How to Improve Your Incident Response Plans and Team


Incident response must become part of every enterprise’s cybersecurity efforts. Yet most either let their incident response languish or neglect it entirely. 

The longer you neglect your incident response, the more likely hackers are to penetrate your network and cause untold damage. Hackers, after all, love targeting low-hanging fruit, and few targets prove more low-hanging than unprepared businesses. Without an incident response plan, your enterprise may end up scrambling during an incident and exacerbating the problem. 

Therefore, you need to improve your incident response plan. Here’s how you can start. 

How to Improve Your Incident Response Plans and Team

1. Aim For 24/7 Preparedness

It’s no secret: hacking now constitutes a global enterprise. That means it follows global business hours, i.e. 24 hours a day, 7 days a week. 

Even if you serve a global enterprise yourself, ensuring constant cybersecurity and incident response surveillance proves easier said than done. Even automated solutions like SIEM require human intelligence to help them distinguish false positives from legitimate alerts. 

Unfortunately, human intelligence remains bound to physical humans, who need to sleep and have a reasonable work-life balance (more on that in a bit). 

Yet to improve your incident response, you need to aim for as close to 24/7 preparedness as possible. This can mean having a night shift of threat hunters and incident response team members. If you serve a global enterprise with the resources to employ such a team, this may not prove far-fetched. 

However, if you work for a smaller business, solution providers still offer ways to help you improve your incident response. If you struggle to fill your cybersecurity staff roles, you can seek out a managed security services provider (MSSP). These can handle your cybersecurity—including SIEM and incident response—for you, including interacting with employees during an incident. 

For businesses with a limited but staffed cybersecurity team, you can also employ the MSSP to take over the hours when the team can’t work. Thus your business can enjoy a stronger incident response plan without risking burnout.

SMBs aren’t the only ones who can enjoy these perks; enterprises can absolutely take advantage of them as well.

However, speaking of the cybersecurity staffing crisis…

2. Seek Out Volunteers or Virtual Members

We’ve heard the reports: millions of cybersecurity jobs look to go unfilled over the next few years; meanwhile, increased burnout rates among members of the cybersecurity community result in lower retention rates. There doesn’t seem to be an end to the portents of doom and gloom. 

All of which means your enterprise’s incident response team, without help, could easily suffer in the short and long term. While your entire enterprise should become involved in your incident response plan (we go into more detail about that below), you need cybersecurity experts to handle the most technical parts of mitigation and removal. 

So having an in-house cybersecurity team for incident response remains the ideal. However, you can improve your incident response by expanding your IT workforce beyond the merely physical. 

AT&T Cybersecurity suggests you supplement your in-house team with virtual or volunteer members. In many ways, this resembles volunteer fire departments. For example, you can contact and coordinate these members through your IT Help Desk. Simultaneously, your Help Desk can handle the initial investigations and data gathering. 

Also, don’t rule out the power of automation via a SIEM solution. It can help bridge a lot of gaps caused by overworked or understaffed incident response teams. 

So far, these suggestions to improve your incident response have focused on the humans performing your incident response. Your enterprise should remember this reliance on the human in the digital world, especially in light of the next suggestion…

3. Keep Team Morale High

Burnout rates and the cybersecurity staffing crisis overall persist because of the incredible stress within cybersecurity. After all, a job in cybersecurity often requires constantly being on call, fielding requests and queries from other employees at nearly all hours, and investigating alerts both false and legitimate. That doesn’t even get into the stress of a security event or incident. Just thinking about it can provoke anxiety.

Of course, not every cybersecurity staff member suffers from burnout; some relish that environment. However, enough do for it to present a legitimate problem. Burnout can lead to a lack of focus and motivation, neither of which proves conducive to incident response or investigation. 

To improve your incident response overall, you need to take care of these vital members of your enterprise’s IT department. Here are a few suggestions on how to begin:

  • Encourage a sustainable and consistent work-life balance. If a team member needs time off, do not ask them to work from home during that time. Make sure you have any and all relevant information needed to handle issues related to their position during their absence, so they remain undisturbed. Don’t just encourage work-life balance; make policies that facilitate it. 
  • Only mandate reasonable hours for employees. If you need employees to work unusual or demanding hours, you may want to consider stepping outside the typical 9 to 5 workday schedule. Moreover, if you need someone to be on call, make sure you compensate them fairly (including overtime or more days off). 
  • Additionally, make sure your team receives fair compensation generally, including good benefits. 
  • Encourage healthy workplace habits, such as regular breaks. 

4. Keep Everyone Informed Of Your Incident Response Plan

Here’s a trick question: who in your enterprise is responsible for your overall cybersecurity hygiene and practices? 

Of course, the answer is “everyone.” 

Every employee, IT member, and C-suite executive contributes to your overall cybersecurity and thus your incident response effectiveness. Your C-suite and cybersecurity team should spearhead your efforts, without question. However, if you truly wish to improve your incident response, you need to involve your enterprise in its entirety.

Thankfully, your enterprise can do this in a number of ways! 

First, you can make cybersecurity training a regular occurrence for your employees. These training sessions don’t have to drag on; in fact, shorter sessions held more frequently improve long-term retention. What they do need to do is present critical threat intelligence in a digestible manner. 

Additionally, these training sessions must demonstrate proper best practices for recognizing threats and avoiding them as well as how to alert the incident response team in the event of a digital attack or phishing. This can happen even to the most conscientious employee. 

Moreover, you can reinforce these training sessions through employee reviews or rewards programs. While punishing employees for human error shouldn’t become a policy, you should make sure deliberate neglect of cybersecurity does result in consequences. On the other hand, rewards programs can encourage employees in a much more collaborative and constructive manner. 

Finally, the best way to improve your incident response efforts is to inform your employees about the incident response plan. Don’t just keep it in a binder in your Security Operations Center. Run drills with your employees, see if there are any inefficiencies, and highlight the principal points of contact during a security incident. Above all, keep everyone up to date. 

5. Have A Solid Chain of Command and Communication

This means both an internal chain of command and communication and an enterprise-wide one in the event of a security incident. To improve your incident response, you need an IT team that knows their roles and has the capacity to carry those roles out. These include (but are certainly not limited to): 

  • Team Leader.
  • Lead Investigator.
  • Communications Lead.
  • Documentation and Timeline Lead.
  • HR and Legal Representation.
  • Threat Hunter.

Your team may have more of some positions than others. Additionally, in the event of a breach, your non-IT departments may need to become involved, such as public relations, legal, and finance. They should know how to respond in the event of a breach and whom they must inform of a security incident. 

In fact, your incident response plan should also outline who in which department gets informed, when, and by whom. Your plan should have considerable detail to ensure you handle any attack in an efficient and comprehensive manner. 

If you would like to learn more about how to improve your incident response plans with SIEM, check out our SIEM Buyer’s Guide and Vendor Map!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.