"We have to understand, at the most basic level, what our organizations care about. At very simplest, almost all want to make money and avoid losing money. In rare and specific cases, they might care about life and death. So, we must quantify things in these terms when we present it to a company, whether it is the number of dollars our tool could earn, the hours of work that will be lost if preventative actions aren't taken, or the number of lives that will be saved if our military operation succeeds," Carhart explains.
Build Good Relationships
One harsh reality is that security doesn't win every battle in business.
However, while most security departments exist within a vacuum to a degree, the incident response program can't. Incident responders and handlers need to coordinate their efforts, from IT to legal, and to engineering and marketing. Moreover, incident response programs need support from these areas.
"Even when the people we are relying on are not technically skilled or resist remediation steps, it is crucial that we remain calm and courteous," Carhart says.
"While the first thought under stress can often be to lash out at nonresponsive teams, it is very likely in most incident response roles that we will interface with the same people repeatedly. We should never burn bridges. On numerous occasions, I've had to go back to obscure IT staff who were involved in a previous incident for assistance on another case. They're much more likely to do favors for me if I have been polite and helpful in the past."
Another tip is to make good connections within your local security community, as well as the online community. This opens up several avenues of support including correlation of malware samples, potential training opportunities, and information on new vulnerabilities or exploits.
While keeping your cool and remaining polite, remember that verbal and written communication is not only a required skill within incident response, it's also a major weakness.
"Computer security is a specialized and demanding field which often attracts people who aren't particularly interested in language studies. Unfortunately, upon the move to incident response, not only must we deal with many different teams, but we must also deal with all levels of technical expertise. In fact, many of the teams I often rely on are non-technical: lawyers, public relations, and even human resources," Carhart says.
You don't have to be an English major, but you do need to have the ability to express yourself in a way that non-technical people can fully understand. People will judge you based on the way you communicate.
"This means an attempt at proper spelling, grammar, and punctuation in written communication and in the countless reports which are required of an incident responder. The bottom line is that people will go back to the people they can understand for help, with praise, and with opportunities for advancement."