November 18, 2022 By Mark Stone 4 min read

Today’s threat landscape is ever-evolving and skyrocketing in complexity as bad actors possess more advanced tactics, techniques and procedures (TTP) than ever before. To address these advanced threats, deploying an incident response team is critical for modern organizations.

An incident response (IR) team is responsible for analyzing security systems and responding to potentially harmful threats. IR plays a critical role in ensuring security issues are resolved and performing damage control for any system breach, malware exposure, data loss or other security events.

Being an incident responder can be a fascinating career for anyone in the cybersecurity industry. But often, the role of the incident responder may not be so clear. Opinions about the job vary, and many of those beliefs should be dispelled.

So what do people get wrong about incident responders? Are there significant cases of expectations versus reality? Are there limits to what IR professionals can do versus what they are expected to do?

Like anything in cybersecurity, proactivity wins

Foremost, the role of IR will almost always depend on an organization’s overall security posture, tools and prioritization of cybersecurity. Generally speaking, if the company does not place enough importance on cybersecurity, anyone in the IR team is at risk of burning out.

Some may say that incident response can be tedious, but it depends on many factors. In some (unfortunate) cases, IR can resemble a never-ending game of Whack-A-Mole. But if the organization takes a proactive stance to understand how incidents occur and consistently aims to improve security controls, new incidents can be preventable and false positives minimized.

Independent security researcher Rod Soto has worked on several incident response teams and believes that the most prevalent case for “expectation versus reality” is the thinking most IR plans apply to most organizations.

“It is very difficult to have a one size fits all IR plan,” Soto said. “It is necessary to have a plan and team in place, but be aware of unexpected events and shortcomings that may surge during incidents. Plans and procedures can provide a scope of action, but they need to be malleable and able to extend to the size of the incident.”

Another common IR belief Soto often dispels is the false sense of security that a team can have everything covered.

“In most enterprises, it is simply not possible to foresee every single scenario,” he said. “You can prepare for those you deemed of utmost importance and consideration, but other than that, there will be unexpected scenarios and threats that can simply not be anticipated.”

Explore the Incident Responder Study  

OK, but what is it really like working as an IR professional?

Depending on the organization, your mileage as an IR professional may vary. Some incident responders perceive their job as a type of cybersecurity help desk — more of an entry-level role that will provide great exposure to tools and experience to prepare for other roles. Even those sharing this mindset perceive the role as a stepping stone to a lucrative cybersecurity career.

On the other hand, some incident responders enjoy the challenge of detecting, managing and remediating threats — especially when they’re not dealing with the same threat types every day. This brings us back to the importance of a proactive organization: If the IR team is dealing with the same threats day after day and must learn to tune out noisy alerts (false positives), the job will be tedious.

IR teams that face new and interesting threats are typically more engaged, and in turn, play a crucial role in closing the feedback loop to ensure that they’re not consistently seeing the same threats and incidents.

What are the limits to what IR professionals can do versus what they are expected to do? How does that affect their day-to-day?

According to Soto, the expectations placed upon incident responders are significant: They need to wear many hats, have a diversity of skills, comply with unrealistic deadlines and deal with multiple departments and third parties. “Often, IR teams must walk a thin line because of corporate and legal repercussions that can affect their careers,” he said.

How an organization should plan for incident response is beyond the scope of this article. But for incident responders, here are a few ways that can help make the job easier.

First, it’s essential that IR teams get support from the C-suite and other departments. While incident responders and the IT department lead IR efforts, participation from as many business units as possible can go a long way to improving the workday of an incident responder.

Next, roles and responsibilities for all team members must be defined as clearly and specifically as possible. Roles should also be documented and communicated so the team can coordinate more efficiently when an incident happens.

And of course, effective communication is key. While communication is crucial to any project, it’s especially relevant to IR. Communicating and documenting who, how and when to contact all relevant parties (both internal and external) streamlines the process and only makes things easier.

But ultimately, and not unlike other cybersecurity careers, it all boils down to this: You need to find the right work-life balance that works for you.

If you’re talented and have robust credentials, you’ll always have work. If you’re unhappy, there will likely be many other opportunities. Ask as many questions as possible before accepting a role, and make sure expectations are clear. Take as many steps as necessary to avoid burnout, which is so common in the cybersecurity industry.

IR can be a wonderful experience or a monotonous one. But when organizations are proactive about cybersecurity, the life of today’s incident responder is more often the former.

More from Security Services

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today