Maturing IR Capabilities into an Incident Management Program – Part 1 of 3

March 24, 2017

We’ve all heard that it’s not a matter of “if,” but “when.” The statement has become a stale mantra of sorts, but it is still the impetus for the necessary and dramatic shift taking place in enterprise-level cyber security program strategy: away from prevention alone and toward the assumption that a breach will occur and must be handled well.

Incident response has become one of the most critical aspects of any overall security strategy, but a solid incident response program (IRP) is something many organizations – both large and small – either lack entirely or don’t take seriously enough.

What makes a good IR plan? Maybe more importantly, what makes a bad one? What IR planning mistakes have Optiv experts helped organizations overcome?

In this three-part blog series, we aim to answer these questions and more.

Maturing IR

Incident response capabilities, where do we begin?

As a foundation, there are some critical security program components that need to be in place before an organization can build a response plan or in-house capability. A responder who cannot tell what a compromised host is, who owns it, what data it holds or what changed on it last week cannot scope or prioritize an incident. Three key supporting components are:

  • ITIL fundamentals (asset management, change management, configuration management, patch management), so that a reported host, user or application can be tied to an owner, a known baseline and a recent change history
  • An existing enterprise risk management (ERM) program or, at minimum, the ability to identify, classify and prioritize the risks and the data owned and managed by the enterprise, so that “critical” means the same thing to responders and to the business
  • Standard prevention technologies (firewalls, antivirus, etc.), together with the logging they and the systems around them produce, since response depends on having evidence to analyze

What needs to be part of an IR plan?

Good incident response plans incorporate a full complement of stakeholders across the enterprise. An IR playbook is required for the technical response tactics: triage, containment, forensics, chain of custody for evidence, etc. However, a full response plan goes beyond the playbook and incorporates legal, enterprise risk stakeholders, business line owners and marketing/communications, because a breach raises notification, regulatory and reputational questions that the technical team is not positioned to answer alone.

Formulating the plan requires a programmatic approach and must start from a company’s most critical assets and business processes. From there, the organization identifies the business line stakeholders and key people who have the most insight into those assets and processes, and brings them together with the actual security incident response owners, legal and ERM. That combination provides the enterprise-wide view of what constitutes a full response plan.

Incident prioritization must take into account varying enterprise stakeholder perspectives; the same compromised server may be a low-priority event to IT and a reportable breach to legal. Key response and recovery procedures must include designated points of contact within each stakeholder group. Good IR plans include procedures and points of contact for each phase of an incident, following the lifecycle defined in NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

Why do so few companies have an IR plan?

Traditionally, companies assume that information technology and/or information security/risk own IR planning, and that those teams have already taken care of it, which is often not the case. Unfortunately, IR planning is too often “event-driven” and doesn’t receive the proactive recognition or attention it requires until after an incident. Unrehearsed and unstructured incident “reaction” typically results in miscommunication, mishandling of evidence and, ultimately, a very expensive and embarrassing lesson.

IR planning is too often viewed as a project instead of an ongoing program, and as a “necessary evil” instead of something that adds value to the company. The plan has to be a living document that is regularly tested (tabletop exercises at minimum), reviewed and updated to account for lessons learned from real incidents and exercises, changing industry conditions, and environment upgrades or new installs that change who owns what.

What’s next?

In part two of our blog post series, we will move to the more tactical and specific aspects of IR planning: the mistakes Optiv’s expert IR consultants consistently find that companies make in creating their IR plans, and how to learn from those mistakes to institute a solid plan.

By: Jenn Black

Senior Research Principal for the Solutions R&D
