When a malicious actor attacks an enterprise, IT and security must work together in order to respond — quickly and effectively.
But how does that work? As with anything, "it depends," said Ed Amoroso, CEO and founder of TAG Cyber, a cybersecurity and research advisory firm, and an NYU professor. It depends on the organizations, how the IT and security departments work together and how much planning has been done in advance.
"Cybersecurity is one of the most difficult aspects of running a business," he said. While he said no amount of advance planning can prevent every cybersecurity incident, planning can help mitigate the results.
Instead of trying to figure out what role IT plays while a cybersecurity incident is happening, running through potential scenarios or even a made up attack in advance can ensure that security and IT are working in tune in case the worst happens.
Who does what during a cybersecurity attack is determined by each organization, and the weight of the roles IT and security play, said Amoroso.
At smaller companies, IT and security teams might be close enough to share the same budget. In those situations, a smaller team can work together as one department because that's essentially how they've functioned in the past.
For crucial operations, such as branches of the federal government and industrial and critical infrastructure, a security team typically sets policy, but doesn't get involved in the response.
With federal agencies, the Department of Homeland Security "sets policy and sits very lightly over the operation, maybe providing policy and training but when there's an attack, it's rarely DHS in there doing the day-to-day clean up and fix," Amoroso said.
That's typically because these enterprises are so specialized. "If there's a disaster in a company that manages nuclear power, you want people who have hands-on experience with the equipment who won't push the wrong button," he said.
Many companies fall somewhere in the middle. CIOs and CISOs operate as separate jobs leading different departments, but with work that overlaps.
"It's about 50-50 in terms of whether the IT team or security team control that function, the management of identifies, the registration, the onboarding, the administration governance," he said. That's where's things — and who does what during a response — can get muddled.
Brace the backups
While IT's role depends on the enterprise, most likely the team will be responsible for the data backups — which hopefully exist.
"While the incident response team is focused on the area that has been attacked, IT needs to start looking at backups immediately and confirm if they have them, and if they have them, have they been deleted," said Jerry Bessette, senior vice president and lead of Booz Allen Hamilton's Cyber Incident Response Program.
IT also needs to locate offsite backups and confirm that they have not also been infected.
Tech leaders can then identify which portions of the network haven't been attacked and assist with "restoring data and/or rolling back activities to the last good state backup that you know is clean," he said.
Unwinding the breadth and scope of an attack often involves reconciling logs, which IT and security can do together, ideally before an attack.
Christina Barker, practice lead of NCC Group's North American Cyber Incident Response Team, worked with clients where the "security team is logging some very specific security logs but they don't realize their own database team or systems administration team has a wealth of information in their own logging," she said. "The more you can monitor and the more you can aggregate, the better chance you're going to be able to see it."
Put someone else in charge to diffuse tension
IT and cybersecurity may snip at each other during an attack. It's a tense situation and the fallout could cost not just millions of dollars in losses, but a CIO and/or CISO their jobs.
This should be treated like a corporate crisis by the entire enterprise and, depending on the size of the organization, that means the response should be part of "overall crisis management coordination," Bessette said.
Instead of just letting the security team run with it, "you need an overarching crisis management team that's coordinating all the work streams," he said.
Insurance companies typically provide incident response plans, but organizations should put in the time to create customized plans instead, outlining the roles of everyone, including IT and cybersecurity, and who is going to resolve disputes between the two.
Prepare for communication during an attack
The best way to cut down on both the timeline and cost of a cybersecurity attack is to prepare before it even happens, said Barker.
"One of the biggest things we recommend is preparation," she said. "In case something happens, [IT and security are] already working well together. They already have that communication channel set up. They know what each team needs to be successful."
Instead of saying who will do what, she recommends tabletop exercises so "it's not just talking about how they're going to do it but also practicing that communication channel."
If an enterprise hasn't done a tabletop exercise while employees are working remotely, it's worth doing one while the workforce is scattered, even if plans call for most people to be back in the office sometime this year.
"A lot of time these incidents don't happen between the hours of eight and five. They're usually on a weekend. Most likely people are going to be communicated in that kind of [remote] way," she said.