TRANSCRIPT
[00:00:00] Tash Postolovski: Hey. I'm Tash, and I'm the marketing manager at Cosive.
[00:00:03] Terry MacDonald: I'm Terry MacDonald. I'm Chief Operating Officer and Principal Security Consultant at Cosive.
[00:00:08] Tash Postolovski: Alright, Terry. So today, we're gonna talk a little bit about FIRST membership. What is it? Why might you want to become a member? What does the membership process involve? How can you make the most of your membership if you get it? And options for getting help with the process of applying to become a member. So to start with, we're talking about FIRST.org, so that's the Forum of Incident Response and Security Teams. Tell us a little bit about what FIRST is for those who haven't heard of it before.
[00:00:40] Terry MacDonald: Yeah. So it's evolved from being a, yeah, simple threat intel sharing group to more of a community that allows you to level up your cybersecurity. They have an annual conference that's really good, a main conference. Many thousands of people turn up for it, and it's very, very good talks. It's hosted in locations all around the world. But they also have technical colloquiums, I think that's what they're called, where effectively there's sort of subgroups that are more specialized that work together to try and improve the technology and techniques and processes within a certain area of cybersecurity. So one that we've been to a few times is the CTI Technical Colloquium, and that has now turned into a conference in its own right and actually gets quite a few people there. You learn a lot being a member of it.
[00:01:39] Tash Postolovski: What kinds of teams are eligible to join FIRST, and does team size matter or make a difference? Could one person join?
[00:01:48] Terry MacDonald: There's different types of teams that do join. Most commonly, they are the Incident Response functions, the CSIRTs of different organizations. But product CERTs as well, the people who are trying to defend their products against attack, also join. It's typically security teams that join, but they have different levels of membership now, which they never used to have. There's the FIRST liaisons, which is what I am. That's for individuals who want to join, who aren't part of a security team, but are able to provide value to FIRST and its members. But with all of these things, you get the ability to be part of the community, you get the ability to attend the conferences, which, as I mentioned before, are really good, and to participate in the communication in the community, so you end up learning some really good things from the membership.
[00:02:46] Tash Postolovski: And can you talk us through what the membership process involves, sort of from start to finish? Because there's a fair few steps to applying, isn't there?
[00:02:55] Terry MacDonald: There are. I mean, one of the most important things is making sure that you actually have the right level of documentation and the right level of authority and mandate within your organization. FIRST have a measurement process called SIM3. It's a maturity assessment framework for Security Operations Centers, and they use that for making sure that your organization is at the right level to join. The first step generally is doing a SIM3 assessment to figure out where your gaps are, then you have to address those gaps. Then you have to find two sponsor organizations. So that's two existing FIRST members who know you well enough to sponsor you to join the FIRST organization. Once you've done that, one of the sponsors, the primary sponsor, then has to actually visit your site. And they have to see your documentation, and they have to check that your organization is doing what that minimum level is. And then they have to generate a report for your organization, and they sign it, and you then submit that along with a letter of reference from your second sponsor. That then goes to the secretariat at FIRST, and that's then sent to the FIRST board, who review it and check that it's up to the standards they expect from a FIRST member, and then hopefully, you get through at that point. So it's a process that can take four to six months, really, from when you start it to when you actually become a member.
[00:04:46] Tash Postolovski: Yeah. Okay. So it's quite an involved process, and you sort of have to prove that you have a certain level of maturity in your operations, it sounds like. Do you find that it's kind of a good forcing function for teams wanting to uplift as well, like to have that aspirational goal of FIRST membership there?
[00:05:04] Terry MacDonald: Definitely. It's interesting. We deal with a lot of different security operations centers and intelligence teams globally, and it's very interesting to see what bits are missing in many teams. There's been some very, very high quality teams that are doing quite advanced work, and yet they don't have a charter document that's been defined, mandated and approved by the board or by the senior leadership team. And it's those sorts of things that the FIRST review is really good at highlighting and allowing you to fix so that you actually have the, I guess, legal backup to prove that you are allowed to act on behalf of the organization that you're working for. Yeah. It's really quite interesting seeing the different levels of maturity across the spectrum.
[00:05:56] Tash Postolovski: Sponsors seem to play a pretty big role in joining FIRST. How does a team find sponsors to work with them, and why are they so important?
[00:06:06] Terry MacDonald: That's probably the trickiest part of doing a FIRST application, is getting to know the security teams. If your organization is new or there's people in there who haven't spent a long period of time building up international networks of cybersecurity peers, then you might find it quite difficult. FIRST can put you in contact with other members and give you the ability to do your own reach outs with those, but it is really quite tricky. I think that's something we offer that probably makes things a bit easier for people who do the application through us: we have extensive worldwide networks of people that were built up over time, and it just makes it easier, especially for people who are in the Asia Pacific region, because of the contacts we have. There's generally always someone that we know who we can reach out to and go, I've got this customer. They really are interested in being a member. Would you be able to do something to help them out?
[00:07:05] Tash Postolovski: And on that note, I mean, it sounds like one area where teams could struggle with considering joining FIRST is not knowing the sponsors who are required to get them there. Are there any other common roadblocks that teams might face when they start thinking about joining FIRST?
[00:07:21] Terry MacDonald: One thing about FIRST that I think is really important to note is the fact that you don't have to be an absolutely rock star organization in order to join. There's no requirement for you to be doing advanced threat hunting or have CTI or anything at those levels. You just have to do the basics, and you have to do them well. And the SIM3 maturity review helps you figure out where you sit in those key areas. So that's one thing. And I guess another thing is that it's not too onerous on an organization to actually apply. It's a long elapsed time, but the amount of work that you actually have to do generally isn't that much.
But knowing what to do and to what level, I think, certainly helps. If an organization was doing it on its own at the start, it's going to be quite daunting in knowing that you're doing the application in the right order, in the right way, that you've got your sponsors put together, that they're informed of what level of requirement they have to go down, how in-depth they have to go down to when reviewing the documentation. A lot of it's really, yeah. It's important to not overbake things. I think that's one thing that we're quite good at doing.
[00:08:49] Tash Postolovski: Walk us through, if Cosive does work with an organization to help them get FIRST membership, what does that process look like? How would you work with an organization on that?
[00:09:00] Terry MacDonald: Well, often organizations want a bit of a gap analysis done of their whole organization, which is something that we do. That sort of allows us to find gaps at a bigger scale, at a wider scale than if we were just doing a FIRST application. We have done FIRST applications just on their own. And for organizations that we do that for, we typically do that SIM3 as a gap analysis and sort of figure out, okay, based on the FIRST baseline requirements, where are the gaps? And there's a nice spider diagram that some of the tooling that we have generates that sort of shows you, okay, where are we compared to where we need to be? And it highlights where the gaps are in red, and it makes it nice and easy to follow and understand. And as part of the report that we generate, it also shows this is your priority. These are the things you need to get fixed. In most organizations, there's only a few, maybe three or four. And as I mentioned, it's generally related to the charter and whether they've got authority from the organization, whether it's been actually documented as well as another one. Because a lot of organizations have thought about this, but no one's written it down anywhere, and it's not actually been signed off formally. So that's often the thing that takes the longest in the whole process, to be honest, is getting the paperwork done to correct all of those and getting that through senior management.
Once that happens, then the next step generally is organizing the site visits and the sponsors. Once that's all locked down, then it's actually executing on the site visits and getting the sponsor, the primary sponsor, to do the site report. And then once that's finished, then we sit down with the organization and do the actual submission. And it pretty much takes a month after that of elapsed time, and then they'll be issued, hopefully, with their FIRST membership.
[00:10:59] Tash Postolovski: Let's say an organization gets their FIRST membership, they'll celebrate at first, and then how do you suggest organizations can really make the most and get the full benefit out of being FIRST members?
[00:11:13] Terry MacDonald: I would suggest, number one, is to send at least one person to each FIRST conference around the world. It's such a great meeting place and great for networking, and everyone who attends really wants to meet new people. It's extremely welcoming, and the contacts that you make end up being lifelong. It means that when something happens and you see it overseas, you also get access to a rolodex of phone numbers of all of these important organizations, and you can reach out to them and go, oh, what do you know about this? Has it been affecting your region? So you can often get pre-warning of attacks that are likely to happen in our region. And so that's one really important point that definitely helps.
There's also MISP servers that you can get access to. A lot of these organizations have quite good cyber threat intelligence teams, and they generate their own content based on what they're seeing. And then they provide that content free of charge to other FIRST members. And as part of being a member, you get access to that. And that's very, very beneficial. And, of course, if an organization doesn't have a MISP server, then that's a service that Cosive offers as well. We do a SaaS version of MISP. Because we worked with the cyber threat intelligence sharing network in Australia and helped the Australian government form that, we recognized as part of that that there was a gap in the market where people weren't able to run this very easily. So that's one of the services that we offer, is to make that pain go away for people. That's what we do at Cosive, it's all about taking away people's pain.
[00:12:55] Tash Postolovski: And if somebody is really early on in the journey of just starting to think about embarking on FIRST membership, maybe bringing in a partner to help with the process, how can they get buy-in from people like the CISO or the board on the value of undertaking this effort to get FIRST membership?
[00:13:16] Terry MacDonald: Yeah. It's interesting. Historically, this has been a real challenge for organizations because it's an additional cost. If you're to get the real benefit out of it, someone has to go to a different country, to a conference every so often, to build up that network. And there's not necessarily a direct benefit that's easily quantifiable. With that said, having the ability to get cyber threat intel into your organization is something that a lot of certifications and things like PCI DSS and some other company-wide certifications now require you to have that functionality within them, that you actually are able to consume and make use of threat intel, and that you have relationships with other third parties. Because I think as an industry we recognize that it's really important to learn from the mistakes of others, to act as a herd, like, kinda like the zebras against all the lions. It's the same sort of thing. If we work together, then we have a better chance of defending ourselves.
I think talking to the C-suite about how working as a group, as a community, we can all take advantage of others' learnings and then apply them to ourselves to lower our risk profile, to reduce the likelihood of attacks actually affecting us, is really where the power comes from. Part of the issue is it's not a quick and succinct story, and what we find is that organizations often have to sort of take a multistage approach to going on this journey. Initially, just sort of doing the basics of incident response and maybe beginning to do a little bit of pulling in open source threat intelligence and then beginning to have relationships with other organizations in a similar industry within your country. And then once you see benefits and can show those benefits, then branching out and beginning to look at an international organization like FIRST.
[00:15:19] Tash Postolovski: Great. Thanks, Terry. We'll wrap up, but if people are interested in working with Cosive on getting FIRST membership, what should they do?
[00:15:28] Terry MacDonald: They can reach out on our website if they want to, send something in there, or, if they really want to, they can send an email to hello@cosive.com, and one of our team will answer.