How to build a cyber incident response team

Who will you call when your organisation has been compromised? Having a cyber incident response team ready to go can save your organisation from disaster.

There’s no escaping the threat of cyber security incidents. Crooks are constantly poised to exploit vulnerabilities, and employees use complex IT systems where mistakes are bound to happen.

Investing in cyber defences can reduce those risks, but organisations also need to be ready for the threats they simply can’t prevent. A CIR (cyber incident response) plan provides that readiness, setting out how to identify and respond to security breaches.

An effective plan can quickly stop a disruption from turning into a disaster. But, of course, the plan itself is only half the equation; you also need a team to carry it out. In this blog, we explain the essential roles involved in CIR and how you can fill them.

Who should be on a CIR team?

  • A manager coordinates the CIR plan and puts together a team.
  • Group leaders oversee specific areas of the response plan.
  • Incident handlers are floor-level managers who advise the employees conducting the response.
  • Hotline, helpdesk or triage staff answer questions from stakeholders.
  • Artifact analysis staff review the function, architecture and design of software.
  • Platform specialists monitor and analyse the functionality of platforms and applications.
  • Trainers teach employees how to carry out the necessary steps in the CIR plan.

How to assemble the team

There are three ways an organisation can create its team:

  1. Internally resourced: The organisation assigns roles to its employees and conducts all incident response activities itself.
  2. Partially outsourced: The organisation hires a third party to oversee certain elements of its incident response activities, and lets its own employees cover all other aspects of the plan. For example, it could appoint experts to control the management aspects and use its employees for the technical aspects, or have hotline operators and helpdesk staff on retainer.
  3. Fully outsourced: The organisation subcontracts all elements of its incident response activities. A single third party might manage every aspect, or the organisation could appoint different specialists for each task.

How to get started

Organisations usually prefer to internally resource or partially outsource their CIR team, because they are the cheapest options. However, this will only be possible if employees have an expert understanding of cyber incident response.

That’s rarely the case, but fortunately the framework isn’t too hard to grasp. Unlike many other cyber security best practices, CIR is based on a handful of principles that mostly require organisational skills. The necessary technical expertise can be delegated to skilled employees or outsourced.

You can find out how to get started with your project by downloading Cyber incident response (CIR) management – An introduction. This free green paper explains:

  • The benefits of CIR;
  • Our recommended approach;
  • The importance of scenario development for CIR success; and
  • Best-practice guidance for establishing a CIR programme.