Incident response

Expert Tips on Incident Response Planning & Communication

March 21, 2018 by Dimitar Kostadinov

An organization’s ability to recover quickly in the wake of a cyberattack is directly proportional to their incident response capabilities. In essence, incident response (IR) is a procedure designed to address security breaches in a coordinated way to limit their negative effects and reduce recovery time and costs.

Much has been said and written about the usefulness and necessity of IR, especially in the context of information technologies. This article, however, focuses on two primary IR aspects:

  1. Challenges related to putting the IR plan into practice
  2. Methods to communicate the IR plan

To clarify these points, we invited expert Darrell Switzer to share his insights on effective IR plan development. Darrel is the managing director of incident response and cyber resilience services at Kudelski Security.

1. What Are the Biggest Challenges When Developing, Testing & Implementing an Incident Response Plan?

Switzer: Initially, the biggest challenge is getting the IR plan aligned with the actual capabilities and resources of the organization. The gold-standard IR plan assumes a gold-standard detection and response capability — something that doesn’t exist in most organizations.

Best practice incident response plans only work for compliance audits. A strategically implemented incident response plan must align with the company culture, business goals and technical capabilities of the organization to be successful in the long term. Incident response plans taking a purely technical approach to security breaches and do not involve business strategy in the development of the plan routinely fail. Without buy-in from key business stakeholders, the incident response plan will not have the executive support and resource dedication required to be effective.

All members of the primary and extended incident response teams must be trained on their individual responsibilities during an incident. Role playing and tabletop exercises replicating the most likely attack scenarios are effective approaches to exposing the existing plan to critique, exercising your team and their response processes.

Crisis situations demand calm leadership. Executive-level tabletop exercises are also a proven approach to ensure the executive team is prepared to manage a large-scale breach scenario, including how to answer difficult questions and make business-appropriate decisions under pressure.

2. What Is the Best Way to Communicate the Incident Response Plan?

Switzer: Communication of the incident response plan involves several working groups. The first is the executive leadership team who must ensure everyone in the organization is aware of the importance of the incident response plan and must champion any required changes in the organization.

Traditional communication platforms such as newsletters, Intranet and internal company emails are all proven methods to increase your organization’s security awareness and gain their needed support in identifying incidents quickly. Attack simulations and tabletop exercises are also very effective ways to help your team understand what actions will be required of them during an incident.

Tabletop exercises should be conducted at the executive and technical level. The executive leadership team needs to understand critical decisions are made during an incident and their impact can potentially extend far beyond the impact of the actual incident. Tabletop exercises geared towards technical teams and subject matter experts are also very effective in identifying gaps in security tools, processes and training. These technical exercises are objective based, requiring the response team to prove the accuracy of tools, effectiveness of containment steps and execution of remediation processes.


It’s clear that without an IR plan, the IR team will likely fail to manage a security incident effectively. It is also essential for company leadership and other relevant departments to be involved in the IR planning process. In addition, making incident response (and basic information security for that matter) a key part of company culture seems to be the real solution for preventing many security challenges.

During an incident, it is very likely chaos will rise. Poor data sharing practices between the IR team, IT operations team and other stakeholders can hamper the overall success of incident response. Consequently, a well-defined communication protocol is the perfect tool to manage affected departments and stakeholders in a time of crisis. As any part of the IR plan, the communication plan must be documented, tested and validated regularly to ensure it meets the company’s requirements.

Even the most advanced technologies become useless without proper planning, staff training and regular upkeep. Attack simulations and tabletop exercises as a viable alternative to traditional methods of disseminating the IR plan among other employees. Such methods provide excellent illustrative examples and require active participation from all people involved. Following this approach, the two-dimensional text in the IR plan becomes three-dimensional, because participants apply the procedure in practice.


Posted: March 21, 2018
Dimitar Kostadinov
View Profile

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.