Building a cyber incident response team

Organisations are starting to acknowledge that it’s impossible to completely remove the threat of data breaches. You might be able to repel most incidents, but it’s important to have a CIR (cyber incident response) plan for the threats you can’t prevent.

Effective CIR management helps you detect breaches sooner and build a robust defence against attacks, potentially saving your organisation millions.

But the plan itself is only half the equation; you also need a team to carry it out. In this blog, we explain the essential roles involved in CIR and how to fill them.


Who should be on a CIR team?

  • A manager coordinates the CIR plan and puts together the team.
  • Group leaders oversee specific areas of the response plan.
  • Incident handlers are floor-level managers who advise the employees conducting the response.
  • Hotline, helpdesk or triage staff answer questions from stakeholders.
  • Artifact analysis staff review the function, architecture and design of software.
  • Platform specialists monitor and analyse the functionality of platforms and applications.
  • Trainers teach employees how to carry out the necessary steps in the CIR plan.

How to assemble the team

Organisations can create their team in one of three ways:

  1. Internally resourced: The organisation assigns roles to its employees and conducts all incident response activities itself.
  2. Partially outsourced: The organisation hires a third party to oversee certain elements of its incident response activities, and its employees cover all other aspects of the plan.
  3. Fully outsourced: The organisation subcontracts all elements of its incident response activities. A single third party might manage every aspect, or the organisation could appoint different specialists for each task.

How to get started

Most organisations would prefer to internally resource or partially outsource their CIR, because they are the least expensive options. However, this is only a possibility if employees have a solid understanding of CIR.

That’s rarely the case, but fortunately the framework isn’t too hard to grasp. Unlike many other cyber security best practices, CIR is based on a handful of principles that mostly require organisational skills. If you have a CIR expert in your organisation, they should be able to teach team members what they need to know.


Incident Response Management Foundation Training Course

Find out how to effectively manage and respond to a disruptive incident (such as a data breach or cyber attack) and take appropriate steps to limit the damage to your business, reputation and brand. This course will provide an introduction to developing an incident response programme according to the requirements of the GDPR and NIS Directive.
