The evolving role of security and IT in DR and incident response

CIOs have a long history of managing incidents and disasters through established IT practices, guided by frameworks such as ITIL for incident management and disaster recovery. However, as ecommerce has proliferated, security threats have increased, elevating cybersecurity to a board-level concern. Early cybersecurity threats were limited in their scope and damage, but current threats can ruin a business. Threats have evolved from the malware and denial-of-service attacks of the early ecommerce era to ransomware attacks that threaten the ability of a business to operate. According to an IDC survey, “Ransomware attackers are getting more effective at finding valuable data; half of North American ransomware attacks where data was exfiltrated included the loss of valuable, sensitive, or security data (Future Enterprise Resiliency and Spending Survey, Wave 11, IDC 2023). Worldwide responses show that attackers are increasingly able to extract more sensitive data.” In another survey, “Over half of organizations report cybersecurity posture to the board of directors at least quarterly.” (IDC Worldwide CEO Survey, February 2024).

Given such a heightened threat, tools, technologies, and IT organizations have evolved accordingly. For critical infrastructure, regulatory requirements and standards have evolved as well. This has resulted in some overlap between security standards and frameworks and IT, which, if not managed effectively, can ruin the company’s ability to respond.

The convergence of IT and IT security standards for responding to operational and security threats

The convergence of IT frameworks such as ITIL and evolving security standards requires a cohesive approach to managing IT services and cybersecurity threats. ITIL’s focus on structured IT service management — covering incident, problem, change, and service continuity management — naturally overlaps with security frameworks like NIST and ISO/IEC 27001, which emphasize identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents.

Before the rise of the security operations center, the IT command center coordinated with operations teams to respond to all incidents, engaging the typically small security team within IT. Modern SOCs are equipped with advanced tools and technologies such as security information and event management (SIEM) systems, threat intelligence platforms, and automated response solutions. These enhancements enable the SOC to proactively monitor, detect, and respond to security incidents in real time. Despite these advancements, when an incident is reported, it is often unclear whether it is a security event or not. Further, the IT command center’s central data collection may produce alerts that differ from the SOC’s. When an incident occurs, both the IT command center and the SOC are alerted. The cause may be a configuration issue, a data exfiltration attempt, a ransomware attack, a false alert, or something else. Both the command center and the SOC are ready to respond. This ambiguity demands a coordinated and efficient response to minimize potential damage.

Collaboration between IT and security operations

The chief information security officer (CISO) and the SOC are at the forefront of preventing and responding to security incidents. Quick and effective response is crucial, but equally important is the collaboration between IT operations and security operations. This partnership is essential to determine if an incident is security-related, restore services swiftly, and mitigate any security exposures.

Depending on the organization, the CISO may report to the CIO, the risk management organization, or in some cases to the CEO or CFO. Collaboration is simpler when the CISO and the security organization report to the CIO, but this does not guarantee strong collaboration. Regardless of the reporting structure, by combining IT service management with robust cybersecurity practices, organizations can ensure efficient, comprehensive incident management.

To ensure a quick diagnosis and response without the two teams getting in each other’s way, the CIO and CISO can implement the following strategies.

Define clear roles and responsibilities

Clearly defining roles and responsibilities for the SOC, IT operations, and DevOps teams ensures that each team knows its duties during an incident, reducing overlap and confusion. Developing and regularly updating incident response plans that outline the specific steps each team should take when an incident occurs, including escalation protocols and communication channels, helps streamline the response process. Ensure the SOC shares information freely with the command center.

Conduct regular incident response exercises

Regular incident response exercises, such as tabletop simulations and live drills, are essential to test and refine response procedures. After each exercise or real incident, a thorough post-mortem analysis should be conducted to evaluate the response and make necessary adjustments to processes and plans.

Implement integrated communication platforms

Implementing integrated communication platforms that allow seamless information sharing among the SOC, IT operations, and DevOps teams is crucial. Tools such as incident management software and collaborative platforms facilitate real-time communication and coordination. Ensure that all relevant information about the incident, including logs, alerts, and diagnostics, is shared promptly and transparently among teams, to quickly identify the nature of the incident and decide on the appropriate response.

Leverage automation

Leveraging automation to handle routine tasks and the initial triage of incidents can significantly enhance response efficiency. Automated tools can quickly analyze alerts, correlate events, and identify patterns, allowing human analysts to focus on more complex and critical tasks. Security orchestration tools can coordinate actions between teams and systems automatically.

Establish joint response teams

Fostering collaboration through joint response teams and regular meetings of the SOC, IT operations, and DevOps teams ensures a unified and coordinated approach to major incidents. Joint response teams can work together during major incidents to ensure a unified response. Regular meetings to discuss potential threats, share insights, and review recent incidents build trust and improve the overall incident response capability.

In many organizations, there is often an overlap between the tools used by IT operations and security operations. For example, SIEM systems used by the SOC might collect similar data to what is monitored by IT operations tools. To address this overlap, it’s essential to establish clear protocols for tool usage and data sharing. By ensuring that there is a single source of truth, organizations can reduce redundancy, improve data accuracy, and enhance overall efficiency.


Gerald Johnston, an adjunct research advisor with IDC’s IT Executive Programs (IEP), founded GJ Technology Consulting, LLC, where he assisted global financial institutions and helped launch a UK startup bank. Johnston is an experienced financial services and consulting executive who excels at collaborating across teams to deliver results. Prior to his current role, Johnston led technology delivery for Wells Fargo’s Information Cyber Security, Technology, and Corporate Properties groups, where he and his team modernized the company’s Cyber Threat Fusion Center on behalf of the cybersecurity team. He was selected as a Wells Fargo Global Fellow, whereby he helped a Philippine Micro Finance Bank and its clients in conjunction with Bankers Without Borders. He is the former CTO of shared services for Wachovia, leading technology for Core Banking, Bank Operations, Finance, Risk, Legal and Marketing business units.
