
CIR Team: Team Composition

After the coverage of the respective teams has been determined, the organization has to identify each team's makeup.

A team consists of personnel with varying skill sets who come together to achieve a common objective, in this case securing the organization against cyber security threats. Through cooperation, the members' strengths compound one another and their individual weaknesses are offset.

Hence, a team should consist of employees capable of both coordination and unity in pursuit of the goal.

Reference: Chapter 3 What Are the Typical IT Teams Handling Security for IT? 3.3 Team Composition 3.4 Roles and Responsibilities

Moh Heng Goh


The composition of each type of team is summarized in Figure 1; the full explanation for each team is given in the table “Roles & Responsibilities” (Figure 2).

Team Composition

InfoSec: “Red”, “Blue” and “Purple” teams (Miessler, 2017)

IT Sec: IT Security Team: Chairperson/Leader; Representatives from different business units; Analysts; Engineers; Technicians (Tripwire, 2014)

CS: “Netter”, “Defender”, “Healer”, “Leader”, “Fusor”, “Cryptor”, “Scrivener” and “Coder” (Stern, 2013)

All three teams report to the Chief Information Security Officer (CISO) *

Figure 1: Types of Teams and their Composition

* The Chief Information Security Officer (Ogden, 2014), or CISO, is responsible for IT (cyber) security management. This covers the management of network security, information security and the handling of cyber security attacks.

He or she develops the organization’s cyber security program. He or she needs to earn respect and be assertive so that the authority needed for the smooth development of the cyber security program is secured.

Roles and Responsibilities

With the composition of each team established and identified, it is timely that the respective roles and responsibilities (Brenner, 2013) be allocated to each team member.

Overburdening a single member with too many responsibilities is always dangerous, so the roles and responsibilities must be spread out. In summary, an effective cybersecurity program should be managed as a constant, ongoing process, and different members must take up different roles to ensure that the program stays effective.

For the three teams highlighted in Figure 1, the detailed roles and responsibilities are set out in Figure 2.

Roles & Responsibilities

Info Sec

Red Team
  • Bring in external entities to test the effectiveness of the security program.
  • Emulate the techniques and behaviour of attackers.

Blue Team
  • Defend against attacks from the Red Team and from actual cyber criminals.
  • Differ from standard security teams in having a mentality of constant vigilance against attack.

Purple Team
  • Maximize the effectiveness of both the Red and Blue Teams.
  • Integrate the defensive tactics and controls of the Blue Team with the threats and vulnerabilities identified by the Red Team.
  • Deploying a Purple Team is unnecessary if the Red Team performs its duties correctly.
  • Find ways to improve the Blue Team. (Miessler, 2017)

IT Sec

IT Security Team
  • Protect IT systems (software/ hardware/ applications/ network).
  • Keep information assets, customer data, financial information and other critical IT information secure.
  • Manage access controls, allowing users access to information only on the basis of necessity and identity.
  • Create security devices/ software to protect information.
  • Utilize a network system to manage security measures.
  • Inspect system and network processes regularly for security updates.
  • Audit security and safety measures and strategies. (Chandana, 2013)

CS

Netter
  • Makes the organization’s network secure and reliable; an expert in determining normal network behaviour and detecting anomalies.
  • Has a thorough understanding of networks and connected devices.

Defender
  • Is responsible for the mitigation measures.
  • Defends all aspects of the organization from potential cyber security attacks.
  • Holds the highest-privilege user account (configuration control).
  • Understands the impacts on business functions.

Healer
  • Is responsible for the response measures.
  • If the “Defender” cannot mitigate the cyber security attack, attempts to resolve the issue without the organization suffering huge impacts.

Leader
  • Is the person in charge who is accountable for the actions of the team.
  • Provides a clear understanding of the relevant business functions/ processes supported by the IT infrastructure.
  • Coordinates the activities performed by the team to achieve the greatest effect.

Fusor
  • Provides intelligence support by gathering information on cyber security threats to the organization.
  • Uses knowledge of business processes to build intelligence products as specific threat types against the supporting infrastructure are identified.

Cryptor
  • Is responsible for preventing unauthorized access to the technological infrastructure.

Scrivener
  • A patient, persistent and detail-oriented person responsible for documentation so that the organization meets regulatory requirements.

Coder
  • Is responsible for testing the security measures implemented, drawing on expertise in software coding. (Stern, 2013)

Figure 2: Roles and Responsibilities for the Type of Teams

Roles and Responsibilities for the Three Teams

Though Figure 2 shows the differences (Brenner, 2013) between the respective teams, the following roles and responsibilities (Hunt, 2015) are typical of all three:

  • Manage risk;
  • Identify the cyber security threats that affect their business operations;
  • Establish the organization's vulnerabilities that cybercriminals could exploit; and
  • Develop countermeasures to eliminate or reduce either the vulnerabilities or the threat itself.

A Manager’s Guide to BCM for Cybersecurity Incident Response

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.


Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.
