Incident Response

Guide to Building an Efficient Incident Response Team

With the growing number of threats and the increase in their frequency, it is becoming critical for organizations to maintain an incident response team. A dedicated group of professionals who can defend servers, networks and other IT infrastructure and respond actively to security incidents is the need of the hour. The team may comprise experts working full-time, part-time or on a consulting basis.

The comprehensive response provided by an incident response team includes recommended changes to systems or organizational practices as protective guidance against future incidents. It also addresses non-technical concerns such as status reporting, handling personnel issues, assisting counsel and managing internal communications.

The Role of an Incident Response Team

An incident response team is a group of members who handle independent roles, multiple roles, or shared roles depending on the core requirement. Here we list a few general roles of an incident response team, but there may be more specific roles based on one's IR plan. Before we define the team roles, here are a few points that should be considered while defining them:

Define, Document, and Communicate – The roles should be documented and clearly communicated to the team members to ensure clarity and coordination within the team. Well-defined and documented team roles enable the team to act effectively in a crisis.

Establish, Confirm, and Publish Channels of Communication – Effective communication binds the team and keeps it motivated. This is significant in incident handling, as communication plays a major role when dealing with threats. Listing all contacts (internal and external) and defining and documenting a planned strategy for whom to contact and how tasks and communication flow (for example to the media or law enforcement) minimizes panic and reduces the time spent on containment.

Inter-departmental Participation Required – The incident response team seeks support from the IT security department as well as from legal and HR. IR, being part of IT security, seeks the participation of at least one executive from each major business unit. The HR and legal departments help fill the requirement gaps in corporate security, privacy and consulting services.


Role – Responsibility

Team Leader – Coordinates and leads incident response team activity, encouraging the team to minimize damage and maintain a quick containment time.

Lead Investigator – Analyses evidence, directs the team members, determines the root cause, and implements rapid system recovery.

Communications Lead – Acts as the active communication link between management, other departments, stakeholders, legal advisors, and others concerned with the IR process.

Documentation Lead – Documents the investigation process, team activities, and discovery and recovery tasks. Also determines a timeline for every stage of the incident.

HR/Legal Representation – The IR team should have an external supporting executive for legal and HR guidance so that the response is performed efficiently.


The Goal of an Incident Response Team


The goals of the team fall under three headings: Investigate, Report, and Response.

· Determine the priority of the threat.
· Determine and document the scope of the incident and its impact.
· Define asset value or impact.
· Categorize security incidents based on impact.
· Collect trending data and information to present the importance of incident response and the difference it can bring to the overall business.
· Investigate the root cause.
· Document findings.
· Implement IR strategies.
· Communicate with team members.


The main responsibility of an incident response team is to deal with the impact of an attack and the containment process. Hence, the team plays an important role in drafting the overall security policy of the organization. The more information the incident response team brings to management, the better the company can strengthen its security and establish channeled communication during a crisis.

An incident response team investigates the significance of the threat, reports the incident impact, and responds and communicates across the company. When not working on any threats, the incident response team meets regularly to review security trends and response procedures within the organization. If required, it drafts new strategies and implements them after they are approved by management.

Choosing Incident Response Team Members

Aim for round-the-clock availability – Incident response is a 24/7 job that demands attention 365 days a year. Practically, one cannot be onsite forever, but consider staying close to the workplace so that commuting is easy.

In the absence of full-time professionals, consider other options – While full-time hiring may not be possible, your existing information security team can be trained to acquire the necessary skills to respond quickly when required.

Monitor and motivate the team – Incident response is a stressful job, and constantly boosting the team helps keep its morale up. Staff burnout should be attended to immediately by hiring new analysts or by training the existing ones.


Incident response requires extraordinary skill and never-ending perseverance towards the task, mostly during times of crisis. It is not for the faint of heart, and that is what challenges many cybersecurity professionals to join the IR team. The real draw of being on the IR team is leadership, which is an exciting opportunity for aspiring leaders who want a challenging role. The profession calls for respect, courage, and dignity, which keeps the members motivated all the time.

Do you want to be a part of this recognized job role of incident handling? Become an EC-Council Certified Incident Handler now. It is a method-driven, comprehensive program that uses a holistic approach to cover the vast concepts of incident handling and response management, from preparing for the response process to the recovery of organizational assets after the incident.

Editor's Note:
Reviewed by Miguel Halling, President, Information Security Department, Incident Management, DLP Operations at BNY Mellon and Vince Peeler, Sr. Manager, Cyber Intelligence Services at UnitedHealth Group