November 18, 2022 By Mark Stone 4 min read

Today’s threat landscape is ever-evolving and skyrocketing in complexity as bad actors possess more advanced tactics, techniques and procedures (TTP) than ever before. To address these advanced threats, deploying an incident response team is critical for modern organizations.

An incident response (IR) team is responsible for analyzing security systems and responding to potentially harmful threats. IR plays a critical role in ensuring security issues are resolved and performing damage control for any system breach, malware exposure, data loss or other security events.

Being an incident responder can be a fascinating career for anyone in the cybersecurity industry. But often, the role of the incident responder may not be so clear. Opinions about the job vary, and many of those beliefs should be dispelled.

So what do people get wrong about incident responders? Are there significant cases of expectations versus reality? Are there limits to what IR professionals can do versus what they are expected to do?

Like anything in cybersecurity, proactivity wins

Foremost, the role of IR will almost always depend on an organization’s overall security posture, tools and prioritization of cybersecurity. Generally speaking, if the company does not place enough importance on cybersecurity, anyone in the IR team is at risk of burning out.

Some may say that incident response can be tedious, but it depends on many factors. In some (unfortunate) cases, IR can resemble a never-ending game of Whack-A-Mole. But if the organization takes a proactive stance to understand how incidents occur and consistently aims to improve security controls, new incidents can be preventable and false positives minimized.

Independent security researcher Rod Soto has worked on several incident response teams and believes that the most prevalent case of "expectation versus reality" is the assumption that a single IR plan can apply to most organizations.

“It is very difficult to have a one size fits all IR plan,” Soto said. “It is necessary to have a plan and team in place, but be aware of unexpected events and shortcomings that may surge during incidents. Plans and procedures can provide a scope of action, but they need to be malleable and able to extend to the size of the incident.”

Another common IR belief Soto often dispels is the false sense of security that a team can have everything covered.

“In most enterprises, it is simply not possible to foresee every single scenario,” he said. “You can prepare for those you deemed of utmost importance and consideration, but other than that, there will be unexpected scenarios and threats that can simply not be anticipated.”


OK, but what is it really like working as an IR professional?

Depending on the organization, your mileage as an IR professional may vary. Some incident responders perceive their job as a type of cybersecurity help desk — more of an entry-level role that will provide great exposure to tools and experience to prepare for other roles. Even those sharing this mindset perceive the role as a stepping stone to a lucrative cybersecurity career.

On the other hand, some incident responders enjoy the challenge of detecting, managing and remediating threats — especially when they’re not dealing with the same threat types every day. This brings us back to the importance of a proactive organization: If the IR team is dealing with the same threats day after day and must learn to tune out noisy alerts (false positives), the job will be tedious.

IR teams that face new and interesting threats are typically more engaged, and in turn, play a crucial role in closing the feedback loop to ensure that they’re not consistently seeing the same threats and incidents.

What are the limits to what IR professionals can do versus what they are expected to do? How does that affect their day-to-day?

According to Soto, the expectations placed upon incident responders are significant: They need to wear many hats, have a diversity of skills, comply with unrealistic deadlines and deal with multiple departments and third parties. “Often, IR teams must walk a thin line because of corporate and legal repercussions that can affect their careers,” he said.

How an organization should plan for incident response is beyond the scope of this article. But for incident responders, here are a few ways that can help make the job easier.

First, it’s essential that IR teams get support from the C-suite and other departments. While incident responders and the IT department lead IR efforts, participation from as many business units as possible can go a long way to improving the workday of an incident responder.

Next, roles and responsibilities for all team members must be defined as clearly and specifically as possible. Roles should also be documented and communicated so the team can coordinate more efficiently when an incident happens.

And of course, effective communication is key. While communication is crucial to any project, it’s especially relevant to IR. Communicating and documenting who, how and when to contact all relevant parties (both internal and external) streamlines the process and only makes things easier.

But ultimately, and not unlike other cybersecurity careers, it all boils down to this: You need to find the right work-life balance that works for you.

If you’re talented and have robust credentials, you’ll always have work. If you’re unhappy, there will likely be many other opportunities. Ask as many questions as possible before accepting a role, and make sure expectations are clear. Take as many steps as necessary to avoid burnout, which is so common in the cybersecurity industry.

IR can be a wonderful experience or a monotonous one. But when organizations are proactive about cybersecurity, the life of today’s incident responder is more often the former.
