FIRST Strategy Framework

Introduction

FIRST is the Forum of Incident Response and Security Teams. The idea of FIRST goes back until 1989, only one year after the CERT(r) Coordination Center was created after the infamous Morris worm. Back then incidents already were impacting not only one closed user group or organization, but any number of networks interconnected by the Internet.

It was clear from then on that information exchange and cooperation on issues of mutual interest like new vulnerabilities or wide ranging attacks - especially on core systems like the Domain Name System or the Internet as a critical infrastructure itself - were the key issues for security and incident response teams.

Since 1990, when FIRST was founded, its members have resolved an almost continuous stream of security-related attacks and incidents including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever growing Internet. FIRST brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors.

FIRST has grown from five members in one single country (the United States) in 1990, to 165 liaisons and 762 teams from 111 countries, as of the date this document was written. Today, there are 26 special interest groups at FIRST, and many initiatives focused on topics like Diversity and Inclusion, Victim Notification, IR (Incident Response) Database, Malware Information Sharing Platform (MISP), the Incident Response Hall of Fame, the Suguru Yamaguchi Fellowship Program, among plenty others.

FIRST Membership Growth up to 2024

Since its founding, FIRST evolved from a loose association run by volunteers into a structured organization with several staff members and a multi-million-dollar budget. As part of the growth and maturing of the organization, the work on strategic planning that the Board of Directors and the corporate Officers have performed in the past will be enhanced and strengthened. This will allow FIRST to address internal and external challenges that threaten to hinder its ability to effectively achieve its mission and solidify its role as a global leader in cybersecurity and incident response. FIRST operates within a rapidly evolving cybersecurity landscape, facing competition from similar organizations and needing to adapt to emerging trends and technologies.

A three-year Strategic Plan will provide a framework for enhancing member value, expanding global reach and diversity, and ensuring long-term financial sustainability. Through it, FIRST can leverage its strengths, such as its respected brand and global network, to solidify its position as the premier organization for incident response and security.

FIRST’s Vision and Mission Statement

Strategic Alignment

FIRST's Strategic Plan will be aligned with its Vision and Mission Statement. This alignment is crucial for providing a unified direction for the organization, ensuring that all its activities – from member services to governance and policy engagement – directly contribute to achieving its overarching goals. Without this alignment, FIRST risks becoming fragmented in its efforts, pursuing disparate initiatives that may not effectively address the evolving cybersecurity landscape. Aligning the Strategic Plan with FIRST's mission to be a trusted source of information and thought leadership necessitates a concerted effort to enhance its global visibility, engage with policymakers, and produce high-quality research and publications.

By strategically aligning its Plan with its vision and mission, FIRST can leverage its strengths, address its weaknesses, and position itself for long-term success as the globally recognized leader in the field of incident response and cybersecurity.

Vision

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all.

Effective response is a global task, mirroring the global nature of the internet. Based on a peer to peer network governance model, Computer Security Incident Response Teams (CSIRTs), Product Security Incident Response Teams (PSIRTs) and independent security researchers work together to limit the damage of security incidents. This requires a high level of trust; the fuel our members run on. FIRST fosters trust building among members through a variety of activities. Incidents are not confined to one cultural or political corner of the internet, nor do they respect borders or boundaries. FIRST thus promotes inclusiveness, inviting membership from all geographic and cultural regions.

Mission

Global Coordination - You can always find the team and information you need: FIRST provides platforms, means and tools for incident responders to always find the right partner and to collaborate efficiently. This implies that FIRST’s reach is global. We aspire to have members from every country and culture.

Global Language - Incident responders around the world speak the same language and understand each other’s intents and methods: During an incident it is important that people have a common understanding and enough maturity to react in a fast and efficient manner. FIRST supports teams through training opportunities to grow and mature. FIRST also supports initiatives to develop common means of data transfer to enable machine to machine communication.

Policy and Governance - Make sure others understand what we do, and enable us rather than limit us: FIRST members do not work in isolation, but are part of a larger system. FIRST engages with relevant stakeholders, in technical and non-technical communities, to ensure teams can work in an environment that is conducive to their goals.

Strategic Planning at FIRST

It is a fundamental part of governance at FIRST and is the first part of a structured planning process, followed by the creation and implementation of a Three-Year Operating Plan, for which an Annual Budget and Operational Plan are defined. The Strategic Plan is updated every three years, while the Three-Year Operating Plan, as well as the Annual Budget and Operating Plan, are updated every year. Each year concludes with an Achievement and Progress report through which the Board of Directors and the Chief Executive Officer and Executive Director communicate performance metrics in support of transparency and accountability.

Strategic Planning at FIRST
	Duration	Updated Every
Strategic Plan	Three years	Three years
Three-Year Operating and Financial Plan	Three years	Year
Budget and Operational Plan	One year	Year
Achievement and Progress Report	One year	Year

As a maturing organization, during the first calendar semester of 2025 the FIRST Board of Directors, along with the Chief Executive Officer and Executive Director, will use this Strategic Plan as the basis to produce the first Three-Year Operating Plan, both of which will in turn be the basis going forward for the Annual Budget and Operational Plan. For clarity, FIRST produces an annual budget which will be based on the Strategic Plan, the Three-Year Operating Plan, and will be part of the yearly operational plan.

Next Steps: From Strategy to Operations

3-Year Operating Plan

Defining the Strategic Plan is a crucial first step. The next stage involves developing a three-year Operating Plan to translate the strategic objectives and goals into actionable steps, so that the expected outcomes can be achieved while the corresponding risks are mitigated. This Operating Plan outlines:

Specific activities: Always aiming at achieving the Vision and Mission Statement as well as the five Strategic Objectives outlined above in Section III. This is the breakdown of each strategic objective into smaller, manageable tasks.
Timeline: A clearly defined timeframe for each activity, including start and end dates.
Responsibilities: Assigned ownership of each activity to specific individuals or teams within FIRST.
Resources: Resources needed for each activity, like budget, personnel, or technology.
Metrics: Key performance indicators (KPIs) to measure progress and success for each activity and objective. Conclusions

This three-year Strategic Plan provides a framework for FIRST to strengthen its position as the global leader in security and incident response. By focusing on global recognition and trust, member value creation, development and education, becoming a source of expertise and information, and ensuring effective governance and financial resilience, FIRST can continue to advance its mission and support the evolving needs of the cybersecurity community.

The success of this plan depends on the commitment and collaboration of FIRST's Board of Directors, staff, members, and partners. By working together, FIRST can navigate the complex and ever-changing cybersecurity landscape and contribute to a safer and more secure online environment for all.