First off: there must be a pre-existing reason to create a defensive capability. How does one prove or gain acceptance of that reason? There’s no formula for ‘selling’ a defensive posture; this post will not outline how to create a sustained defensive posture. The below summarizes how I instead think about growing an operational incident response team and it’s capabilities within a company.
This construct applies the theory of leadership. Leadership is, in my words, the act of doing the right thing with the long view in mind. It is not the easy thing to do with the short term in mind. This dichotomy is not exact but it focused on the characteristics we need.
I call this construct the Incident Response/Leadership Cycle. This is straight forward. It begins with the willful intent to detect a security incident. That willful intent will stir up a multitude of actions such as response and recovery. It is necessary that leadership acknowledges and appreciates how the detection is made. This is the second phase - generating increased leadership visibility. If such appreciation is merely a pat on the back then this step hasn’t fully been realized. Such leadership must desire not solely prevention of future incidents but a desire to migitate and prepare for the next instance. This leads to the final step of the cycle: increased detection capabilities. Raising this detection capability will provide the next incident to respond to; hopefully earlier in the attack than the previous incident. This detection capability implicitly improves the response capabilities of the team through new experiences and resources.
This cycle is how I’ve come to articulate the pragmatic growth of a team of IT or risk professionals into an operational and defensive focused team. It relies on both the professional and leadership’s desire to have an ear to the ground and prepared to respond.