Set up an incident response team (SIRT)
Some things in incident response can be automated. Many cannot. And some require not just people, but the right people — with the authority, skills, and temperament to keep their heads while everything else is on fire.
Your SIRT should have clearly defined roles and responsibilities, written down and communicated long before the first breach alert comes in. Typical examples include:
- Business unit managers – especially from Legal and HR – to drive and coordinate team activities, keep focus on minimising damage, and ensure the organisation recovers quickly.
- Technical lead – with strong executive backing and cross‑departmental access – to collect and analyse evidence, determine root cause, direct other security analysts, and oversee rapid system and service restoration.
- Specialists – stress‑tolerant experts in areas such as network intrusion detection, malware analysis, or forensics.
- Legal counsel – to provide guidance on compliance, liability, and any mandatory reporting.
- Communications lead – to manage internal and external messaging, ensuring accuracy and consistency under pressure.
- Documentation lead – to record all investigation, discovery, and recovery activities, producing reliable timelines for every stage of the incident.
These are only examples. Your context may require more or fewer roles, but clarity is non‑negotiable. The team must know who does what before the crisis hits.
While your active SIRT members may not be senior executives, it is wise to involve executives in recruitment and in organisation‑wide communications about the team.
A SIRT can also operate as part of a larger security operations team.
External partnerships: CSIRT.global
CSIRT.global is a volunteer‑led, non‑profit foundation registered in the Netherlands, with a mission to make the internet safer by finding and reporting vulnerabilities that others often overlook. It works internationally, in close cooperation with trusted CSIRTs, CERTs, infrastructure operators, and the wider security community.
What CSIRT.global does:
- Identifies and verifies vulnerabilities in systems, services, and devices.
- Notifies affected organisations and vendors, working to ensure vulnerabilities are fixed.
- Handles responsible disclosure, especially for large‑scale or internet‑wide issues.
- Shares findings with trusted partners to improve collective security.
Where it operates:
- Globally, with volunteer members and partner organisations across sectors and countries.
What it can do for your organisation:
- Assist in identifying vulnerabilities you may not have the resources to find yourself.
- Provide verified, responsibly disclosed reports to help you address issues quickly.
- Connect you to a trusted network of responders for coordinated remediation.
CSIRT.global is not an incident management contractor — they will not take over your breach investigation or run your SIRT — but they can be a valuable ally in the prevention side of security, especially for vulnerabilities that could otherwise go unnoticed.
SIRT vs. CSIRT.global: who does what?
| Task or responsibility | Your internal SIRT | CSIRT.global |
|---|---|---|
| Investigating active incidents (breaches, ransomware, intrusions) | ✅ Yes – core function | ❌ No |
| Coordinating incident response across departments | ✅ Yes | ❌ No |
| Legal, communications, and documentation during an incident | ✅ Yes | ❌ No |
| Identifying vulnerabilities in your systems | ✅ Sometimes (if trained) | ✅ Yes – focus area |
| Large‑scale or internet‑wide vulnerability scanning | ❌ Not usually | ✅ Yes |
| Responsible vulnerability disclosure to vendors/affected parties | ❌ Not always | ✅ Yes |
| Sharing threat and vulnerability intel with trusted networks | ✅ Sometimes | ✅ Yes |
| Acting as a breach “first responder” | ✅ Yes | ❌ No |
| Long‑term preventative security collaboration | ✅ Yes | ✅ Yes |