Primary roles and responsibilities of an Incident Handler

Who is an Incident Handler?

When faced with a cyber incident, an incident handler plans, manages, coordinates, and communicates with fellow cybersecurity professionals to contain and mitigate the incident. The roles and responsibilities of an incident handler vary depending on an organization’s online presence and the type of data collected and stored.

According to the Annual Cost of a Data Breach Study by IBM, the impact of a data breach on an organization is approximately $3.86 million. A skilled incident handler will be able to reduce the financial burden on organizations. Another report by IBM showed that an effective incident response could reduce the cost of a breach by $14 per compromised record!

“Organizations are looking for professional incident handlers and response personnel who can prepare security policies and plans to tackle incidents with efficacy in time-constrained scenarios to reduce the impact of incidents.”

– Jay Bavisi, President of EC-Council Group

The roles and responsibilities of an Incident Handler:

Broadly, an incident handler is expected to:

  • Define, document, and communicate the roles that the various professionals will play when an incident occurs. These roles vary depending on the severity of the incident.
  • Establish, confirm, and publish channels of communication. This is a must to ensure a proper flow of tasks and information and to minimize attacker dwell time.

Additional responsibilities:

  • Recognize and counter the different types of cybersecurity threats, attack vectors, and threat actors, and understand their motives.
  • Identify the signs and costs of an incident.
  • Perform vulnerability management, threat assessment, risk management, and incident response automation and orchestration.
  • Ensure all incident handling and response best practices, standards, cybersecurity frameworks, laws, acts, and regulations are followed.
  • Ensure a first response procedure is in place that covers evidence collection, packaging, transportation, and storage; data acquisition; volatile and static evidence collection; and evidence analysis.
  • Recognize the anti-forensics techniques attackers use to cover their tracks, so that concealed incident activity can still be uncovered.

What to do before the incident?

The more information an incident handler brings to management before an incident, the better the company can strengthen its security controls and establish clear, pre-agreed lines of communication for use during a crisis.

What does it take to become an Incident Handler?

Incident handling requires more than extraordinary technical skill. It requires never-ending perseverance, especially in times of crisis. The profession calls for the same respect, courage, and dignity expected of first responders.

Do you want to be an incident handler and work on a containment plan to reduce the cost of damage and mitigate further incidents? Join the industry-recognized credential program, EC-Council Certified Incident Handler (E|CIH). The latest iteration of the E|CIH program has been developed in collaboration with cybersecurity and incident handling and response practitioners across the globe.


What does an incident handler do?
Incident handlers are responsible for managing a chaotic situation after a cyber attack. The professional will plan, manage, coordinate, and communicate with other staff to contain and mitigate the after-effects of an incident. All the job responsibilities of an incident handler must comply with the already devised incident response plan (IRP).

Who is responsible for incident response?
An incident response team investigates the significance of the threat, reports the incident impact, and responds and communicates across the company. When not working on any threats, the incident response team meets regularly to review security trends and response procedures within the organization.

What are the six phases of an incident response plan?

Although each business follows its own IRP, all IRPs share the same fundamental components because they follow the same six-phase process.

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
