Incident Response

Incident response at organizations can run from cool to chaotic


Nearly three-quarters (73%) of survey respondents say their organization has an incident response playbook to guide decision-making during a cybersecurity incident. However, that figure jumps to 90% among enterprises with more than 10,000 employees, compared with 60% of small businesses with fewer than 100 people on staff.

The “people problem” is just one of the insights from the CyberRisk Alliance Business Intelligence survey of 205 security and IT leaders conducted across North America. About 49% of respondents rated their organizations’ readiness to respond to and recover from an incident as high, and about 50% gave a moderate to low rating on readiness.

While just over two-thirds of respondents (67%) have a dedicated incident response team, a cybersecurity incident is nonetheless a stressful time for any organization. 

One IT director at a high-tech company described an incident as “chaotic, frenzied — we're all hands on deck, working 24/7,” while a network services engineer at a different organization said the staff was “overworked, stressed, and pushed to their limits.”

Those responses aren’t too surprising as 49% of respondents said the top challenge for their organization was a shortage in qualified IT and security staff, followed by limited budgets at 46%.

But all is not lost, as other respondents in the security field said they felt supported in their missions and their organizations had realistic expectations about a potential security breach.

Here are four key takeaways from the report, “Controlling the chaos: The key to effective incident response.”

  • Incident response efforts tend to prioritize plans over people: 73% of respondents say their employer has a playbook to guide IR actions, but only 63% have a team structure dedicated to IR. However, organizations that do have a team report higher IR readiness overall compared to any other metric we looked at, including that of an IR playbook or strategy.
  • People are the most important assets — and top challenge areas — for IR: There simply aren't enough qualified IT and security personnel to staff IR operations, say respondents. Thus, existing responders are stretched thin and prone to burnout. Just over one-third strongly agree that their IR teams are not given sufficient resources to do the job, nor enough time to study and learn from past incidents.
  • Problem-solving and team skills are considered just as critical as technical skills: 68% of respondents rank problem-solving as the most or second-most important people skill for incident response. Team skills and oral communication are also must-haves, considered just as important as technical skills like incident analysis and knowledge of tactics, techniques, and procedures (TTPs).
  • High morale is most common among orgs with established IR teams that adopt a learner mentality: Nearly all respondents say their employer has suffered a security incident, but confident IR practitioners say they’ve provided structure and support for their teams to continually improve and iterate on the IR formula. As one respondent says, “We review response strategy right after an incident has been addressed, and we look for things that could be improved and highlight what worked well.”

Tabletop exercises were used by 55% of respondents as a way to verify or measure incident response readiness, followed by third-party assessment (50%), drills (39%), and performance reviews (38%), among other methods.

Respondents valued problem-solving as the No. 1 “people skill” for incident response at 48%, followed by team skills (46%), oral communication (25%), and time management (23%) among the top four skills.


Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
