You have an incident response plan, right? But how do you know it’s effective? Is there anything you’re overlooking? What will happen at your organization in the event of a data breach or security incident? While many organizations have a plan in place, far fewer test it and are confident in it if the need to execute should arise.

March 2018 research from the Ponemon Institute found that 77 percent of respondents said their organization does not have a formal cybersecurity incident response plan. Almost half of the respondents said their organization’s plan is either informal and ad hoc — or nonexistent.

“They’re not prepared,” said Sean Mason, director of threat management and incident response at Cisco Security Advisory Services. “It should be the starting block.”

Read the Ponemon Institute’s Third Annual Study on the Cyber Resilient Organization

Get Started on Incident Response Improvements

Many security analysts and consultants agree: It’s time to get serious about incident response. With data breaches and other cyberattacks increasing annually, organizations should be well-prepared and secure. To ensure your plan is effective, it should include the following four elements.

1. It’s Tested Consistently

While many organizations claim to have an incident response plan, few actually put it to the test. This is mistake number one, because unless it’s been tested, you really have no idea if it is effective.

“The best organizations that I see who are prepared are ones that are doing that proactive work,” said Mason. “They’re doing tabletop exercises — they’re doing red team versus blue team.”

Much like exercise, routinely testing an incident response plan gives an organization the practice it needs to identify weak spots and make improvements. “Go through and simulate incidents, committing it to muscle memory as it’s tested on a routine basis,” said Mason.

2. It’s Detailed but Flexible

An incident response plan should include detail but also be flexible so it can be applied to different kinds of attacks and incidents.

“A good incident response plan gives you enough lateral movement for a wide range of incidents,” said Steve Armstrong, a SANS Institute instructor and 20-year veteran of security and incident response. “I’ve articulated incident response plans in spreadsheets, and they have a table for each type of incident.”

Flexibility and variety in an IT plan also ensure it can be updated regularly — so it can evolve as cyberattacks change over time.

3. It’s Clear About Communication

Clear communication plans are also essential for incident response. Armstrong said many incident response plans are informal and don’t have a solid understanding of how the network comes into play in incident response communication.

“Plans need to make clear how post-incident communication will be secure,” Armstrong said. “It needs to be not on network, particularly if it has been compromised.”


4. It’s Inclusive When It Comes to Stakeholders

A concise list of stakeholders and how each should be involved in incident response is also crucial. “An organization should understand its environment and what it’s trying to protect, and who is on its team,” Armstrong said. “Who is up-front striking goals and who is the safety net in back?”

“If it’s an incident with multiple machines, you should have already gone through and thought about security, networking, business and finance,” said Mason. “And who are your external partners that are going to help in a time of crisis? It is easy to think through and say, ‘We got this.’ But then think, ‘If I have 10,000 machines impacted by ransomware, who is going to do all that work?’”

An incident response plan should also include the intention to get your legal department involved as early on in the process as possible. “You should have involved legal right out of the gate,” said Mason. Your legal department can often advise if it’s necessary to involve law enforcement or other external partners.

Incident response remains a significant challenge for most organizations globally and is hindering cyber resilience. Consider these four recommendations to improve your plan.
