In the process of establishing an incident response team, it is necessary to make the potential customers aware of the services the team has to offer. This is no different than advertising any new service to a community of users and clients, at least in principle. What makes advertising an incident response team different from advertising another business service is that incident response is an emergency service. Most people believe that to make use of an incident response service, a security incident must have taken place. In other words, something must have gone wrong for someone to make the call to the team in the first place. This is a topic that many people seek to avoid unless they are forced to deal with it. The bad news is that by the time they are forced to deal with it, it is often too late to effectively execute an incident response operation.
As such, the incident response team has to embark on a difficult marketing and advertising campaign in order to be effective. It isn’t enough to let the target community know that the team’s services are available, professional, and cost effective. Nor is it necessarily effective to issue an edict saying that everyone in the company must call the response team. The most effective team advertising and awareness campaign is one that is set up to entice the target audience into contacting the team and familiarizing themselves with the team’s service offerings. That is obviously more easily said than done. How can the team entice its customers into working with it prior to an actual emergency situation?
Two effective approaches to fostering team awareness in the target community are launching poster campaigns to raise the community’s awareness and conducting periodic training sessions for the target community. Several years ago, we helped out a large company from New York by doing a couple of seminars for its IT staff. While there, we noticed that the organizer -- who was in charge of a one-man incident response team for an entire company consisting of tens of thousands of users -- had gone to extreme lengths in making the employees aware of security issues, including the response team services. He had gotten approval for a massive, company-wide poster campaign to raise awareness. The posters started with the most simple of security concepts such as “don’t share your password with others,” and continued through topics such as “if you suspect a security breach, call the response team.” The company printed and distributed thousands of different posters throughout the company’s many units. Overall, the campaign was a success in that it made every employee of the company aware of the incident response team and what to do in the event of an emergency.
Another common technique is to hold training seminars. These should start with basic security awareness issues, but that is not typically enough to entice a large audience. Consider also holding more technical or specialized seminars for the target audience. If your team doesn’t have the resources or background to hold seminars of this type, consider hiring someone to teach the seminars.
The important thing is that the target audience is made aware of the response team and its services. Everyone in the team’s constituency should know exactly who to call when problems occur. Furthermore, everyone should feel that the team is there to assist the customers and that a positive experience is likely to happen when they call the team, even if the situation itself isn’t very positive.
Naturally, poster campaigns and training seminars cost money as well as time. Budgeting for them and getting the senior management support are essential but can be difficult. It might be necessary to find other groups within your company that can help fund or staff the effort. For example, several years ago, we were able to integrate annual information security awareness training into our company’s human resources’ training efforts. Consider offering to assist HR in their employee training campaigns by providing them with a trainer and curriculum for security training in exchange for a captive audience (such as new hire orientation each week). Alternatively, consider taking baby steps in the form of a prototype effort to prove the validity of the approach as positive audience feedback. Use what works, discard and redevelop what doesn’t.