Building Better CSIRTs Using Behavioral Psychology

Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes).

Have you ever worked on a security team where the decisions, communication, and overall team culture are dominated by one or two "rock stars"? Are constant disagreements and passive-aggression among team members hurting your ability to respond effectively? Does your high-functioning team work well together but not with other teams? This presentation will address these challenges and more based on one of the most comprehensive studies of incident response teams ever conducted, including 80+ focus groups and interviews (over 200 participants) across 17 international organizations. We will show that a lack of attention to social maturity is the main cause of these challenges and provide a framework to address them.

Cybersecurity Incident Response Teams (CSIRTs) rely on technical and social skills to be successful, though we often focus on technical skills at the expense of communications, collaboration, and teamwork development. The solution, however, is not more technology to compensate for the lack of teamwork or adding more personnel to cover the gaps. Rather, it is a deliberate focus on the social abilities necessary to be more collectively effective: trust, responsible decision-making, adaptation, collaborative problem-solving, and effective communication.

The right training, incentives, and feedback can enhance these skills and improve CSIRT social maturity. This lowers the barrier to entry for less experienced staff and reduces turnover in an extremely hot job market. Drawing from decades of operational experience and five years of in-depth field research by a team of experts in workplace psychology, this talk will provide a framework for applying principles of behavioral psychology to improve the social maturity of your CSIRT. We will describe tools proven by scientific research to instill and enhance the skills defenders need to work together more effectively and achieve the results we want: a consistent, reliable, and timely defense.


Presenters:

  • Mark Orlando - CEO, Bionic
    Mark Orlando started his security career in 2001 as a Security Analyst, and since then has built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, global Managed Security Service Providers, and numerous private sector clients. He is constantly working on new projects to improve defensive security through automation, better collaboration, and other capabilities that allow analysts to be more agile and creative. Today he is the CEO of Bionic, a company he co-founded to bring advanced "1%" secops capabilities to the 99%, and is an instructor at the SANS Institute specializing in blue team operations and security management.
  • Daniel Shore - Chief Research Officer, LETS--Leadership & Effective Teamwork Strategies
    Daniel Shore (@LETS_thinkHuman) has a PhD in Workplace Psychology from George Mason University. He works as a consultant, researcher, and entrepreneur leading teamwork development initiatives for a wide range of organizations. His expertise in cybersecurity teamwork was born out of his involvement in a 5-year, DHS-funded research project designed to identify social-behavioral drivers of CSIRT and SOC effectiveness. That study included 80+ interviews and focus groups across nearly 20 organizations around the world. Daniel is the only member of the original research team continuing to bring the insights from this work directly to cybersecurity teams, which he does through LETS (Leadership & Effective Teamwork Strategies), the company he co-founded to enhance agility and connectivity within and between teams that work in volatile, uncertain, ambiguous, complex environments.
