In a world where enterprises are embracing the fact that breaches are not a matter of ‘if, but when,’ it is becoming increasingly important to develop internal and external resources to investigate and oversee the impact of attacks after they have happened.

Digital forensics is a relatively recent skills concentration—one that does not necessarily require the same talents, expertise or background as other cybersecurity positions. And while more enterprises are recognizing that they need such talent on the back-end, as it were, there are still holdouts that are entirely focused on detection and prevention, to their detriment.

“I think this is actually a misconception [that] organizations do not necessarily need to build out digital forensics teams in-house,” says Sean Mason, director of incident response for Cisco Security Services, adding that Cisco is building out its own forensic capability via its incident response services team. A key problem, Mason says, is “there is not enough talent to go around and, generally speaking, most organizations don’t have enough demand to require a full-time team on staff.”

Munish Walther-Puri, chief research officer at dark web monitoring company Terbium Labs, points out that digital forensics requires a combination of “investigation, intelligence, and innovation.”

Digital forensics teams are a complement to any IT team “because they figure out the who, when, where and why a bad actor came into the system,” says Avani Desai, president of audit and accounting firm Schellman & Co.
“They help paint a picture of the incident and provide guidance on how to mitigate the risk of that happening again.” The forensics teams also take past data and processes and build upon them to make sure they have the tools to handle issues that are getting significantly tougher to solve, Desai adds.

Darien Kindlund, vice president of technology for Insight Engines, a provider of natural language search technology, points out that digital forensics is “an important pillar in any security operations team, in order to assess and understand tools, tactics, and procedures (TTPs) used by attackers to compromise a firm. That way, the firm can stop future breaches using these same TTPs by new attackers. A firm’s ability to understand how these attacks work is directly tied to how effective their digital forensics team is.”

Thinking differently for forensics

Digital forensics employees are often lumped in with cybersecurity personnel in general—but the skill set and expertise required are typically very different. Being part of the digital forensics team means working with a large subset of the organization, such as human resources, IT, legal, compliance and operations, according to Desai. “They need to have strong interpersonal skills, as tension is often high during an incident or breach response,” Desai says.
“As with any highly analytical job, the forensics team must have high attention to detail, focus on a methodological approach and execution, and have a determined approach – no stone can go unturned.”

In addition, digital forensics team members need to “understand the ever-evolving environment of cybersecurity and how changes and new malware will affect the systems, which means they have to have a keen desire to learn and adapt to changes,” Desai says.

Digital forensics may not be as flashy as other cybersecurity positions—it is an “unconventional” IT security job, according to Desai. “But the skills of analytical thinking, attention to detail, solving puzzles are exciting and the earlier exposure the easier it will be to have a pipeline in the next ten years.”

Walther-Puri agrees that the ideal digital forensics employee is “different than conventional IT talent, a digital forensics analyst must think in both a structured and non-linear fashion.” For example, he says, investigation is about being methodical, but at the same time, tracking a cybercriminal requires creativity. “Beyond thinking like the adversary, an analyst must be able to understand motivations and techniques with inspiration from criminology, economics, security, intelligence and psychology,” Walther-Puri says.

Key attributes of successful digital forensics analysts

Curious. A digital forensics analyst must be a quick study of concepts, technologies, industries, and communities. A crucial ability is knowing how to stay on top of a topic, excelling at synthesizing multiple sources and tracking news, events and trends. When faced with an uncertainty, the analyst can figure out how to frame an approach.

Analytical. Structured, critical thinkers who know how to apply methodology are essential. They’ll be able to demonstrate the difference between an idea, a hypothesis, a piece of evidence and an insight.
For a business audience, an analyst must know how to present evidence rigorously, without being too academic.

Data Savvy. The successful analyst has a healthy appetite for data and can use it to analyze processes and identify patterns. Familiarity with quantitative thinking, basic statistics, and working with datasets is essential. Data is not magic, and the analyst excels at asking the right questions.

— Munish Walther-Puri

Mason says “forensicators,” as he calls them, are generally going to have more of an investigative mind than anything else. “Additionally, given the data they need to examine and interpret, these are individuals with both a very deep and very broad understanding of IT and related infrastructure,” he says.

Similarly, Kindlund agrees that digital forensics teams need to “understand deep internals of every operating system (OS) and application supported at their firm. This is because attacker activity varies per target application and OS, and digital forensics teams need to extrapolate how identified activity may exist across the entire ecosystem of digital assets within a firm.”

Indeed, people with a more “procedural” background and bent are typically a better fit for digital forensics in their investigation process and the demand to collect and maintain evidence, according to Ron Schlecht, managing partner of BTB Security Consulting. “That’s what we’ve seen to be most successful,” Schlecht says, adding that these employees often come from a legal or law enforcement background, but still require technical training.
The bottom line: They need to understand the “digital footprints we all leave behind, the aspects of a computer and how to pull it together,” he says.

Given the amount of collaboration the digital forensics team needs to conduct (externally and within the organization) with legal, compliance, law enforcement, IT and human resources, Desai points out that interpersonal skills and a broad understanding of these units are as important as the necessary technical skills commensurate with a digital breach investigation. “They need the ability to communicate in layman’s terms,” Desai says. “They need to communicate, they need to understand the chain of command, especially the legal aspect.”

But, with an existing shortfall of nearly 3 million people to fill cybersecurity positions, according to a recent (ISC)² study, filling the growing number of even more demanding digital forensics positions will be challenging for enterprises. The skills gap for digital forensics teams “mirrors the larger cybersecurity skills gap found across the world,” according to Kindlund. “Most firms focused on building great forensics teams foster these skills internally by hiring creative, technical thinkers and training staff to perform critical forensics skills among IT security personnel who are interested in learning more.”

The ongoing acute shortage of cybersecurity skills makes attracting and retaining cybersecurity professionals with digital forensics skills a challenge, says Doug Cahill, group director and senior analyst for the Enterprise Strategy Group, Inc. “Critical success factors for doing so go beyond compensation and include fostering a culture in which cybersecurity is a clear priority,” he adds.
“The opportunity to continue to learn and expand one’s skill set, and access to advanced cybersecurity controls including endpoint detection and response controls are key.”

How to attract, retain and groom digital forensics professionals

1. Cross train employees in other areas. Exceptional thinkers in anti-money laundering (AML) and compliance, creative corporate security analysts, and those who understand storytelling and statistics (audit, financial analysis, etc.) are all personas that can be trained in the skills required for digital forensics. Skills can be taught, while curiosity and creativity are much harder to impart.

2. Build a culture of diversity. If the mission and problem set attracts talent, culture is key to retention. Diversity — in background, experience, and skill set — will create a unique culture that people will think twice about leaving.

3. Develop roles around solving problems, not functions or titles. It’s easy to give someone a title or assign them to a function, but the types of people that will fill those roles are apt to get bored or feel constrained. To develop personnel (both horizontally and vertically), shape the roles around the type of problem and scope (e.g., tactical/operational, investigative/analytical, reporting/service delivery). People will continue to grow and groom colleagues/junior team members if they can envision a trajectory for themselves.