Building a fully operational cyber incident response team

The majority of businesses out there haven’t yet got round to exploring one of the final frontiers of cyber security: incident response. While most have neatly written-up policies and the proper cyber security technologies, many companies are ill-equipped to handle an unexpected security incident. Then, when something does arise out of the blue (which it always eventually will), these companies are left looking like a deer caught in the headlights.


A lack of foresight and a general lack of preparedness have resulted in the emergence of a rather worrying “wing it” attitude in many firms. The problem is compounded by the fact that many IT and security teams lack clearly defined goals, as executive management and board members are too disconnected from the world of security to provide meaningful security leadership.


When things are ticking along as usual, management often wrongly assume that IT and security have everything under control. “We’ve made a significant investment in security so that should be the end of our worries – things will be locked down and incidents shouldn’t occur, right?” Unfortunately, this line of thinking is not in line with the reality of cyber security.


On the other hand, many security professionals believe they are fully prepared to respond to an incident and everything else that comes with it. While this may be true from a technical perspective, dealing with the people and business side of incident response requires a very different approach, calling on the skill sets of many different departments within the company.

So who should be included in a cyber incident response team?


What should a cyber incident response team look like? Well, security-related incidents are like any other type of business crisis. You need to place the right people in the right roles to execute a predeveloped plan that will minimise the impact on the business.


In a recent blog post, Digital Guardian outlined the diverse list of roles that should feature in every well-designed security program. Their list is split into two sections: the core members of the incident response team, and the much-needed support from various non-technical departments.


The core of the Incident Response Team


  • Incident Response Manager: The incident response manager oversees and prioritises actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the company.


  • Security Analysts: The manager is supported by a team of security analysts who work directly with the affected network to establish the time, location, and details of an incident. There are two types of analysts:
    • Triage Analysts: Filter out false positives and watch for potential intrusions.
    • Forensic Analysts: Recover key artifacts and maintain integrity of evidence to ensure a forensically sound investigation.


  • Threat Researchers: Threat researchers complement security analysts by providing threat intelligence and context for an incident. They are constantly combing the internet and identifying intelligence that may have been reported externally. Combining this information with company records of previous incidents, they build and maintain a database of internal intelligence.


Cross-departmental support


  • Management: Management buy-in is necessary for provision of resources, funding, staff, and time commitment for incident response planning and execution.
  • Human Resources: HR are required when an employee is discovered to be involved with an incident in some way.
  • Audit and Risk Management Specialists: These specialists help to develop threat metrics and vulnerability assessments while encouraging best practices across the organization.
  • General Counsel: A lawyer ensures that any evidence collected maintains its forensic value in the event that the company chooses to take legal action. They can also provide advice and guidance regarding liability issues when an incident affects customers, vendors, and/or the general public.
  • Public Relations: PR will communicate with team leaders, ensuring an accurate account of any issues is communicated to stockholders and the press.


Prevention is better than cure


Incident response planning should focus on prevention. This demands proactive monitoring so that incidents are detected early, before they can take hold. Once an incident has occurred, it involves proper containment and clean-up. If a breach has impacted sensitive information, it will likely require a formal investigation. The process and findings need to be communicated to all parties involved – which often includes the general public. Then there must be follow-up, adjustments and improvements, and ongoing oversight. Every single role in the above list is required to make these things happen.


Based on recent cases of significant data breaches, incident response always appears to be something of an afterthought right up until the moment of detection. It is then, and only then, that people bring their attention to the response procedures. Obviously this tends to be a case of too little, too late. It shouldn’t take the media and shareholders banging on the door to drum up interest in security. Seeking out security buy-in while scrambling around in the wake of a major incident is foolish to say the least. It may sound glib, but the best time to start building, testing and enhancing your incident response plan was years ago. The second best time is now.


Getting started


With time ticking on, if you haven’t already, you should get started on incident response today. Review the list above and gather together the right people to update your existing plan. Get all involved parties engaged in the discussion to hear their thoughts on how the new strategy will impact them. This provides an opportunity to pre-empt and iron out any potential problems during the planning phase. The end goal should be to maximise the chances of things going according to plan during a real-life incident.


In a way it’s a bit like how the police or military train to handle real-world physical attacks. It takes a lot of practice and rehearsal. Your new strategy shouldn’t simply be put to one side and forgotten about once the planning phase is over. The message needs to be continually reinforced to all those involved.


While we have given a general overview here, there is no strict formula for success in incident response. The team you construct should be made up of the people who are the best fit for your organisation’s needs. Just make sure the scope of the team extends beyond the IT and security departments. Don’t sit back and wait until you are forced to change. Having a solid cyber incident response team will make a huge difference to your efforts when, not if, the major incident occurs.