Incident Response Career Trends Interview with Georgia Killcrece of SEI's CERT Program, Part 2 of 2
Information security incidents are more sophisticated - and so are the criminals who perpetrate them. This raises the bar for professionals seeking careers in incident response in 2011.

"We are like detectives," says Georgia Killcrece of the CERT Program at the Software Engineering Institute. "We're always looking for the clues to help us solve the problem, and now we have to look at those clues in many more places than we've ever had to look before. So, really, having people who have good problem solving skills is a critical component to the staff portfolio of skills."

In the second part of a two-part discussion of incident response trends for 2011, Killcrece discusses:

  • Skills needed today in incident response;
  • How professionals can attain - or refine - those skills.

In part one of this discussion, Killcrece talks about incident response trends in 2011.

Killcrece is currently a Member of the Technical Staff in the Enterprise Threat and Vulnerability Management Team within the CERT Program at the Software Engineering Institute (SEI).

She takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide and has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. Her team is involved in developing products aimed at evaluating CSIRT capabilities that can be transitioned to the global incident response community.

Key Incident Response Skills

TOM FIELD: Well, Georgia, you've talked about the sophistication of the miscreants, as you say, and their tools. To be able to combat them, what are the skills now needed for professionals that are going into incident response, incident management and the other areas we've talked about?

GEORGIA KILLCRECE: I think that the types of skills that we will need to see are those that we even see today. But we will need to see that as systems become more complex, it is important for organizations to train and retain. I mean, technical and management staff who are experienced and who are able to manage an incident response system. We all know skilled staffs are harder to find. We all have known that there are shortages of those qualified people out there. But I think the good news is that there is a large body of work that is now publically available or can be available through vendor training, from books to best practices, to training and verification. These can help organizations to create teams to handle and manage their approaches to incidents. The guidance helps by providing information about what kind of capability your organization might need, what are the staffs that you need, the services that you will provide, where you get the training, etc.

But I think that at the end of the day, the keys are the staff having awareness of the organization's mission and business drivers, and that the response capabilities, if you will, align with those business drivers. And the key components are certainly technical knowledge about those systems and the network architecture, how the hardware and software products are organized and orchestrated, what are the systems that are being used, what are the applications that they are running, and the system and network configuration. How all those components play together, what are the services that are being provided, and what ports and protocols are in use? All of those are crucial for the technical staff to understand.

They've got to have analytical skills to be able to analyze those problems. We are like detectives. We're always looking for the clues to help us solve the problem, and now we have to look at those clues in many more places than we've ever had to look before. So, really having people who have good problem solving skills is a critical component to the staff portfolio of skills. Certainly time management skills, the ability to prioritize and categorize the work. What are you doing? What is the appropriate response? And being part of a team, because incidents aren't going to happen in isolation. Management leadership skills are definitely important. Leveraging the skills and analyzing activity and being able to break apart and delegate parts to others will be highly desirable skills. Especially when you are dealing with high priority incidents that can happen, and resources are strained. You've got to be able to have multiple parallel sets of activities going along and then be able to pull that all together again to see what the big picture is.

Just certainly from my own experience, we know we have to be flexible and adaptable and agile, because this is a changing environment and we have to be able to quickly be able to modify our approaches in a way that we respond to things to fit the needs of the particular events that are happening.

Those are just some of the more concrete skills, but certainly we see that there are soft skills that are equally as important. In some sense, we said that you can teach some of the technical skills, but some of those softer skills are almost inherent in people's abilities and their consciousness, if you will. So, we're looking for people who have high integrity and they are loyal. They have the right communication skills. They're good listeners as well as presenters, and they know how to speak the right message to the right audience. So they have to be self-starters, be dependable and be willing to learn. So, those are all the types of skills we will continue to see as we are looking for people that are out there. Being ethical, being honest, and by the way all those things that I have just mentioned are the same kind of skills that I think the employees want to see in their employers as well.

Training Opportunities

FIELD: Now I'm going to ask you a question. I know you're going to have a biased answer here. But for people that want to develop these skills, whether they are starting a career or restarting a career even, where are the best places to go for skill development?

KILLCRECE: Well, I think there again, the news is good. We see more training. I mean, 20 years ago it was very hard to find even a page full of references that would talk about incident response and computer security incidents, but that is no longer true today. Educational institutions are adding curriculum to great programs that focus on cyber issues. We see more of those degree training programs being created. The public and the private sector are looking for ways to get some younger [staff], actually reaching back and into the high schools and even earlier to look for developing paths that will interest students in these careers. I am quite happy to see the government taking some of the initiative in developing programs like scholarships for service to get young students into the programs where they provide service to government after they graduate. I was just happening to look in and do some research and was actually surprised to see that there were 123 different US universities that have been designated as those national centers of excellence. I had thought the number was much lower, so I was quite happy to see that large of a number.

We also think that there is a need for more involvement in the curriculum that looks at developing that professional cyber workforce. We are still in the early years. We're not as concrete and disciplined, for example, in software engineers or the medical practice. But we do see the trend moving in that direction, where there will be more and more emphasis placed on developing cyber and information assurance as a disciplined area. So we'll begin to see more certifications and more licensures coming down the pipe. In more ways to take what you've learned from that theoretical point of view and actually have it applied in a practical way for evaluating your competence being in doing the work. They're not just learning, but doing it and doing it well. We see a lot more in the way of professional training and development programs that are out there, courses where you can go to vendor-specific training, incident handling training, malware analysis, etc. But you know again, I think the key point is that learning is not static. It is just the start. Technology is changing. Attacks and threats are evolving, and changes are occurring within organizations to change how they will respond and who they need to respond to. So staffs have to be able to continue to learn. They have to continually be able to develop in a professional way to change with the changing time.

So it's more than just learn at once. It's an ongoing awareness and training, opportunities for being exposed in conferences or other training horses for that professional development. So organizations need to think and plan for that as part of their proactive planning to make sure they have good response staff on hand. And that they can you know keep them trained, and more importantly keep them retained in their organizations.

Industry LeadershipFIELD: Now you've got the benefit of being able to see multiple organizations across multiple industries. Do you see leaders -- whether a particular industry or organization that really stand out when it comes to incident response?

KILLCRECE: Well, I honestly can't say that I can answer that fully, but what I can do is better characterize what the leaders would be. And we see leaders in the environment as those organizations who have looked at the whole area of incident management, and have defined the mission and the vision of the team, as well as the goals and objectives of the team as it serves the business drivers of that organization. But I think that is a key component -- really aligning the team's activities with the business that the organization has. Those leaders will have very clearly articulated what the team provides and to whom, and they have well designed processes in place to protect their systems, which is to detect anomalous or abnormal behavior when it occurs. More importantly to know, what is the appropriate response in the face of those attacks and threats, and the new what-to-do's so they can get back to business.

We also see that those types of leaders, those organizations will have good means for communicating back to their constituency, whether it is through awareness and training. They find ways to ensure that our employees, their business partners, their customers, etc., all understand what the threats are and what each of these individuals, more importantly, can do. I think finally, the leaders in this kind of incident response activity or incident management activity, they really value their staff and they again ensure that they continue to learn and grow as the organization grows and changes. So that keeping in the lines of communication open, finding ways to ensure that you know that their staff gets what they need in order to provide the service that the organization needs to help protect it and keep its business on track.

Preparing for 2011

FIELD: Georgia, final question for you. We've covered a lot of ground here, but if you could boil it down, what advice would you give to an organization looking to build an effective or more effective incident management team as we go into 2011?

KILLCRECE: Well, again, I will point to the wealth of information that is out there. If it is a new team just starting out, I think a good place to start is at the CERT website of course. So, More specifically, looking on CSIRT development page, which contains many publications, guidance documents, as well as pointers to other references that can help organizations understand what is going on in this environment. But we're not he only one. I think there are other sites that provide just as informative materials. USCERT has a website at They provide information primarily to the federal civilian agencies, but there is also technical and non-technical information available to the average users. NIST, the National Institute of Standards and Technology. has a wealth of information and applications and talk about creating response teams to building secure systems to running different types of protocol. So that is a good resource. In the European community, ENISA, which is the European Network and Information Security Agency also provides a clearinghouse of different information on incident handling practices. SANS is a commercial organization, also providing lots of publicly available information on cybersecurity issues, training and certification as well. Then you can go to the vendors. Lots of the popular vendors make a lot of security information available about teams and putting together response plans. And there are a variety of books that are not out there on incident response, incident handling and incident management, and that's also very nice trend that we've seen over the last several years is that there are more and more products that are available that can help people in these different areas.

Around the Network