Maturing IR Capabilities into an Incident Management Program – Part 2 of 3

By Jenn Black, Jeff Wichman, Case Barnes, Erik Schmidt, Curtis Fechner

The capability to respond effectively to cyber incidents is one of the most critical components of an enterprise security program. However, many companies still have no solid incident response program (IRP) at all, or do not take incident response planning seriously enough.

In part one of this blog series, we surveyed where to start with incident response planning and covered some of the supporting components of incident response and security incident management programs. In this second part, we have tapped our incident response consultants’ expertise and asked them to tell us, from the trenches: What makes a good IR plan? And what IR planning mistakes have they seen, and worked with Optiv clients to remedy?


How do you formulate a good incident response plan?

Start by identifying the important pieces of your current environment. Develop a clear and continually updated understanding of the company’s critical and sensitive business information, assets, applications and technology infrastructure (whether managed internally or by third parties), and of how law, regulation, financial and fiduciary responsibility, and customer and employee privacy requirements prescribe that each of them be maintained, operated, stored, handled, transmitted and disposed of.

Understand the legislation and regulations that govern reporting of intentional or accidental disclosure of critical or sensitive information (cardholder data under PCI DSS, PHI, PII). Know where the company’s critical and sensitive information is stored, whether internally or by contracted third parties.

Engage representatives of the business areas mentioned below, meet on a regular basis and establish clear and unambiguous roles and responsibilities. Assign and empower an owner with the business and technical acumen needed to lead IR planning. Align the IRP to internationally accepted and recognized best practices (for example ISO/IEC 27035, CERT and NIST SP 800-61), establish a common vocabulary and leverage common processes (communication, classification, action plans) across the enterprise to ensure program consistency, transparency and defensibility.

Who needs to be part of an IR plan? What processes need to be included?

A clear IRP owner who will administer and operate the program should be identified. He or she should assemble a team of decision-makers, authorized and empowered by the company’s executive management team, drawn from information security/risk, legal counsel, compliance, public relations, human resources and information technology, together with contracted or certified third parties who will assist with response, evidence collection, preservation and forensic activities.

All employees and applicable third parties must understand their roles and responsibilities (via acceptable use policies) so that they recognize and report suspected security program weaknesses and potential incidents.

The plan should define what the organization classifies as an incident and include a severity scale appropriate to the organization and its industry. It should also establish an after-action report or continuous improvement process for the post-incident phase; this is critical, because it lets the organization improve its security posture based on what actually happened during an incident.

What mistakes do firms make with their IR plans?

The biggest problem facing most enterprises is the absence of a “big picture” view of the incident response program. The IRP needs to grant the IR team and the security organization adequate authority to do the job effectively. Buy-in at the executive level is required to make the IR plan a component of corporate policy and to ensure cooperation from the rest of the business.

When we look more tactically at the execution of IR plans, the biggest mistakes we see security organizations or CERT teams make include, to varying degrees, the following:

  • Not understanding their legal, regulatory, financial and customer/employee information responsibilities
  • Not understanding where this information is stored, either internally or externally
  • Not establishing clear channels and responsibilities for internal and external communications
  • Viewing IR activities as a stand-alone project, not an ongoing and iteratively improving program
  • Trying to reinvent the wheel vs. following accepted and recognized IR practices
  • Not testing the IR plan as a whole at regular intervals

What’s next?

In part three of our blog post series, we will discuss required capabilities of a mature IRP, and why the best companies are looking to grow their IR capabilities into a comprehensive security incident management program.


Jenn Black

Senior Research Principal, Solutions R&D

Jennifer Black is a seasoned global security program manager with more than 15 years of industry experience. Currently, Black serves as a senior research principal for solutions research and development with Optiv. In this role, she conducts primary and secondary research with the goal of creating security programmatic guidance that provides insight and direction to security leaders.


Jeff Wichman

Managing Security Consultant, Enterprise Incident Management

Jeff Wichman is a managing security consultant in Optiv’s enterprise incident management practice. Jeff’s role is to provide leadership to the enterprise incident management security consultants, technical expertise in digital forensics and incident response programs and processes, and mentoring to the Optiv enterprise incident management team.

Case Barnes

Practice Manager, Enterprise Incident Management and Response

Case Barnes is a manager of Optiv’s enterprise incident management practice where he provides clients tactical solutions to mitigate the consequences of executing malicious code and the actions of internal and external threat actors.

Erik Schmidt

Practice Manager, Enterprise Incident Management

Erik Schmidt is a practice manager in Optiv’s enterprise incident management (EIM) team. Erik’s role is to help clients manage security incidents within enterprise environments, and to assist in the development and testing of incident response programs and processes.


Curtis Fechner

Senior Incident Management/IR Consultant

Curtis Fechner is a senior security consultant in Optiv’s enterprise incident management practice. Curtis’ role is to assist Optiv’s clients in containing and investigating information security incidents through forensic investigation and malware analysis. Curtis also assists Optiv clients in proactively evaluating their existing incident response and incident management practices and programs, with a focus on helping organizations enhance the overall maturity of those programs and improve their general security posture.