SIRT roles: who does what?

Even small SIRTs (security incident response teams) benefit from clearly defined roles. Clear responsibilities reduce confusion during incidents and ensure that critical actions are never missed because everyone assumed someone else was handling them.

Essential roles

  1. Incident lead:

    • Oversees the entire response process.

    • Makes strategic decisions and escalates to leadership when needed.

    • Keeps the team focused under pressure.

  2. Technical lead:

    • Investigates technical aspects, from malware to system compromise.

    • Coordinates forensic evidence collection and preservation, including chain of custody, so that findings remain usable later.

    • Works closely with monitoring and SOC teams if they exist.

  3. Communications lead:

    • Manages internal messaging to staff and leadership.

    • Prepares external communications if necessary (customers, regulators, press).

    • Keeps messaging consistent, accurate, and timely.

  4. Documentation lead:

    • Records all incident actions, timelines, and decisions as they happen, with timestamps, rather than reconstructing them afterwards.

    • Produces post-incident reports for learning and compliance purposes.

  5. Business representatives:

    • Legal, HR, and management ensure operational decisions align with organisational priorities.

    • Provide context on business-critical systems and potential impact.

Tips

  • These are only examples; your context may require more or fewer roles. Roles can be combined if the team is very small, but every responsibility must still have a clearly named owner.

  • While your active SIRT members may not be senior executives, it is wise to involve executives in recruitment and in organisation-wide communications about the team.

  • Assign responsibilities in advance, not on the fly during an incident; improvising roles under pressure increases mistakes and delays.

  • Use visual charts or simple tables to make roles and responsibilities immediately clear.

  • A SIRT can also operate as part of a larger security operations team.

Clarify your SIRT roles with us