What I Have Learned - Part 3 Self Imposed

I used to be one of those people who got 3-4 hours of sleep a night and worked around the clock. Part of this was necessary early in my career to bootstrap myself up to meet those who had extensive educations and lots of experience, but part of it was some misunderstanding about self value and self care.

Then I read a book by Richard Marcinko, the founder of SEAL Team 6, where he said "Sleep is a Weapon," and it hit in just the right way to get me to start evaluating things from a more strategic perspective.

Later I was consulting for a really fun tech / art company where some of this introspection helped me solve a destructive problem.

They had a major cyber intrusion and went into emergency incident response mode. Now what I most enjoy and am best at is network forensics, attack reverse engineering, and attribution. That's probably all I would spend my time doing if it made sense to do so. However, I am unfortunately good at a few things I don't enjoy doing very much:

  1. Public speaking.
  2. Report writing.
  3. Diagnosing and finding the balance in interpersonal / structural problems. (as long as they aren't my own ;P)

And one additional area which I do enjoy but which requires the previous 3: advising decision makers.

So rather than bring me in to perform the incident response, this company brought me in to observe the internal team's performance, as well as that of the 3rd parties they brought in to assist, and give them advice on how they could improve, which vendors were best, and how to make the internal team most effective.

The first thing I observed was that the 3rd-party incident response teams (very big and well-known names) they brought in focused on the following:

  • Growing the onsite team well beyond necessary. (More bodies = more billable hours)
  • Upselling their other services to my client.
  • Collecting data that would be valuable in a public APT report but less valuable to my client.

This was to be expected and was easily solved by some tweaks to SOW parameters.

The second thing I observed was the internal team hovering dangerously close to burnout and mass attrition. They were all working around the clock, 20+ hours a day, trying to solve the incident, huddled up in a war room eating pizza and feeling exhausted / isolated from their families. There were around 10 people on the team, which was decently staffed for the size of the organization, and all of them were top-notch technical cyber rock stars. So I did what I do and started asking them, as well as executive management, questions.

"Why are you approaching this by working so many hours?"

They responded:

"This is a very serious incident and management expects us to do whatever it takes to protect the company!" and some variation of not wanting to let the team down.

A very passionate and well meaning response indeed.

I then asked the executive team:

"What are your expectations for the security team and how they should tackle this incident?"

To which they responded:

"Oh, they are the experts, we expect them to tell us how they need to do it and let us know if they need any resources or help getting through any obstacles that come up."

Similar to yesterday's post, this showed a lack of communication and alignment between the two teams; however, in this case a lot of the pain the team was experiencing was self imposed. Understanding that the executive team was happy to give full agency over the approach to the team, I came up with a plan and presented it to them. First I had a meeting and explained the situation. Next I said:

"There are 10 of you. What if you broke up into 3 teams of 3, and one person whose job it is to collect information from the 3 teams and liaise with the executives and the 3rd-party contractors (an incident commander)?

The 3 teams will work in shifts, in a normal 8 hour work day, documenting and handing everything off to the liaison and next shift.

Treat this incident as a normal work situation rather than a hair on fire emergency and spread the load across the teams so everyone gets adequate rest and has a clear head."

This was a very simple solution and one I believe a lot of organizations have in place today as a part of an Incident Response SOP, but back then it seemed revolutionary.

The takeaway is, if you are feeling significant pain at work, before making any decisions, evaluate whether this pain is self inflicted and based on assumptions, or whether it's coming from above. Once that is understood, the path to alleviating the pain becomes much clearer.

Second takeaway: learn about your needs during an emergency so you can structure your SOWs with vendors for maximum value.

Thanks for listening!