Part 3 of 3: inside perspectives with Ryan McLaren and Shanna Daly
Vaughan: Ryan, drawing from your extensive experience with the competition, particularly in gathering feedback from those relatively new to the field, what valuable lessons did they acquire? What skills and insights did they take away?
Ryan: One of the most consistent and heartwarming pieces of feedback we receive is that participants genuinely enjoy the challenge, making it the driving force behind our continued commitment year after year.
However, the most significant outcome for participants is a notable surge in confidence. This newfound assurance empowers them to apply the tools Shanna mentioned, implementing practices learned from training, YouTube videos, workshops, and seminars they've engaged with over the months or years. It provides them with a platform to amalgamate their knowledge and put it into action.
An added advantage of assembling teams with diverse skills is the constant opportunity to learn from peers. Throughout the competition, we offer mentorship, allowing participants to seek guidance when stuck or grappling with complex questions. Sometimes, a gentle nudge in the right direction propels them to the next level, fostering a sense of achievement—moments when they crack a challenge, answer a difficult question, or make a fascinating discovery.
In essence, the overarching takeaway is the boost in confidence and the hands-on experience that enables participants to reflect on the competition, acknowledging they might not have aced everything or clinched the top spot. Yet, they relish the experience, having a great time and learning a plethora of skills—whether technical, crafting media statements, preparing briefs for CISOs, CEOs, or boards, or compiling position papers on the privacy, legal, and regulatory aspects of an incident.
This newfound confidence has tangible results, as we've witnessed participants from past competitions secure roles in incident response. Armed with newfound confidence and practical experience, they approach job interviews discussing their competition experience, securing their first roles in the incident response domain. It's truly a fabulous outcome and a testament to the competition's impact.
Vaughan: Absolutely fascinating, Ryan. Overseeing around 40 teams, each comprised of five members, navigating through the intricacies of this competition, you've had a front-row seat to witness diverse approaches and a myriad of challenges faced by these teams. It's akin to a controlled laboratory environment, encapsulating 40 unique perspectives on handling the same incident, compressing varied experiences into one intensive setting. Drawing from your wealth of experience, especially in conducting exercises and tabletops, are there specific lessons learned from this competition that you believe participants should emphasize more, reconsider, or maintain in real-world incident response scenarios?
Ryan: Certainly, Vaughan. I'd like to highlight that we deliberately designed the competition with flexibility in mind. It spans ten days, allowing teams to engage at their own pace. This accommodates their regular work commitments and personal life seamlessly.
Now, focusing on key takeaways, two aspects consistently stand out among the most successful teams.
Firstly, there's a notable appetite for learning. Successful teams exhibit proactive engagement, leveraging online resources like Google and YouTube when faced with challenges. They embody a continuous learning mindset, actively seeking and applying new knowledge in real-time. This mirrors the dynamic nature of cybersecurity, where new tactics and techniques emerge, demanding swift upskilling. The teams that excel showcase a keen interest in researching, reading, and actively learning on the go—a valuable trait given that incident response often involves adapting and learning collectively in the midst of addressing unfolding threats.
Secondly, organizational prowess plays a pivotal role. Incidents, as mirrored in this competition, are expansive and demand meticulous handling of voluminous data and complex artifacts. Successful teams exhibit exceptional organizational skills, effectively managing the size and intricacies of the data they analyze. This organizational acumen is a crucial skill, emphasizing the need for structured approaches when dealing with real-world incidents, where the volume and complexity of data are similarly significant.
In essence, these two principles—continuous learning and effective organization—are key components that elevate teams' success in the competition, and, more importantly, offer valuable insights applicable to real-world incident response scenarios.
Navigating the intricate web of questions demands a structured and organized approach. Integrating project management and organizational skills proves to be indispensable. Over the years, the consistently successful teams in the competition have showcased a notable level of organization. Their triumphs were underpinned by effective internal communication, eliminating the need to sift through myriad Slack messages for crucial information. Key findings were aptly tagged and communicated, ensuring everyone stayed synchronized on roles, objectives, and immediate tasks.
Shanna would likely agree that the significance of this aspect when responding to incidents, given their substantial size and complexity, can pose huge mental and physical challenges. Frustration may arise when data refuses to cooperate, or understanding adversary actions becomes a daunting task. It's a rollercoaster of highs and lows, and a calculated amount of stress is intrinsic to optimal performance. So a structured and organized approach, reminiscent of project management, plays a pivotal role in maintaining stress levels and overall well-being. This methodical approach is indispensable for excelling in such competitions or real-world incidents.
Shanna: If I can jump in here, because I've got so much to say for teams gearing up for similar scenarios. The randomness of team assignments in this year's competition proved beneficial. Being placed in a team where members are unfamiliar mirrors real-world scenarios, demanding quick understanding of personalities, strengths, and effective collaboration under stress. This dynamic of forming connections within teams, especially when participants are unfamiliar with each other, adds a layer of realism to the preparation process.
Ryan highlighted the inevitability of making mistakes in the unpredictable landscape of real incidents. Technical tools may falter, challenges emerge, and frustration ensues. Communicating issues becomes paramount within a team to prevent unnecessary delays caused by minor errors like a misplaced comma. Effective preparation involves running exercises that mimic real chaos, steering clear of idealistic discussions. Simulating scenarios where critical personnel are unavailable adds an element of unpredictability, fostering adaptability and quick thinking.
The validation of assumptions, especially under regulatory scrutiny, is emphasized. Mistakes are acknowledged, but the credibility of the response hinges on thorough verification. Being technically proficient is valuable, but collaboration within a team is crucial for success. The essence lies in knowing each team member's strengths and weaknesses, establishing trust, and cultivating a supportive environment.
So, in summary, you need to be hungry to learn and be a fast learner. You need to have rigorous processes, and prepare those and rehearse them. You need to get to know your team, their strengths and weaknesses. And you need to be ready to work well in a team under pressure.
Vaughan: So maybe that’s a good summary of all that we’ve discussed. Well, a sincere thank you to both of you for being a part of the show. It's truly been a pleasure having you here. We trust that the discussion has provided valuable insights for our viewers, offering them something to consider, whether it sparks an interest in joining the event next year or enhancing their incident response skills in real-world scenarios.
Ryan: Appreciate it, Vaughan. And just to let everyone know, we're gearing up for the 2024 event, so if you're even remotely considering it, don't hesitate—register, dive in, and enjoy the experience. I can assure you it'll be both enjoyable and enlightening. At the very least, you'll connect with some fantastic individuals and pick up a few new skills along the journey.
Shanna: Absolutely, echoing Ryan's sentiments. Beyond the impressive prizes, the invaluable lessons learned along the way are truly noteworthy. The tools at your disposal, exposure to industry experts—it all contributes to your growth. I'll share an anecdote that adds a touch of excitement: a participant who attended my digital forensics training at BSides Melbourne a year and a half ago went on to lead the winning team in last year's AWSN incident response challenge and eventually secured a role at Cydarm.This story highlights the incredible opportunities these events can open up for your career. So, a big thank you to Retrospect for organizing these events, especially in collaboration with AWSN, as fostering diversity, particularly encouraging women in our industry, remains a crucial endeavor.