Halkyn Security Blog
Specialist Security & Risk Management Consultants

Incident Response – 5 key stakeholder groups

Incident Response – Your team can't function in a vacuum.

Incident response is a vital component of every organisation's security. It provides the safety net for when the inevitable happens and other controls fail. A good incident response team will also have subject matter experts who can guide your entire organisation's security strategy.

If you take security even slightly seriously, you will have an incident response team. It is often called a "CSIRT," but you may use other titles like SIRT, IRT or CERT. Ideally, you've put your technical expertise here so that they can respond to incidents across the board. You've staffed it properly so the team have the resources to deal with the volume of incidents you face, and you've given them the tools to detect, confirm, investigate and contain incidents in a timely manner.

If you’ve done all this, you’ve done well and your response will be pretty good.

However, even the best CSIRT needs help. Your handlers may be experts, but you want them spending their time on incidents, not constantly refreshing their knowledge of the ins and outs of your environment.

You can solve this by making sure they interact with key stakeholders in your business.

5 Key Stakeholders for Incident Response

Every organisation is different. However, your CSIRT must find a way to engage with the equivalents of the following groups:

  1. IT Services. Your incident response team need to establish solid relationships with all the key parts of your IT Services organisation. Internally, this includes networking, database teams and developers. Externally, you need to include hosting providers and service providers. This is the most crucial relationship they can have.
  2. Security Management. You need more than a CSIRT. The incident responders cannot be expected to own every aspect of security. You need to ensure they have a route to engage other parts of security, and especially the security management / leadership teams.
  3. Legal. Incidents open the door to lots of legal considerations. You need to make decisions about what to report and how significant an event may be. Your incident responders should be technical experts, not legal experts. This means your handlers must have a way of seeking guidance from real lawyers. Ignore legal at your peril.
  4. Human Resources. Users are a frequent cause of security incidents. Your incident response team need to be able to handle these in the correct way. To enable this, the CSIRT need to engage with HR. Ideally, there will be regular links to ensure compliance and an ad-hoc link when an incident happens. As with legal, ignore HR at your peril.
  5. Public Relations. Incidents can go public with very little warning. No one wants to make the TalkTalk mistake of a CEO talking faster than the incident response team can work. It is vital that your incident response people engage with PR before and during incidents. Your PR team are experts in making sure the incident response message is the right one. If you need to go public and there is no link between incident response and PR, you will feel pain. Lots of pain.

Incident Response Communications

So, you know it makes sense to engage, but how can you do it?

Step 1: Identify the right people. Find or nominate key individuals within the stakeholder groups. These do not need to be security experts, but they need to be aware of the incident response team's existence. Make them aware of their duties, which are normally to act as a point of support for any incident activity.

Step 2: Set up regular security cadence meetings. People forget things. You can minimise this with a regular meeting between all the stakeholders. You can use this to drive improvements, review previous incidents or just remind everyone.

Step 3: Incident Response Escalations. When your team is in-flight with an incident, have them set up proactive alerting. Don't call everyone, every time, but your handlers need to be planning ahead. Your incident response team need to be warming up key contacts so that when they have to press the button, it doesn't shock anyone.

Incident Response Really Matters!

Brighton Bombing 1984 – IRA

No matter how good your security is, there will be a time when it fails. An attacker will get through.

This doesn’t mean you should ignore other controls. It doesn’t mean you should give up hope.

However, it does mean you need to have a plan B. A good incident response team gives you this plan B.

Your incident response team need your security controls. They need your logs. They need tools to contain incidents. They need skills and knowledge.

When they have all this, they need engagement with others!

With all this, you make it less likely the attackers will “get lucky.”
