10 Common Flaws in Incident Response Plans: Flaw #2 – Roles & Responsibilities

Alex Waintraub, with Frank Angiolelli
This blog series by Alex Waintraub mirrors the SafeHouse Podcast about the 10 Common Flaws in Incident Response Plans.

Alex Waintraub and special guest Frank Angiolelli, Founder and Managing Director of mSOC, author and cybersecurity expert, explore the second common flaw in Incident Response Plans: not defining roles & responsibilities for a cyber event. Read our blog about the importance of assigning roles & responsibilities ahead of time as part of your planning, and the considerations that go into those assignments. Listen to the podcast here: https://safehouseinitiative.org/10-common-flaws-in-incident-response-plans-flaw-2-undefined-roles-amp-responsibilities/


The Importance of Clearly Assigned Roles

A well-crafted incident response plan is the difference between a swift, coordinated recovery and a chaotic scramble. At the heart of this plan lies the critical task of defining roles and responsibilities. As Frank Angiolelli, the Founder and Managing Director of mSOC, explains, this step is essential for protecting the organization when a security incident strikes.

Establishing the Incident Coordinator

The first and most important role to define is that of the Incident Coordinator. This individual, sometimes referred to as the Incident Commander, is responsible for orchestrating the entire response effort. They are tasked with gathering the situation report, briefing the team, and ensuring that all necessary actions are taken and followed up on.

Angiolelli emphasizes that the Incident Coordinator should be adept at asking the right questions, rather than relying solely on technical expertise. Their role is to enable the team, not to dictate orders. The key is finding someone who can effectively quarterback the response, prioritizing tasks and keeping everyone aligned towards the common goal of protecting the organization.

Securing Top-Level Support

One of the biggest challenges the Incident Coordinator may face is gaining the full support and cooperation of the organization. Angiolelli stresses the importance of securing buy-in from senior leadership, all the way up to the CEO. Without this top-level alignment, the Incident Coordinator may struggle to reprioritize the work of other teams, leading to delays and inefficiencies.

To overcome this, Angiolelli recommends the Incident Coordinator be empowered to “go up the ladder” and escalate to higher levels of management if they encounter resistance or non-responsiveness. This ensures that the incident response process remains the top priority for the entire organization.

Socializing the Incident Response Program

Establishing clear roles and responsibilities is not a one-time exercise; it requires ongoing communication and socialization throughout the organization. Angiolelli suggests that the Chief Security Officer (CSO) or Chief Information Officer (CIO) should take the lead in introducing the incident response program and outlining the expectations for all team members.

This includes clearly defining the Incident Coordinator’s role and authority, as well as setting the expectation that everyone in the organization may be called upon to contribute their expertise during an incident. By socializing the program and setting these expectations in advance, the organization can be better prepared to respond effectively when a security incident occurs.

Leveraging External Expertise

For organizations without an in-house incident response team or experienced Incident Coordinator, Angiolelli recommends engaging external providers. These specialists can bring the necessary expertise and confidence to guide the response, especially in the face of a substantial or existential threat to the business.

The CEO, who is ultimately responsible for the organization’s resilience, can find great value in working with a third-party incident response provider. These experts can help establish the appropriate framework, ensure all key business components are considered, and coordinate the team towards a successful resolution.

Tabletop Exercises: Preparing for the Unexpected

Angiolelli’s parting advice to the audience is to regularly conduct tabletop exercises, where the incident response team walks through a simulated security incident. This allows the organization to test its preparedness, identify gaps in its roles and responsibilities, and make the necessary adjustments before a real crisis occurs.

By investing the time and effort into defining clear roles and responsibilities, organizations can position themselves for a more coordinated, efficient, and effective incident response. As Angiolelli aptly states, “Preparation in advance of the need leads to Clarity in the moment of action.” This proactive approach can make all the difference when the stakes are high, and the organization’s resilience is on the line.

Conclusion

The importance of clearly assigned roles in cybersecurity incident response cannot be overstated. By defining roles such as the Incident Coordinator and ensuring top-level support, organizations can navigate security incidents with greater agility and effectiveness. Socializing the incident response program ensures that everyone understands their role and can contribute effectively when called upon. Moreover, leveraging external expertise and conducting tabletop exercises further strengthens the organization’s readiness.

Ultimately, as Frank Angiolelli emphasizes, preparation and clarity are paramount. Investing in a well-defined incident response plan not only mitigates risks but also enhances the organization’s overall resilience. By adhering to these principles, organizations can turn potential chaos into a controlled response, safeguarding their operations and reputation in the face of cybersecurity threats.