Set up an incident response team (SIRT)

There are some things that only people, and in some cases only certain people, can do. Some things simply cannot be automated.

  • A manager from each major business unit, including Legal and HR, to drive and coordinate all incident response team activity and keep the team focused on minimizing damage and recovering quickly.

  • A tech lead with strong executive support and interdepartmental participation, to collect and analyse all evidence, determine root cause, direct the other security analysts, and implement rapid system and service recovery.

  • Stress-tolerant team members specialised in network intrusion detection, malware analysis or forensics.

  • A legal expert to provide legal guidance and participation.

  • A communications expert to lead the effort on messaging and communications for all audiences, inside and outside the company.

  • A documentation expert to document all team activities, especially investigation, discovery and recovery tasks, and develop reliable timelines for each stage of the incident.

These are just example roles and responsibilities. Whatever they are in your context, document the roles and communicate them clearly, so that the team is well coordinated and knows what is expected of it before a crisis happens.

While the active management members of the team will likely not be senior executives, ask executives to participate in major recruitment and communications efforts. A SIRT can be a part of a security operations team.