What Skills are Needed When Staffing Your CSIRT?
Abstract:
If you want to build a computer security incident response team (CSIRT) with capable incident handlers, you need people with a certain set of skills and technical expertise, and with abilities that enable them to respond to incidents, perform analysis tasks, and communicate effectively with your constituency and other external contacts. They must also be competent problem solvers, must easily adapt to change, and must be effective in their daily activities. It is often not easy to find such qualified staff, so sometimes CSIRTs nurture and train internal staff members to advance into these incident handling roles. In this document, we describe a minimum set of basic skills that CSIRT staff members should have. This skill summary is based on the early incident handling experiences of the CERT Coordination Center (CERT/CC), our observations of CSIRTs, and the experiences others in the community have shared with us over the years. We also suggest some of the additional "specialist" skills that a few members of the team should have (or have access to): experts who can be called upon for technical help or guidance when a special need arises. However, these special skills are not our main focus, which is to highlight the basic skills for incident handling staff.