May 24, 2024

Three Lessons From The Cybersecurity Front Lines

Wendi Whitmore is the Senior Vice President of Unit 42 at Palo Alto Networks.

This year’s RSA Conference theme was “stronger together”—and this could not be more important today. With the tough challenges in cybersecurity, our best defense is a united front.

At the conference, I was a member of a panel moderated by Lily Hay Newman, senior writer at Wired, that discussed some incidents in the past 12 months and what organizations need to do in order to stay protected in the future. Discussing these trends inspired me to take a broader look at some of the toughest incidents I have faced and what we can learn from them. Here are three lessons from the front lines of cybersecurity:

Keep calm and stay skeptical.

Skepticism, curiosity and calmness—those three words should be at the forefront of an incident responder’s mind when they’re about to dive into a job. The role of a responder is to provide an informed point of view on a situation, while maintaining composure. We often work with businesses on their most stressful days, and remaining calm amid the chaos is critical.

Growing up, I was a pitcher on my softball team. When I first started out, I would get visibly upset if I felt the umpire’s strike zone wasn’t fair. My father taught me a valuable lesson: Never let the other team see you sweat. I could be frustrated, but shouldn’t give the other team the upper hand by showing my emotions.

Similarly, in incident response, we work in tense environments where clients are experiencing a crisis and are under immense stress. It’s important to maintain a strong, calming presence and reinforce that we’re going to get through it.

Typically, before calling in an incident response team, an organization will be working around the clock to determine what’s going on. By the time outside incident responders are brought in, tensions are often high.

My co-panelist during the session mentioned above, Katie Nickels, certified instructor at the SANS Institute and director of intelligence at Red Canary, put it nicely: “Panic is not a necessary part of the incident response cycle. There’s a difference between panicking and having a sense of urgency.” Or, as another co-panelist, Lesley Carhart, principal industrial incident responder at Dragos Inc., explained: “Sometimes, you have to be the skeptic. You have to be the one doing the reality check for people who are panicking.”

Rotate for rest.

Does your incident response plan include when your team rotates out to get rest? Are you also evaluating what skills are needed on-site during an engagement?

Being strategic in rotations can go a long way in a high-stress situation. In my own role, for example, I consider how many days an engagement manager could stay on-site before burnout starts to set in. Building in that time to decompress is imperative so teams can be at their best. It’s also important to factor in monitoring for warning signs that someone is struggling or losing steam, such as making mistakes, being jittery from too much caffeine and not enough rest, and even having difficulty articulating findings.

If you do not have plans for rest, Carhart gave some homework at the panel: “I see them missing all the time in people’s incident response plans. Incidents are high stress. Sometimes they go on for weeks, especially if you are doing internal incident response for your organization. You need to have a plan for how you hand those off.”

Given the stressful nature of an incident, team members will need relief, and it will benefit the team in the long run to build rest into the plan. You will benefit if those involved are sharp and ready to tackle the critical issues of the incident. While there are long and tiring days, teams are rejuvenated when the mission impact of our jobs is kept in mind. We find our motivation in the imperative of the job—and not everyone has the luxury to say that. We wake up excited about national security and protecting against cyber criminals.

Information sharing is the key to the future.

The cybersecurity community needs to improve how we share information with one another. Helping organizations know what we’re seeing could prevent another attack or help find a similar compromise hiding under the radar. Share with your industry partners, competitors, public-private partners and more. It can truly benefit the industry when it’s done right.

Nickels made a great point during the session: “I think that sometimes organizations don’t want to accept any risks, but I think what we’ve found is—even if it’s privately in trusted sharing communities—that sometimes giving other folks a heads up on what’s happening—not the victim details, not the environment, not what user clicked the phishing email, but information about the threat actor—that’s what others care about. I would encourage this community to kind of lean forward a little bit. What can you share, even if it’s private?”

For incident responders, setting a cadence early on for the frequency of updates is also paramount. When done right, it’ll set expectations with stakeholders and also squash the asks for updates.

Organizations also have the burden of considering public opinion and sentiment when disclosing information. Leadership should be careful with what is shared publicly—and consult their legal teams before making any statements—but there can be a tremendous payoff.

Of course, it’s a delicate balance to determine how much to share, especially in the first few critical days. Organizations and incident responders should think through their strategy and what makes the most sense before an incident, making it easier to take into consideration the unique situation and how sharing could benefit the broader community when an incident does occur.


While mounting incident response challenges can often feel overwhelming, industry leaders are having important discussions on how we can charge forward and overcome the toughest issues. By thinking about how to help our teams succeed and sharing information within the community, the industry will stay strong today, tomorrow and beyond.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
