Chapter 13. Take a Beat: Thinking like a Firefighter for Better Incident Response

Catherine J. Ullman

The security world is full of dumpster fires these days. Unfortunately, incident response doesn’t come naturally to an operational mindset where the focus tends to be on reactive problem solving. As a volunteer firefighter for over twenty years, and an incident responder for more than half of that time, I’ve learned a lot about what is and isn’t effective in each. There are surprising parallels between fighting real-life fires and the firefighting that passes for today’s incident response. Let’s consider two: the need for patience and the importance of avoiding tunnel vision.

First, let’s discuss the need for patience. Striking a balance between swift response and patient reflection is often the difference between life and death, in a very literal sense for the firefighter and a figurative sense for the security professional. There’s a strong temptation to want to jump right in when someone yells, “Fire!” What I’ve learned, however, is that patience really can be the key to a successful incident response, just as in the fire service. As much as firefighters weigh the risks involved in their plan of attack, incident responders need to do the same.

Taking a beat—one moment to think through your approach—can be the difference between success and failure. During that pause, take the time to observe whether there are any life safety risks, which could be anything from asbestos or flooding in a server room to a tangle of electrical wires. Also, consider that it is possible that what you’re walking into isn’t actually a true incident, despite the urgency of the request that brought you there. Ask yourself what the real risks are of the situation in question and assess the potential implications of the actions you are considering. Patience will also improve your capacity for attention to detail, both in your own observations and in what you are being told.

Next, let us discuss the ramifications of tunnel vision. Getting caught focusing on the wrong areas can cost precious time. Firefighters are taught to initially pull their trucks up just past a structure fire in order to view at least three sides of the building so they understand the challenge they face. As soon as possible, an officer is responsible for doing a 360 of the property in order to understand the full scope of the incident. Using this methodology, they can avoid situations like focusing on flames blowing out the front door only to later discover victims in hidden basement apartments that are only visible from the rear of the structure.

Incident responders should follow a similar thought process. Do not necessarily assume that everything you are being told about the incident is accurate or even relevant. Thoroughly document all the information you are given and then verify what you’ve been told against your own observations. For example, you might be told that you are being called in to deal with a case of ransomware. Instead, could it be the case that it is just a single phishing message? Depending on the credentials involved, a single phishing message could be far less damaging than ransomware and require far fewer resources to investigate.

Even though threats surround security professionals like a burning ring of fire, thinking like an actual firefighter can help make your investigations more effective and efficient. Be sure to take a step back and take a 360 of the situation. Take that beat and think before jumping into an incident. Patience and contemplation of the bigger picture will help you avoid getting singed and ultimately make you a better incident responder.
