How to build a cyber security incident response team (CSIRT) – IT Governance UK Blog

Who will you call when your organisation has been compromised? Having a cyber incident response team ready to go can save your organisation from disaster.

There’s no escaping the threat of cyber security incidents. Criminals are constantly poised to exploit vulnerabilities, and employees use complex IT systems where mistakes are bound to happen.

Investing in cyber defences can reduce those risks, but organisations need to be ready for threats they can’t prevent. A CIR (cyber incident response) plan does just that, outlining strategies for identifying and responding to security breaches.

An effective plan can quickly stop disruption from turning into a disaster. Of course, the plan itself is only half the equation; you also need a team to carry it out. In this blog, we explain the essential cyber incident team roles and how you can fill them.

Who should be on a CIR team?

• A manager coordinates the CIR plan and puts together a team.
• Group leaders oversee specific areas of the response plan.
• Incident handlers are floor-level managers who advise the employees conducting the response.
• Hotline, helpdesk or triage staff answer questions from stakeholders.
• Artifact analysis staff review the function, architecture and design of software.
• Platform specialists monitor and analyse the functionality of platforms and applications.
• Trainers teach employees how to carry out the necessary steps in the CIR plan.

How to assemble the team

There are three ways an organisation can create its team:

1. Internally resourced: The organisation assigns roles to its employees and conducts all incident response activities itself.
2. Partially outsourced: The organisation hires a third party to oversee certain elements of its incident response activities, and lets its own employees cover all other aspects of the plan. For example, it could appoint experts to control the management aspects and use its employees for the technical aspects, or have hotline operators and helpdesk staff on retainer.
3. Fully outsourced: The organisation subcontracts all elements of its incident response activities. A single third party might manage every aspect, or the organisation could appoint different specialists for each task.

What skills and experience are required?

The skills and experience needed by your team will depend on the nature of your business and the complexity of your in-house incident response capabilities.

However, as the NCSC (National Cyber Security Centre) notes, there are some competencies that organisations should look out for when building their team.

The first is your team’s ability to remain aware of cyber security news and trends. If you’re familiar with emerging developments in the way criminals target organisations, you can pre-empt an attack and implement defence and response measures.

Another key experience is to perform trial runs of your incident response measures based on real-world scenarios.

You might do a full-scale trial or look at specific elements of the response. For example, you might focus on the technical elements of your plan, the way management responds or the logistics of a plan among the entire workforce.

Finally, your team should receive training to help them better prepare for a cyber security incident. There are specific courses dedicated to this, such as our Cyber Incident Response Management Foundation Training Course.

This one-day course provides a full introduction to developing a cyber incident response. Our experts will show you how to manage and react to business disruptions, including:

• How to recognise common cyber threats and understand threat actors;
• The components of the cyber kill chain; and
• How to define the structure roles and responsibilities of the cyber incident response team.

A version of this blog was originally published on 26 November 2018.