I. A Multi-disciplinary Team-based Approach to Incident Response

A well thought-out and practical incident response plan is a key component of any comprehensive information security program. But, organizations often make the mistake of categorizing the incident response plan as an “IT issue” or a “legal issue.” A cybersecurity incident that results in a breach is an “issue” that affects several parts of the organization. Thus, the plan to respond to an incident should involve several parts of the organization.

For those of you who are not sports fans, please indulge me for a moment. An incident response plan involving only one department of an organization is like a basketball team where every member plays the same position. Like a team full of centers, the resulting plan may be so focused on defense and blocking that proactive steps such as early contact with law enforcement may be seen as too “risky” to include. As lawyers, we can often be so focused on the legal ramifications that we miss some of the practical business considerations of incident response. For example, as lawyers, we may want public communications to state the bare minimum regarding a breach; only what is legally required. But, making a minimalist statement may result in a public relations backlash for failing to disclose critical information in a timely manner. We need the other positions on the team to put our advice in context and achieve a “winning” result. An effective incident response plan is both a product and a tool of a multi-disciplinary incident response team (“IRT”).

Like building a successful sports team, crafting an effective IRT includes (1) identifying the necessary internal and external IRT members, (2) considering the strengths and weaknesses of each position and assigning roles and responsibilities accordingly, and (3) training the team members through practice to work together toward a common goal. Several publications can provide the basis for an adequate incident response plan. See, e.g., National Institute of Standards and Technology (NIST) Special Publication 800-61 or International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27035. Instead of focusing on the content of the plan, which is covered by those publications, this article will focus on assembling a team to (A) craft the incident response plan that will be most effective for the organization and (B) execute that plan in the event of a cybersecurity incident.

II. Identifying the Necessary Team Members and Their Strengths and Weaknesses

An effective IRT often includes the following members:

Position: Information Technology (“IT”)
  Internal Member(s):
    • Chief Information Security Officer (if the CISO sits within IT)
    • IT Management Personnel
  External Counterpart(s):
    • Technical Forensics Consultant
    • Co-location Facilities Contact

Position: Legal and Compliance
  Internal Member(s):
    • General Counsel or Designee
    • Privacy Officer
    • Chief Information Security Officer (if the CISO sits within legal or compliance)
    • Human Resources Personnel
  External Counterpart(s):
    • Outside Counsel

Position: Business Management
  Internal Member(s):
    • Chief Executive Officer, Chief Information Officer or Designee
    • Board Liaison
  External Counterpart(s):
    • Outside Counsel

Position: Public Relations
  Internal Member(s):
    • Chief Marketing Officer or Communications Manager
  External Counterpart(s):
    • Public Relations Firm

Position: Risk Management
  Internal Member(s):
    • Risk Management Specialist
  External Counterpart(s):
    • Insurance Consultant

A. Information Technology

Internal IT Department

The IT department of an organization is probably the team member most frequently thought of when it comes to responding to cybersecurity incidents. In many ways, the IT department (or the security department embedded within the IT department) is the base of the pyramid in incident response planning. It will likely have the largest number of IRT members and will be relied upon for the information on which other team members will act. The IT department will likely serve as the primary point of contact for many of the external IRT members. For example, the IT department will coordinate with the technical forensics consultant to determine the operational impact of a cybersecurity breach and remediate its effects. The IT department may also provide outside counsel or a consultant with the names of the individuals the breach may have affected, for purposes of compliance with breach notification laws.