Halkyn Security Blog
Specialist Security & Risk Management Consultants

Incident Response – 5 key stakeholder groups

Incident Response - Your team cant function in a vacuum.

Incident Response – Your team cant function in a vacuum.

Incident response is a vital component of every organisations security. It provides the safety net for when the inevitable happens and other controls fail. A good incident response team will also have subject matter experts who can guide your entire organisation’s security strategy.

If you take security even slightly seriously, you will have an incident response team. Often called a “CSIRT,” but you may use other titles like SIRT, IRT or CERT. Ideally, you’ve put your technical expertise here so that they can respond to incident across the board. You’ve manned it properly so the team have resources to deal with the volume of incidents you face and you’ve given them the tools to detect, confirm, investigate and contain incidents in a timely manner.

If you’ve done all this, you’ve done well and your response will be pretty good.

However, even the best CSIRT team needs help. Your handlers may be experts but you want them spending time on incidents, not constantly refreshing their knowledge of the ins and outs of your environment.

You can solve this by making sure they interact with key stakeholders in your business.

5 Key Stakeholders for Incident Response

Every organisation is different. However, your CSIRT must find a way to engage with the equivalents of the following groups:

  1. IT Services.  Your incident response team need to establish solid relationships with all the key parts of your IT Services organisation. Internally, this includes networking, database teams and developers. Externally you need to include hosting providers and service providers. This is the most crucial relationship they can have.
  2. Security Management. You need more than a CSIRT. The incident responders can be expected to own every aspect of security. You need to ensure they have a route to engage other parts of security and especially security management / leadership teams.
  3. Legal. Incidents open the door for lots of legal considerations. You need to make decisions about what to report and how significant an event may be. Your incident responders should be technical experts, not legal experts. This means your handers must have a way of seeking guidance from real lawyers. Ignore legal at your peril.
  4. Human Resources. Users are a frequent cause of security incidents. Your incident response team need to be able to handle these in the correct way. To enable this, the CSIRT need to engage with HR. Ideally, there will be regular links to ensure compliance and an ad-hoc link when an incident happens. As with legal, ignore HR at your peril.
  5. Public Relations. Incidents can go public with very little warning. No one wants to make the Talk Talk mistake with a CEO talking faster than your incident response team can work. It is vital that your incident response guys engage with PR before and during incidents. Your PR team are experts in making sure the incident response message is the right one. If you need to go public and there is no link between incident response and PR, you will feel pain. Lots of pain.

Incident Response Communications

So, you know it makes sense to engage, but how can you do it?

Step 1: Identify the right people. Find or nominate key individuals within the stakeholder groups. These do not need to be security experts, but they need to be aware of the incident response team’s existence. Make them aware of their duties – normally act as a support point for any incident activity.

Step 2: Set up regular security cadence meetings. People forget things. You can minimise this with a regular meeting between all the stakeholders. You can use this to drive improvements, review previous incidents or just remind everyone.

Step 3: Incident Response Escalations. Your team is in-flight with an incident, have them set up pro-active alerting. Don’t call everyone, every time, but your handlers need to be planning ahead. Your incident response team need to be warming up key contacts so when they have to press the button, it doesn’t shock anyone.

Incident Response Really Matters!

Brighton Bombing 1984 - IRA

Brighton Bombing 1984 – IRA

No matter how good your security is, there will be a time when it fails. An attacker will get through.

This doesn’t mean you should ignore other controls. It doesn’t mean you should give up hope.

However, it does mean you need to have a plan B. A good incident response team gives you this plan B.

Your incident response team need your security controls. They need your logs. They need tools to contain incidents. They need skills and knowledge.

When they have all this, the need engagement with others!

With all this, you make it less likely the attackers will “get lucky.”

Similar posts
  • Memory analysis in incident response ... Incident response is often a stressful, high-pressure situation. Responders are desperately trying to claw together information. All around them the world is collapsing. Furthermore, everything important seems to be deleted or obfuscated. Yet it is not all doom and gloom. They have memory analysis. Life can be hard for the incident responder. You are faced [...]
  • Checklist or your memory, is one bett... Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist. First off – the problem. Lots of certificate exams are memory tests and [...]
  • Threat Hunting – essential for ... Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake. Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an [...]
  • UOC – Cybersecurity Conference ... Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017. The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career [...]
  • Dashboards vs Security – are th... Metrics, Dashboards and Security Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get to a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore for most organisations, this is a fight long lost. This may not always be a [...]

1 Comment

  1. Akter Akter
    8 December 2015    



    I just checked your Compliance audit checklist for ISO 27001 in your website and found very helpful. Can you please send me an unprotected version of this? Email: [email protected]

    Thank you

%d bloggers like this: