Building a security incident response team
A SIRT does not come into existence because someone decided the organisation should have one. It comes into existence when the organisation genuinely understands what incidents cost without one, and when the people responsible for that understanding have the authority and will to build it. That is a ChangeShop problem, and it is the first problem to solve, before any conversation about roles, tooling, or structure.
The ChangeShop lens matters here because organisations are homeostatic systems. They have reached their current state through accumulated decisions, and they resist changes that disrupt that state, not out of malice but because homeostasis is what organisations do. A SIRT changes how incidents are identified, escalated, communicated about, and learned from. Each of those changes touches existing processes, existing roles, and existing power relationships. Understanding that resistance as information, rather than treating it as obstruction, is what separates a SIRT that gets built from one that gets discussed at three consecutive quarterly reviews.
The PSL framing is equally relevant to how the SIRT itself is assembled. The rational layer covers structure and roles. The emotional layer covers how people feel about being the person who identifies that something went wrong. The political layer covers who has the authority to declare an incident, to communicate it externally, and to require change in response to what post-incident review reveals. Attending to all three is what makes the SIRT functional rather than nominal.
Why and what before how:
Building the structure: