One topic I've discussed with several cybersecurity startups over the past week is why they should create a Computer Security Incident Response Team (CSIRT), Computer Emergency Response Team (CERT), or threat research team, and how to fund, build, and run that team.
TL;DR: I'm a huge champion of building a CSIRT or research team because of the benefits it brings your company.
Why do you want to build a team?
What we do as security vendors is relatively abstract and hard to understand. As a result, we end up falling back on cliches or tropes to explain what we do. In its raw form, that ends up being pictures of shadowy figures in hoodies. But real research on vulnerabilities and attackers makes that abstract concept of what your company does concrete and easier to understand.
Security managers live in a world that is very much controlled by vulnerabilities and attackers. One of the ways that you help them do their jobs better is to release information about things that your company knows that might be the missing key to what they’re trying to do. If you make people smarter and help them out, they’re more likely to buy from you. And many of us consider research from our vendors to be a good way to get additional value out of the services that we have already bought.
Research teams help product management. They do this by turning attacker and vulnerability information into use cases for your product and services. They’re especially good at identifying places where you have a gap in coverage that can be used by attackers.
As a CSIRT Director, I noticed an interesting phenomenon: if I was on a customer call, not only would more people show up, but the conversation would be a lot more engaging than what the account team normally gets when they show up, put up product slides, and ask for an order. I was always careful not to do a direct pitch, and I hated working off marketing slides. But in explaining how a particular attack or scam works, plus how you detect and prevent it, you've explained at least one feature of your service or product. It's an indirect pitch of sorts, but it doesn't feel like a pitch. Maybe you just cover one aspect of what your company does. Maybe it's your product scoped to just one use case. But it does indirectly cover the product.
How do you fund and build a team?
This is the interesting thing for startups. Usually you don't have enough income to hire anybody who is not revenue-generating. That's where you have to get creative, and there are several approaches.
Some companies fund part or all of their threat research team out of their marketing budget. This does work in some cases where you give the research team a secondary mission of supporting webinars and other marketing events. However, you should try to keep them outside of the marketing organization, because the team should be run with different priorities than marketing.
Other companies fund their research team by giving them an operational mission in addition to a research mission. For example, they could be a Tier 3 organization that manages the very difficult security incidents and helps to train the other security operations folks on how to identify and respond to attacks. Or they could be supporting product development or pre-sales engineers.
For some companies, research is an opportunity to partner with other companies that have complementary solutions. That way, each of you sponsors part of the research and you co-brand the output.
And lastly, some companies build a services package around their research team. This could be a services package that includes some of the following components:
- Recurring meetings with the research team to get their insight on incidents and changes in the attackers and vulnerabilities.
- Security data feeds to get access to the raw data that the research team uses to do their job.
- Exclusive access to non-public reports.
- Bespoke research commissioned by customers.
How do you run a team?
The team’s number one priority is to increase value to customers. They should be as available to existing customers as possible.
Get your team connected to the trust communities. Most incident responders know each other through these communities. Your team will learn new techniques. They will interact directly with your customers. They will find collaborators on larger efforts. They will get access to resources that they didn’t have before.
Not only should it be part of their mission, but CSIRTs get a huge amount of value out of working incidents. Because the CSIRT is a top-tier response organization, it will work the incidents that are longest in duration, highest in impact, and most complex. That is, they handle the weird incidents that are more interesting to break down into why and how they happened.
My rule of thumb running a team is that if we had to explain an attack or vulnerability more than 4 times, it was worth the time to write it down and publish it: there is clearly enough interest to tell it to more people, and writing things down is how you scale the team's knowledge out across the company and your customers.
Give the team a mandate to publish. This means with the right level of detail for each audience: internally, publicly, customer-facing, and inside of trust communities. In the case of internal and public publishing, you might want to use your existing product and field marketing to amplify the message.
Give researchers editing help to finish publications, and provide the structure to minimize the legal, marketing, and other reviews so that you can publish faster. It's almost comical how many times I've seen it happen, but researchers have a tendency to research topics into exhaustion at the expense of actually telling people the information that they know. They're always looking for one more bit of information to collect.
Get your team into training and engaged with others. They should have a budget for training and conferences. This doesn't mean carte-blanche access to any training; you still have to justify it against the team's role in the company and the balance of skills on the team. If the cost is too high, look at ways of having them deliver internal training on deep technical subjects so that the knowledge is shared across multiple employees instead of just a handful.
Remember that you have internal customers too. Publish internally and have internal training sessions to make the rest of the company smarter. Build presentations for executives, marketing, PR/AR, and sales to use and train them on the key talking points.
Don't burn your sources: not your indicators, not the methods by which you collect intelligence, and not the customers whose incidents you managed. Sometimes you'll make mistakes, but try to minimize them.
Understand where you do not have enough insight to add value to research that has already been published. It's perfectly OK to not comment on something because you don't have enough information or because your information is speculative.
Summary
Building a CSIRT or threat research team can be a great way to grow your company’s products and capabilities, provide additional value to customers, reach new customers, and make the world a better place. This is why not only do I advise the cybersecurity startups that I meet to build a team but I also offer this as a service to help if they need to jumpstart their efforts. Contact me to learn more about how I can help you.
Published on March 22, 2021.
Last updated 3 months ago.