Security profession with more traditional and established occupations. For example, a lunch I once had with a police officer friend gave me some food for thought.
I had such an occasion the other day in a breakout session on the topic of Incident Response. The presenter did a great job covering the subject matter and asked an obvious question. He said, “We all know we need to practice incident response more, so why do so many of us rarely do it?” His voice was full of reproach. Fifty thoughts quickly flowed through my stream of consciousness. So as not to pass out, and to stay focused on the presentation, I quickly jotted down “Fire Department” and returned to the presentation.
A Fire Department is a quintessential incident response profession. The history of organized firefighting began in ancient Rome while under the rule of Augustus. In the early US, private fire brigades competed against one another to be the first to respond to a fire because insurance companies paid brigades to save buildings. On January 27, 1678 the first fire engine company went into service and in 1736 Benjamin Franklin established the Union Fire Company in Philadelphia.
A Firefighter is focused solely on incident response. Incident response for this profession is not one additional duty; it is the only duty. When a Firefighter is not responding to an incident, he/she is maintaining the equipment, at the grocery store, or training. Training to respond to an incident is the only way to get proficient. I concede a not-so-subtle difference between a Firefighter and an Information Security professional: the latter is not putting their life on the line when responding to an incident, only their career.
On the other hand, let us look at what any good security office should be covering in their scope of duties. ISO 27002 will do nicely for this purpose:
Of the fourteen areas ISO 27002 defines as coverage for an Information Security Office, only one deals with incident response. Interesting, is it not? Of course, the modern Firefighter does not only deal with fires but also with emergency medical calls. In fact, that is their top business. Yet there is an interesting contrast in that type of incident response too. When responding to a medical call, the main job is to stabilize and get the patient to a hospital, where a trauma unit takes over. The Information Security professional has the patient from start to finish (whenever that is), and they have to keep running the hospital while working on the patient.
Moral of the compare and contrast? If you do not have enough bandwidth to practice incident response often, you had better get a firm on retainer. The other nugget of wisdom? Information Security people are asked to be experts in many different areas and are rarely given the time or resources to become such. We also have to buy our own groceries, and on our own time!