What Lifeguards Can Teach Our Cyber Incident Response Teams

Jonathan Trull, Chief Information Security Officer

Last year, my family and I were swimming at a local lake when a storm blew in off the Colorado mountains and strong winds pummeled the shore and water. A swimmer 100 yards from shore began to falter. Fortunately, this lake had lifeguards on duty for just such an incident. First, a lifeguard positioned on a floating pontoon about 50 yards from shore used his radio to notify all other lifeguards of the emergency. Next, this lifeguard dropped his radio and jumped into the water with his floatation device and began swimming toward the drowning swimmer. At about this same time, the lifeguards on shore blew their whistles and stood with their hands raised signaling the emergency. Another lifeguard on shore with a rescue board jumped into the water and began paddling toward the victim. By the time they had the victim to shore, an EMT was waiting to administer first aid. The swimmer lived to swim another day because of the quick and well-orchestrated actions of these lifeguards.

I was truly amazed out how proficient and orchestrated the lifeguards were in their response. Even more amazing was the fact that most of these lifeguards were high school and college age. They demonstrated tremendous communication skills, teamwork and were calm under a very stressful situation. I pulled one young lifeguard aside and told her how much I appreciated their efforts and asked what their secret was to such a response. She told me it boiled down to having standard operating procedures and training. Every lifeguard was required to memorize the standard operating procedures for responding to different types of emergencies and then they were trained continuously, both individually and as a team, on every scenario. Also, she said that the best trainings were unannounced and realistic.

So, what can cyber security incident response teams learn from these lifeguards?

  • Responding to cyber security incidents is a team effort. Team work, communication, and orchestration of efforts are essential.
  • Training is the key to success. Incident response team members should be trained individually, and the team as a whole should be put through realistic, unannounced training. I wholeheartedly believe the adage: “The more you sweat in practice, the less you bleed in combat.”
  • Standard operating procedures are extremely important. They ensure that a comprehensive response occurs, that all team members know how to respond to different types of incidents and understand their roles in each response and allow for a calm response in even the most stressful of situations.

Like the lifeguards in this story, if you follow these three basic principles, you will be amazed at what you and your cyber security incident response team can achieve.