
Incident Responder Career Roadmap: From Entry Level to Executive

February 9, 2018 by Graeme Messina

Introduction

Finding a career as an incident responder has never been more possible than it is today. Practically every medium- to large-sized company should have either an in-house dedicated team of cybersecurity specialists, or service providers that can perform the function of an incident responder on their behalf.

Such teams can be deployed within strict time frames to act as a first-response team to help manage, mitigate and resolve any incident that involves critical IT systems within an organization.

What is an Incident Responder?

The roles of this position vary from company to company, but the core responsibility is to detect intrusions and respond to incidents with urgency and precision. An incident responder must mitigate any damage to company systems, and restrict access to unauthorized intrusion attempts.

This access will usually be monitored before being completely disconnected, as an incident responder will want to gather as much information about the attack as possible. Once this information has been gathered, the connection will be terminated and countermeasures will be put in place to prevent such occurrences from happening again.

Other names for this role include computer emergency response team (CERT) member, computer network defense (CND) incident responder, or computer security incident response team (CSIRT) member.

Entry-Level Incident Response Positions

Becoming an incident responder is not always achieved in a straight line of job progression. Many professionals that become an actual incident responder or part of a computer emergency response team (CERT) do so by progressing through entry- to mid-level positions first. These can include:

  • Network administrator: The knowledge gained in this position will help potential incident responders build a wealth of networking knowledge. Attention to detail is important in this role, and being able to sift through system configurations, site layouts and general network and communication setups is an essential skill. These skills can be built upon with specialized incident responder training and certification.
  • System administrator: Learning how to manage resources within your organization, as well as user behaviour, is another important starting point for an incident responder. Understanding the potential damage that users, bad security configurations and poor IT policies and procedures can unleash upon your network will give future candidates insight into the human component of an incident.
  • Security administrator: This is a great starting point for many higher-level positions within a company’s IT hierarchy. Basic hacking skills, penetration testing and intrusion detection are all learned in such a role, and these are important incident responder skills when trying to reproduce a breach or attack. Understanding what avenues a cybercriminal will use when trying to damage or gain access to a system can make the task of reverse engineering the incident much easier.

These are excellent starting points for any IT professional that would like to become a member of an incident response team. InfoSec Institute provides training for all levels of security professionals.

With entry-level experience, candidates are then able to study for certifications such as the CISM or CISSP and enter more managerial positions. If hands-on technical work is more your speed, then going into a pure forensics role might suit your requirements.

Mid-Level Incident Response Positions

Once you have attained further certifications and valuable hands-on experience, you may find that the following roles become available to you as a result of your improved skills and knowledge:

  • Computer security incident response team (CSIRT) engineer
  • Cyber incident responder
  • Incident response engineer

All three of these titles, although different, require very similar skills and characteristics from a candidate. Personal attributes also begin to count for a lot at this level as an incident responder, with problem solving, time management and even presentation skills becoming more necessary as your career begins to head towards a management-facing role.

Technical skills involve being able to assess and mitigate threats, past, present and future, while maintaining communication with management and the rest of your team. Data analysis and evidence collection start to become more important, and the scenarios where your services are deployed are more serious.

Problem solving skills are vital at this level of incident response, and as the stakes get higher, so too does the pressure involved in each case. Programming skills become a requirement at this level, as incident responders may be required to reverse engineer malicious code or even create fixes for vulnerable applications or services on the network.

Senior-Level Incident Response Positions

Once you have the suitable experience and necessary qualifications under your belt, you can expect to land a job with a title such as:

  • Intrusion detection specialist: Having a CISSP certification will go a long way towards preparing a potential candidate for taking up the role of intrusion detection specialist. Whether unauthorized access is initiated through a website or direct connection, it is the job of an intrusion detection specialist to find and stop any unauthorized communications. You may find that as a more senior player, you will be a lead responder in some instances, with junior staff on hand to assist and learn from you.
  • Incident manager: At this level, you are expected to have many years in the field, as well as managerial experience. You will be expected to plan, oversee, manage and supervise all incident response team activities. You will be responsible for communicating all current events to senior management and stakeholders, while acting as technical lead on ongoing incidents for your incident responders. Threat and impact assessments must be compiled and communicated effectively to management, and operational downtime must be explained, minimized or avoided altogether.

Other Beneficial Certifications

There are many different certifications to help potential candidates become qualified for an incident responder position. Not all of the following are necessary, but there is little doubt each will add more depth and understanding to this discipline. Be sure to take a look at InfoSec Institute’s Incident Response and Network Forensics Boot Camp for more details.

  • CCE: Certified Computer Examiner: The CCE helps introduce candidates to the law enforcement component of computer forensics. This is a crucial certification to have when evidence collection and forensic methodologies are required.
  • CEH: Certified Ethical Hacker: In order for an incident responder to catch a hacker, they themselves must be able to hack. This is a very popular choice for cyber security experts that want to learn the art of hacking.
  • CCFE: Certified Computer Forensics Examiner: This certification will teach students how to investigate computer threats and computer-based crime. It is a forensically detailed course that will provide students with real-world utility and functionality.
  • CMFE: Certified Mobile Forensics Examiner: This is the mobile-device version of the previous certification that teaches students how to secure and forensically investigate mobile devices. A forensic approach to investigation is crucial if evidence collection and analysis ends up going to court.
  • CPT: Certified Penetration Tester: Securing your environment means knowing how to bend or break the rules when it comes to cybersecurity. The CPT will teach students how to think like a hacker, allowing them to probe and target vulnerabilities within their own systems to gain access. This is an important skill set to have if you are hoping to catch tech-savvy criminals in the act of breaching your network.
  • CREA: Certified Reverse Engineering Analyst: Reverse engineering is a rare ability, even amongst incident responders. Being able to successfully reverse a binary will give insights into how malicious code was introduced during an attack, and how to mitigate the damage. Having this certification under your belt will separate you from other candidates when vying for a coveted position as incident responder within a company.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.