November 29, 2023 By Mark Stone 4 min read

Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.

But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in cyber and what security leaders can learn from first responders.

What first responders and cyber IR professionals have in common

Troy Bettencourt, Global Head of X-Force Incident Response at IBM, has responder experience at multiple levels, with a background including military, law enforcement and cybersecurity incident response. According to Bettencourt, there are many parallels between military, law enforcement and cybersecurity incident responders.

“A lot of the things that make military and law enforcement successful — or help contribute to their success — is constant training and drilling,” he said. “When you have an emergency incident, if you’re part of an internal team and something happens, you don’t have to expend a lot of mental energy on the tasks that should be routine.”

To be successful, much like the military and first responders, incident responders in the cyber industry must have clearly defined roles and real-world experience. For example, they shouldn’t have to think about how to do a search in their EDR platform or how to query firewall logs or a SIEM.

“That should be practiced all the time,” Bettencourt said. “If you’re training and drilling that all the time, then you’re not consuming your limited mental energy and creating high stress, and you’re reserving the mental energy for the actual valuable tasks.”

For Bettencourt and the X-Force team, standardization is also key. “We want to make sure we’re approaching our analysis in the same way, so that if you have 50 systems to analyze and you spread that workload, you know that the findings can be trusted, but they’re also complete and that items weren’t missed,” he said.

Challenges for the cyber industry

One of the more tangible challenges for incident response (IR) is an overall commitment to cyber readiness. Unlike first responders, who have developed a high level of preparedness in their protocols, cyber still lags behind.

“There is still quite a ways to go,” said Bettencourt.

He acknowledged that while much of X-Force’s work skews toward large, more mature enterprise clients, some in certain sectors are still less mature. Small to medium-sized businesses and even larger enterprise organizations that don’t have the resources to invest in cybersecurity often lack the readiness for IR processes.

“Hopefully, it’s not viewed as an obstruction. The business has to adopt cybersecurity as part of the business and not as just a regulatory component that has to be complied with. Because the barrier to entry for cyber criminals has greatly diminished. It’s so easy to jump on the Dark Web and start getting tools and buying malicious Software-as-a-Service kits. It doesn’t take much to be a cyber criminal.”

But lurking in the shadows of the tangible challenges lies an intangible obstacle: responder burnout and stress. According to Bettencourt, studies have shown that, whether it’s cybersecurity, law enforcement, military or high-risk jobs, people often go over and above and beyond because of their team.

“They don’t want to let the team and their team members down,” he said.

With that responsibility, many IR professionals are often self-sacrificing and don’t look out for their own well-being. This can lead to significant burnout and stress.

“Now you have diminishing returns. You have talent retention issues, not just for the company, but for the field in general.”

Adopting the right mindset for IR success

To address the readiness challenges and keep pace with first responders, Bettencourt suggests the enterprise focus on three key areas.

Adaptability

While heavy standardization has its advantages, Bettencourt advises that organizations remain flexible. Especially in a field where technology and threat approaches are constantly changing and there is a constant desire to learn.

“Getting set in your ways in this field is a death knell from a career perspective because it’ll rapidly move past you,” he said. “I left the field for about three years, and it was like drinking from a fire hose when I got back — and I had been doing it for about six years before that.”

Encourage smaller teams

Building a small team culture has produced favorable results for the X-Force team.

“It’s an approach that benefits both the individual and the organization,” he said. “I think leaders really need to try to foster that structure, that culture of small teams where you can rely on each other, and by extension, people will go above and beyond because of their teammates. They don’t want to let their team down, which means they don’t want to let the business or clients down.”

Prioritize mental health

While mental health assistance is readily available in the cyber industry, it’s not discussed enough compared to first responders, where accessing such resources has become more normalized over time.

When it comes to trauma in first response jobs compared to IR and cybersecurity, Bettencourt noted that while there may not be as much physical trauma for cyber, the constant stress of working can build up over time and cause strain.

“Being an individual contributor burned me out,” he admitted. “At one point it was four months straight of 60 and 70-hour weeks. All I worked was ransomware and nation-state engagements, and it became too much for me and my family.”

Preventing burnout improves IR

Long hours are, unfortunately, very common in the field. So how can leadership develop the right mindset to reduce burnout?

“If you’re a business that just cares about the bottom line [and not your personnel], keeping responders happy is going to result in better performance and less attrition, which means less talent acquisition costs. In cyber, it still takes time to bring them up to speed. For IR, generally, if you lose somebody, it’s about six months before you get a replacement that can really contribute, which then means you’re burning your other folks out,” Bettencourt said.

“So from a purely business, mercenary perspective, even if your organization is not employee-focused, it makes sense from the standpoint of performance, client satisfaction, delivering quality outcomes — from the standpoint of nurturing talent, maintaining talent, reducing talent acquisition and retention costs. To me, it’s a no-brainer. You have happier people, and when people are happy, they will typically work harder for you.”

By learning some lessons from first responders, organizations can be ready to face whatever the next cyber crisis brings.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today