Everyday cybersecurity heroes and true heroic first responders have more in common than one would think. Today’s panel discussion contrasted the cultural factors that drive successful teams and outcomes for these two seemingly different but distinctively similar organizations.
Key Points: Understand the Connection between First Responders and Cybersecurity
- Start with Culture
- Build a First Responder Mentality
- Manage Stress and Mental Health
- Skills and People
- Training and Practice
- Overcoming Obstacles
#1: Start with Culture
Ever since Peter Drucker started talking about culture as a key element to corporate success (remember “Culture eats strategy for breakfast”?), “getting culture right” has been on the leadership agenda. Some would say that much of the culture of the cybersecurity professional community is a hand-me-down from the military and law enforcement that shaped early careers: a top-down, formulaic leadership style. Recently, cyber professionals have grappled with how to create a culture of information security amongst staff that influences behavior not only in the office, but everywhere else too.
Understanding the sub-cultures within any organization is key to bridging the gap between security and breach prevention. As we have talked about before, security culture runs deep. Making improvements will require analysis and targeted training based on a cohort of the traits and characteristics of each “tribe” within the organization.
#2: Build a First Responder Mentality
Who better to learn from than First Responders? As discussed in the panel, they principally understand how training and practice work. This is what makes response and readiness possible. The key components included:
- Mission - a sense of purpose and service, to protect life, property, and the environment
- Fight like you train - drills, practice and training are all conducted in real life scenarios
- Discipline - clearly defined roles, strong leadership and high standards of ethics
- Integrity and professionalism - respect for the broad impact on citizens’ lives
#3: Manage Stress and Mental Health
Incident responders are the frontline defenders standing between cyber adversaries causing disruption and the integrity and continuity of critical services. They fight on multiple battlefronts daily. This has a tremendous impact on their daily lives, as pointed out in IBM Security's Incident Responder study:
- Sense of duty to protect others cited amongst the top reasons 77% of respondents entered Incident Response (IR)
- Ransomware has exacerbated the psychological demands of IR for 81% of respondents
- Majority of respondents have sought out mental health assistance due to their experiences responding to cyberattacks
A sense of duty/responsibility is both what draws people to incident response work and also what creates one of their greatest stressors; meaning what draws people to our field is often what drives them out. We leaders need to do a better job of managing that stressor.
#4: Skills and People
Each year, there are more cyber incidents and network attacks. Leaders must make the practice of cyber sustainable for the people in their organizations.
- Burnout and voluntary attrition are happening. Gartner very recently predicted that nearly 50% of cyber leaders will change jobs by 2025, and 25% of cybersecurity leaders will pursue different roles entirely due to workplace stress.
- Attrition happens not just because of the threat, but is also a natural outcome of poor organizational culture.
- A team sport. Staff need to ‘know they are not alone’, and develop strong inter-team peer support networks to rely on when they feel stressed.
- With high attrition and a constant need to maintain skills, leaders need to plan time to “ready” their teams in a manner similar to those discussed by first responders: do you hire for technical ability or culture?
The panel discussed how to fulfill this critical mission and not burn out, and how to help teams avoid feeling the pressure of being continually under threat. They discussed how to hire for these skills, bring in ‘new recruits’, and compensate and motivate them. Again, it correlates with culture and an understanding of people and skills in an organization.
#5: Training and Practice
As Lt. Pound discussed, fundamental task training, not unlike that in a firehouse, is key to team preparedness. Drills like stretching hose line, large force exercises, and other team exercises, as well as individualized tasks that need to be orchestrated together, must be rehearsed in as real-to-life a situation as possible to achieve the needed level of readiness.
First responders act as a pair with partners or in team exercises to develop coordination and trust. Technology is great, but people and processes “win the day”: constant training builds “muscle memory” so that in rapidly evolving situations, staff do not need to expend mental energy on repeatable tasks or actions and can reserve it for the unique aspects of that emergency.
Standardization plays an important role here. As Lt. Rodriguez explained, NYPD officers’ duty belts have the same items in the same locations, so that in an emergency or in the dark, they can quickly find necessary tools (e.g., trauma kits, ammo). In the same way, for cyber incident response, coordinated speed of action, global support, and evidence are not overlooked due to different approaches, which creates the efficiencies needed for fast response. A solid incident response plan relies on standards.
#6: Overcoming Obstacles
As discussed above, culture ties it all together. Leadership, teams, practice, purpose, vision, rewards, performance, hiring/firing, and generally “the way we do things” all feed into a cyber team's ability to respond under pressure. Every team needs a “storyteller” to embed security culture into an organization.
As IBM X-Force’s Troy Bettencourt summarized, “Regardless of your industry or market vertical, you are most probably a technology (i.e., w/o technology, your organization cannot function). We need to change the narrative with our non-security business leaders. Cybersecurity is not only an IT sub-function or cost center, it should be part of the operational resiliency posture of your organization and deeply embedded into organizational risk management planning and funding.”
The importance of collaboration in creating a cyber critical service working group cannot be overstated. Responding and training in real-time, with interdependencies and a common goal of helping to secure the ecosystem, can help in creating a belief system that sustains the team under stress long-term.
In conclusion, creating, building, and sustaining great culture is essential in the cybersecurity field, where the stakes are high, and the threat is continuous. Cybersecurity is a team sport, and peer support plays a crucial role in managing long-term stress and mental health. Fundamental task training and skills, large force exercise, and simulation can help overcome obstacles, and a leadership vision and storyteller can embed security culture into the organization.
Creating a belief system that sustains the team under stress long-term is essential in achieving the common goal of securing the ecosystem. Whether it’s natural disasters for first responders or an attack due to malicious social engineering for a private business, security measures matter. Cybermaniacs was honored to partner with these panelists for RSAC2023.