Whose Job is it to Respond to Cyber Incidents Anyway?


Before we get down to the business of the day, here are some cybersecurity news you might have missed last week:


  • Windows, Zoom, Ubuntu, MS Exchange, MS Teams, Safari Hacked at Pwn2Own 2021. The 2021 edition of the Pwn2Own hacking contest, which lasted 3 days, saw contestants successfully exploit high-profile operating systems and applications. A total of $1.2 million was awarded for the exploits.

  • LinkedIn confirms the leak of 500 million user profiles online. The professional networking platform LinkedIn has confirmed that the names, phone numbers, email addresses, and workplace information of 500 million users were put up for sale on a hacker forum. In a statement, LinkedIn maintains that it isn't a data breach, but publicly accessible information.

  • Saint Bot, the new malware stealing users' passwords. There's a new villain in town: Saint Bot, a malware downloader currently spread through phishing emails to steal user information. Be careful when opening attachments sent from unverified email addresses.

And now to our topic for the week:


Whose Job is it to Respond to Cyber Incidents Anyway?


We live in a world where cyber threats are rife. One moment, a corporation lures potential clients with the promise of impressive data protection and high-grade encryption; the next, hundreds of sensitive records belonging to that same corporation are leaked on the internet.


More often than not, PR swings into combat mode to 'own the narrative'. But it doesn't always pan out as intended. Customers leave, or worse, start litigating, affecting the bottom line of the business.

We can often predict what comes next; the entire IT department gets replaced with fresh minds and some board members take the backseat.


We can almost sense a pattern in the actions businesses take in the event of a cyber threat. Most business execs see these threats as IT concerns, and if the IT guys can't contain them, then their jobs should be in question, right?


Actually, not at all.


It is a common misconception to perceive cyber defense as a purely technical matter. The reality is that cybersecurity is loss prevention, and ultimately a crisis management function, and therefore a business-wide priority, from the CEO down to the front desk assistants. Every single employee must be concerned about data protection, as a threat could put everyone in a state of unrest.

No one fancies the idea of their data at the mercy of a standalone hacker (or worse, an APT) asking for a Bitcoin ransom. Thus, cybersecurity should be ingrained in every single person working with and for a business.


Cross-function collaboration is particularly key in cases when a cyber incident occurs. This is where a comprehensive Cyber Incident Response Program comes into play.


The Cyber Incident Response (IR) Program is a set of guidelines that should be implemented to effectively detect, manage, respond to, and recover from cyber attacks.


Much like with fire drills, training and simulations are equally important. A well-implemented IR Program must include at least annual cross-function Tabletop Exercises: simulation activities in which members of the Cyber Incident Response Team (CIRT) walk through, in great detail, their responsibilities and actions in the event of a cyber threat.


These simulations, much like real incidents, require inputs across a variety of business functions:


  • Core Cyber Incident Response Team/First Responders. An individual or a team of cybersecurity or IT professionals responsible for identifying the potential threat, verifying it, determining the initial level of incident severity and urgency, and performing escalation. If the incident is confirmed as such, the Core CIRT is responsible for hands-on containment, eradication, and recovery activities as outlined in the respective scenario Playbook, as well as for preserving digital forensic evidence and generating Cyber Incident artifacts (e.g. status updates, reports).

  • CIRT Leader. A senior technical professional in the organization responsible for leading and coordinating the Response efforts, typically on a technical level. Depending on the size of the CIRT and the organization, this can be a Systems Administrator, an IT Team Lead or a Cybersecurity Team Lead for small to medium-size businesses, or a Director of IT, a VP of Security, or even a CTO, CIO or CISO in a larger organization.

  • Legal Counsel. An external or internal legal professional, whose main responsibilities include advising on fulfilling compliance and regulatory obligations in case of a cyber incident, advising on the types and contents of external and internal communications, reviewing official statements, and providing general legal guidance to minimize the organizational footprint in case of potential litigation.

  • Senior Human Resources Leader / CHRO. Coordinating Incident-related messaging and updates within the company with Communications, participating directly where required (e.g. Insider Threat scenarios).

  • Senior Communications Leader. Coordinating and leading efforts and messaging pertaining to Incident-related internal and external communications, including public communications, media, regulators, and authorities.

  • Chief Financial Officer. Making decisions pertaining to mitigating financial risk (e.g. decisions on ransom demands), collaborating with other stakeholders on estimating financial impacts and severity of the incident.

  • Chief Operating Officer / Chief Executive Officer. Making key executive decisions, coordinating overall cyber crisis management activities, providing updates to the Board and the public if deemed necessary.

  • Third-Party IT or Infrastructure Provider. An external provider of infrastructure or IT services. Main responsibilities include assigning a responsive and competent contact to communicate with your internal CIRT members, providing information, and responding to requests (e.g. block certain ports, de-provision access for certain accounts). In cases where such a party is present, Wembley Partners recommends establishing in advance a clear communications cadence, the expected and acceptable time commitment required, and responsiveness thresholds.

  • Managed Security Services Provider. An external provider of Managed Detection & Response or Cyber Incident Response (e.g. Retainer) services. An MSSP can partially or fully replace your Core CIRT, as well as provide additional subject matter expertise and guidance before and during an incident. An MSSP would also typically supply sensors and detection mechanisms and commit to a target detection and response time (for example, up to 2 hours).


Responding to cyber attacks is a function of every level of the corporate hierarchy, especially when such incidents evolve into a full-blown crisis affecting the company's ability to carry out business, its public image, or the personal safety of its staff and customers.
