Incident responder careers: What’s it like to work in incident response?
As the well-known saying goes, it’s not a matter of if you will be breached, but when. Cybercriminals are relentless in their pursuit to break into your organization’s systems, so to protect themselves, organizations must be at least equally as persistent with their defenses. When a breach occurs, it’s the job of incident responders to mitigate the security violation and restore defenses as quickly as possible.
Incident responders are sometimes referred to as digital forensics incident responders or DFIR. The National Institute of Standards and Technology (NIST) defines digital forensics as the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. (For more on this job title, see Digital forensics careers: Public vs. private sector.)
FREE role-guided training plans
But in fact, there are nuanced differences between an incident responder and someone who works as a DFIR. While a DFIR may be narrowly focused on the intricacies of a specific attack (similar but not the same as a malware analyst who works to reverse-engineer attacks), an incident responder is sometimes referred to as a cybersecurity first-responder. They are the first line of defense an organization relies on to mitigate a real-time attack and ensure a quick recovery.
“Every incident is slightly different,” says Keatron Evans, a senior instructor at Infosec and managing consultant at KM Cyber Security, LLC. “I feel like I learn something every time. It’s a very exciting career to be in.”
What does an incident responder do?
NIST defines incident response as the mitigation of violations of security policies and recommended practices. Incident responders are first on the scene to assess what happened and then apply effective mitigation strategies that are both effective and efficient. Cyber incidents are costly, and the quicker the bleeding can be stopped, the better.
On a more strategic level, incident responders are also responsible for designing and implementing an incident response plan. These plans will often look different from one organization to the next. However, their goal is the same: to identify, remediate and recover from cyber incidents. In the NIST Computer Security Incident Handling Guide, they recommend an incident response plan that contains four primary subject areas:
- Preparation, which includes the identification of preventative measures
- Detection and analysis, which includes areas such as indicators, required documentation and notification
- Containment, eradication and recovery, which includes choosing a containment strategy, gathering evidence and identifying attacking hosts
- Post-incident activity, which includes lessons learned and evidence retention policies
Some incident responders work for a large company as part of an incident response team led by an incident manager. Others, like Evans, work as part of a consulting firm that provides incident response services, or they may work independently. As a consultant, Evans says he’s “worked with incident responders within an organization when they realize which skills they have on their team and which skills they don’t. They know to reach out and get [a team like his consultancy] involved.”
What does it take to be an incident responder?
Core to being a good incident responder are two common security positions: strong communication skills and problem-solving. “We think about incident response as more of a technical thing, and it is, but there’s a whole soft management side to it where you have to communicate details of the incident to the right people, at the right time,” Evans says.
Communication and being calm are keys, Evans explains. One real-life example is the LinkedIn data breach from a few years ago when the company first announced 7 million records were hacked. Then, they had to come back out and say it was actually 117 million records. “The technical side is binary. Your technique will work, or it won’t. The people side can be more challenging sometimes; you have to be good at communicating with people, telling them what they need to know when, and calming them down.”
An ability to problem-solve is also essential. How you approach a problem and how persistent you can be in understanding the challenge and solving it helps incident responders succeed. As Evans explains, one of his best penetration testers has a liberal arts background. Still, an interest in computers and tremendous problem-solving abilities lead her to methodically figure things out and excel in the position.
That’s not to say technical skills aren’t necessary too. To be a good incident handler, it’s crucial to have a strong foundation in computer security followed by a mastery of the offensive side of hacking, including ethical hacking and penetration testing, and then forensics. Certification and training that will help you hone your skills and demonstrate them to potential employers include:
- Ethical hacking: Certified Ethical Hacker (CEH), PenTest+ and OSCP certifications; or training in cloud, mobile and web application pentesting
- Incident response: IR and Network Forensics Boot Camp; or training in network traffic analysis or incident response
- Digital forensics: Certified Computer Forensics Examiner (CCFE) and Certified Mobile Forensics Examiner (CMFE) certifications; or a variety of training in different forensic areas
Technical training is necessary for incident responders to do their jobs effectively and to excel in their profession. As Evans puts it, “training was the glue or the hub that allowed me to meet the right people, interact with the right people, and be able to get into security roles.”
For more on this topic, watch the Cyber Work Podcast, How to become an incident responder with Keatron Evans.
What should you learn next?
Sources
- Digital forensics, NIST Computer Security Resource Center
- Incident response, NIST Computer Security Resource Center
- Computer Security Incident Handling Guide, NIST
Get unlimited and self-paced training for you or teams in your organization with Infosec Skills.
- 190+ role-guided learning paths
- 100s of hands-on labs & cyber ranges
- Custom certification practice exams
In this Series
- Incident responder careers: What’s it like to work in incident response?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity