An interview with CEO Chris Gibson, an industry leader in incident response

FIRST is the global leader in incident response. FIRST membership enables incident response teams to respond to security incidents more effectively, both reactively and proactively. Pulse 2.0 interviewed FIRST CEO Chris Gibson to find out more.

Chris Gibson’s background

What is Chris Gibson’s background? Gibson said:

“Before leading FIRST, I worked for over 12 years in the Computer Emergency Response Team (CERT) at Citigroup. In 2013, I moved to the UK Cabinet Office to build, launch and lead the UK’s first officially accredited national CERT – CERT-UK. The organisation’s creation was part of the UK Government’s 2011 Cybersecurity Strategy.”

“I joined FIRST as Managing Director in 2019. FIRST is an organization I have been involved with since 2001 and the opportunity to work there full-time was just too good to pass up.”

“FIRST (Forum of Incident Response and Security Teams) is a leading organization and recognized global leader in incident response. Our mission is to promote collaboration and coordination in incident prevention, stimulate rapid response to incidents, and encourage information sharing among members and the community at large.”

FIRSTCon details

What is FIRSTCon and why is it important for global cybersecurity? Gibson shared:

“FIRSTCon is our annual security event that serves as a critical platform for the global technology community to share goals, ideas and information on all aspects of incident response and security. In today’s world, it is critical for all of us to protect critical national infrastructure (CNI) and improve cybersecurity worldwide. FIRSTCon facilitates collaboration between countries, incident response and security teams, helping them build trust, share information and develop coordinated strategies to address global cyber threats.”

“The event is particularly important because it brings together cybersecurity experts from different sectors and countries, enabling a comprehensive exchange of knowledge and best practices. This global perspective is crucial in today’s interconnected digital landscape where threats often cross national borders.”

Securing critical national infrastructures (CNI)

How can countries work together more effectively to secure critical national infrastructure (CNI)? Gibson emphasized:

“Effective cooperation between countries involves several important steps:

  1. Arrange regular, frequent meetings to share knowledge about potential threats and defense strategies.
  2. Conduct joint training exercises and simulations to develop coordinated defense strategies.
  3. Create a framework for sharing threat intelligence between government agencies and the private sector.
  4. Implement formal information sharing agreements or memoranda of understanding (MOUs) to address legal and confidentiality concerns.
  5. Develop clear rules and accountability measures for public and private entities involved in protecting CNI.
  6. Foster trust and build informal networks among international cybersecurity experts to enable rapid information sharing and faster incident response.

This global knowledge sharing improves cyber threat detection and reduces overall online risk. It is important to recognize that many online threats know no borders – an attack that hits one country could easily harm another.”

The role of AI in cybersecurity

What role does AI play in cybersecurity and what challenges does it bring? Gibson noted:

“AI has a twofold impact on cybersecurity. On the positive side, it can predict attacker behavior, assist with threat modeling, and automate responses to security events through approaches such as SOAR (Security Orchestration, Automation and Response).”

“However, AI can also have biases due to training data sets and algorithms that potentially lead to unfair or irresponsible decisions. This highlights the need for careful governance and diverse perspectives when developing and implementing AI.”

“As highlighted at this year’s FIRSTCON24, multi-stakeholder collaboration in AI governance is critical to ensure the safety, ethics and societal benefits of AI technology. Incorporating diverse perspectives helps address potential biases and unfair decisions that can arise from AI systems.”

Improving communication with management

How can cybersecurity teams improve communication with senior leadership? Gibson explained:

“To improve communication with leadership, cybersecurity teams should focus on translating technical information into clear, concise text. Rather than relying solely on industry-standard metrics such as TTD, TTA, TTM, and TTR, teams should develop measurable standards that effectively highlight the successes and resource requirements of their incident response programs.”

“Merisa Lee of Cisco Meraki believes that by providing clear and concise information to senior management using measurable standards, you can effectively demonstrate where your incident response program is succeeding and where you need more budget or resources to improve your program.”

CACAO method

What is the CACAO method and how can it improve information sharing in cybersecurity? Gibson explained:

“CACAO (Collaborative Automated Course of Action Operations) is a methodology that provides a common, repeatable framework for sharing and executing defense plans across technological and organizational boundaries. It overcomes the limitations of current playbook-based workflow orchestration by enabling better information sharing.”

“As presented at FIRSTCON24, CACAO ensures that all teams within an organization have access to the same threat intelligence and defense plans, improving overall coordination and response effectiveness.”

Protection of the CNI

How can the public and private sectors work together to protect CNI? Gibson responded:

“Cooperation between the public and private sectors can be improved by:

  1. Establishing a framework for sharing threat intelligence.
  2. Creating channels for exchanging information and building trust between sectors.
  3. Leveraging private sector expertise and resources to complement government efforts.
  4. Conducting joint training exercises and simulations.
  5. Developing clear accountability measures and rules for both public and private entities.”

“This collaboration enables faster implementation of security measures and more robust defense against cyber threats.”

Always one step ahead of evolving cyber threats

What are the key steps to stay ahead of evolving cyber threats? Gibson reiterated:

“To stay ahead of evolving cyber threats, a multi-faceted approach is required:

  1. Provide easier access to threat intelligence across borders and sectors.
  2. Promote cooperation between countries and organizations.
  3. Use information sharing in defense strategies, for example by implementing the CACAO method.
  4. Improve communication between technical teams and leadership.
  5. Establish clear accountability measures.
  6. Continuously adapt and learn from global cybersecurity events like FIRSTCon.
  7. Invest in AI and machine learning technologies while ensuring responsible corporate governance.
  8. Conduct joint training exercises and simulations regularly.
  9. Establish and maintain formal information sharing agreements.
  10. Stay up to date on new threats and technologies through ongoing education and participation in global security forums.”

“By implementing these strategies, organizations and countries can better anticipate and respond to emerging cyber threats, ultimately strengthening the global cybersecurity posture.”

Learn more about FIRST

Where can people learn more about FIRST? Gibson concluded:

“Visit First.org, listen to the FIRST Impressions podcast, and connect with us on social media via GitHub, LinkedIn, Mastodon, Meta, X and YouTube.”