The First Line of Defense | Crafting an Impactful Incident Response Plan

Cybersecurity incidents are no longer black swan events. Over the past few decades they have become so common that few organizations are spared the ripple effects of successful cyberattacks.

A strong incident response strategy is one of the most important lines of defense an organization has against threat actors. Depending on the type of incident and how much it affects the targeted organization, the incident response process can involve a large number of moving parts.

This blog post describes the essential elements of an effective cyber incident response plan. There is no single way to build such a plan, but there are key elements that security leaders can include to move their organizations towards cyber preparedness.

The Importance of Having an Incident Response Plan

At its core, the incident response cycle involves detecting and identifying cyber threats, analyzing and containing them, and capturing lessons learned afterwards. Every cyber incident is different, and each one should be treated as a learning experience for the cyber incident response team.

If cyber incidents are not properly contained, they can have significant impacts on the organization. Those impacts can linger long after the initial attack and, in severe cases, include loss of new business, damage to the organization's reputation and brand, complex lawsuits, and even bankruptcy.

Treat Cyber Risk As A Strategic Risk

When planning cyber incident response, understanding the 'why' behind cybersecurity gives leaders a stronger foundation on which to build strategies, policies, and processes. As an example, Simon Sinek's Golden Circle can be used to frame an approach to incident response. Sinek's model consists of the following three questions, asked in this order: Why? How? What?

  1. Why do we need cybersecurity in the organization? Leaders may answer that they must protect the confidentiality, integrity, and availability of their organization's information and resources.
  2. How can we do that? Many organizations approach cybersecurity holistically, focusing on people, processes, and technology.
  3. What does that do for the business? Senior leadership may tie security to meeting the organization's mission and objectives, as it helps them serve their customers and protect their stakeholders' interests with trust and transparency.

When organizational leaders treat cyber risk as a strategic risk, it sets the tone for the whole organization to think about security before carrying out any task. In the case of cyber incident response, starting with 'why' empowers teams to take a proactive rather than a reactive approach.

Lay Out The Responsibilities of the Incident Response Team

The collective goal of a cybersecurity incident response team is to minimize disruption and losses by identifying incidents quickly and mitigating them effectively.

Such a team commonly comprises experts from various business units, whose collaborative effort is coordinated to bring an incident to a quick resolution before the organization suffers financial and reputational losses.

Though incident response teams will look different based on the size, industry, and needs of the business, they are typically responsible for the following key tasks:

  • Establishing Processes, Plans & Procedures – The incident response team takes into consideration the 'why' that leaders have defined. Processes are then tailored to meet that 'why' and to define clearly what constitutes an incident for the organization. From this, incident prioritization matrices and playbooks can be created for the security scenarios most likely to affect the business and its industry.
  • Maintaining An Incident Response Inventory – Incident response teams need to be aware of trending cyber threats and keep an up-to-date view of all critical assets within the organization. The availability of incident analysis resources such as network diagrams, contact lists, and an application inventory is a key success factor for incident response.
  • Incident Analysis – Incident response teams regularly monitor for indicators of compromise and collect data for analysis. During active incidents, the team is responsible for determining whether third-party support is needed to contain the threat. A security operations center (SOC) team plays a key role here by identifying incident indicators and responding in a timely manner. Increasingly, organizations are adding AI-driven tooling to their security stack to reduce mean time to containment and respond to cyber threats more effectively.
  • Communications & Reporting – Incident response teams follow predetermined channels for communications during and after a security incident. These channels define what needs to be reported, when it needs to be reported, and to whom. As per the defined responsibilities, internal and external communications can be handled by the incident response team with direction from the legal and PR teams. Notifying the appropriate cyber insurance providers, third-party incident support, legal counsel, and regulatory authorities as required can save organizations from liabilities and financial burdens. Many regulatory regimes impose notification deadlines (for example, 72 hours for personal data breaches under the GDPR), and cyber insurance policies commonly require prompt notice and may restrict which response firms can be engaged, so those deadlines and contacts belong in the plan itself rather than being looked up during an incident.

Depending on the organization's size, maturity, and industry, some roles within an incident response team may overlap. This is why defining the responsibilities of each role within the incident response plan is crucial to its success.

Determine Involvement From Internal & External Parties

A common misconception is that incident response is limited to IT and security teams, and that no other parties are actively involved in dealing with a cyber incident. For a strong and cohesive incident response effort, incident response teams work best when they know when to involve key contacts from other departments to carry out the plan.

Internal Dependencies

Incident response is a shared responsibility and champions from each department will need to be informed and trained in how best to support the incident response team during an active security event.

Internal dependencies refer to communications between the incident response team and representatives from IT, Physical Security, Legal, Risk Management, Human Resources, Public & Media Relations, Board of Advisors, and any other applicable head of department.

External Dependencies

External dependencies are parties outside the company: customers, vendors, third-party incident response partners, cyber insurance providers, outside legal counsel, regulatory agencies, and law enforcement. Messaging to customers and vendors must be carefully directed by the Public & Media Relations team in consultation with the Legal team to ensure an approved and unified message is delivered across the board.

Involving cyber insurance providers and any third-party response partners is key both financially and operationally. Often, incident response team members, including defined points of contact, are responsible for notifying the proper regulatory bodies and law enforcement as legally required in order to avoid fines.

Define The Scope for Future Improvement

While it is important to document processes and policies before cyberattacks occur, incident response teams are also integral to improving them after an incident. The team ensures that senior leadership makes time to evaluate lessons learned after incidents and to close the loop on any identified gaps and remediation tasks.

By holding lessons-learned sessions, incident response teams can help leaders evaluate performance, identify systemic challenges, and improve capabilities going forward. This is an invaluable, and often overlooked, element in improving an organization's security posture over time. Defining the scope for future improvement looks like:

  • Post Incident Activities – It is important to understand what worked and what did not during the incident response process. Any suggestions to streamline the process or plan can help improve the overall incident response plan for similar future events. Keeping a log of incidents is also valuable: it lets teams approach response in a more structured manner and creates a measurable benchmark that can be referenced again.
  • Actionable Metrics – Defining metrics around incident categories lets organizations re-examine their risk assessment process, which helps senior leaders iterate on the required controls and mitigation measures. Tracking similar types of incidents and checking whether the time to detect and the time to contain each one has decreased are useful indicators that the incident response process is improving.
  • Updated Training & New Exercises – Carrying out periodic cross-functional training and tabletop exercises helps teams prepare and identify gaps. Most importantly, it lets teams learn how they need to communicate and collaborate with each other during an incident.
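The incident log and metrics described above are easier to act on when they are computed the same way every quarter. The following Python script is an added example, not code from the original post or from SentinelOne: it takes a constructed incident log (the record layout, categories, quarters and timestamps are all assumptions made for illustration) and computes mean time to detect and mean time to contain per category and quarter, flags incidents that are still open, and reports the quarter-over-quarter trend the text describes.

```python
"""Incident-log response metrics (added example; log data is constructed).

Each log record carries the three timestamps that drive response metrics:
  started   - when the attacker activity began, as established by forensics
  detected  - when the response team became aware of it
  contained - when containment was confirmed (None while the incident is open)
MTTD = detected - started, MTTC = contained - detected, both in hours.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log; IDs, categories and timestamps are illustrative only.
INCIDENT_LOG = [
    {"id": "INC-001", "category": "phishing", "quarter": "2023Q1",
     "started": "2023-01-10T08:00", "detected": "2023-01-10T20:00", "contained": "2023-01-11T10:00"},
    {"id": "INC-002", "category": "phishing", "quarter": "2023Q1",
     "started": "2023-02-03T09:00", "detected": "2023-02-03T17:00", "contained": "2023-02-04T03:00"},
    {"id": "INC-003", "category": "phishing", "quarter": "2023Q2",
     "started": "2023-04-12T10:00", "detected": "2023-04-12T14:00", "contained": "2023-04-12T20:00"},
    {"id": "INC-004", "category": "phishing", "quarter": "2023Q2",
     "started": "2023-05-20T07:00", "detected": "2023-05-20T09:00", "contained": "2023-05-20T11:00"},
    {"id": "INC-005", "category": "ransomware", "quarter": "2023Q1",
     "started": "2023-03-01T22:00", "detected": "2023-03-02T06:00", "contained": "2023-03-03T06:00"},
    {"id": "INC-006", "category": "ransomware", "quarter": "2023Q2",
     "started": "2023-06-15T01:00", "detected": "2023-06-15T03:00", "contained": None},
]


def _hours(later, earlier):
    return (later - earlier).total_seconds() / 3600


def response_metrics(log):
    """Return {(category, quarter): {"count", "open", "mttd_h", "mttc_h"}}.

    mttc_h is None for a bucket in which no incident has been contained yet.
    Records with timestamps out of order are rejected rather than silently
    producing negative durations that would flatter the averages.
    """
    buckets = defaultdict(lambda: {"detect": [], "contain": [], "open": 0})
    for rec in log:
        started = datetime.fromisoformat(rec["started"])
        detected = datetime.fromisoformat(rec["detected"])
        if detected < started:
            raise ValueError(f"{rec['id']}: detected before started")
        bucket = buckets[(rec["category"], rec["quarter"])]
        bucket["detect"].append(_hours(detected, started))
        if rec["contained"] is None:
            bucket["open"] += 1
            continue
        contained = datetime.fromisoformat(rec["contained"])
        if contained < detected:
            raise ValueError(f"{rec['id']}: contained before detected")
        bucket["contain"].append(_hours(contained, detected))

    return {
        key: {
            "count": len(b["detect"]),
            "open": b["open"],
            "mttd_h": round(mean(b["detect"]), 1),
            "mttc_h": round(mean(b["contain"]), 1) if b["contain"] else None,
        }
        for key, b in buckets.items()
    }


def trend(metrics, category, earlier, later, field="mttc_h"):
    """Percent change of one metric for a category between two quarters.

    Negative means the metric went down (faster detection or containment).
    Returns None when either quarter has no value for the metric.
    """
    before = metrics.get((category, earlier), {}).get(field)
    after = metrics.get((category, later), {}).get(field)
    if before is None or after is None:
        return None
    return round((after - before) / before * 100, 1)


if __name__ == "__main__":
    m = response_metrics(INCIDENT_LOG)
    for (category, quarter), v in sorted(m.items()):
        print(f"{category:<12}{quarter}  n={v['count']} open={v['open']} "
              f"MTTD={v['mttd_h']}h MTTC={v['mttc_h']}h")
    print("phishing MTTC change Q1->Q2:", trend(m, "phishing", "2023Q1", "2023Q2"), "%")
```

In the constructed data, phishing MTTC falls from 12.0 h to 4.0 h between the two quarters (a 66.7% reduction), while the open ransomware case in 2023Q2 is counted but excluded from MTTC, so an unresolved incident cannot make the containment average look better than it is.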


Successful incident response requires collaboration across an organization's internal and external parties. As cyber incident response teams work on reducing time to containment, it is essential for organizations to think about incident response holistically. A top-down approach, in which senior leadership fosters a culture of strong security, leads every department to do its part to support the response when an incident occurs.

Security leaders from all industry verticals have partnered with SentinelOne to augment their security vision and safeguard their company’s critical data. As incident response teams and leaders work together to build security resilience and implement long-term initiatives, SentinelOne’s industry experts are on hand to assist organizations as they stand up their new strategies. Contact us for more information, or sign up for a demo today.