When was the last time you took a long road trip and didn’t consult a map either before or during the drive? The prudent, risk-managed response is never, or at least rarely.

This logic extends to incident response planning — the process of pulling together a roadmap that helps you implement a cybersecurity incident management capability in alignment with your organization’s unique requirements (i.e., mission, size, structure and functions). Just as when you’re successfully navigating your way cross country, your guiding principle here should be “begin with the end in mind.” You want your incident response plan to be informed by the knowledge and experience of best-practice experts and resources who have been there before. This approach not only enables you to get the right things right the first time but also launches nascent incident response capabilities to much higher levels quickly and efficiently.

Every incident response plan should map the incident response lifecycle: prepare, detect, analyze, contain, eradicate, recover and lessons learned. Minimum plan components should include incident severity classification criteria, the incident response team roster, forensic evidence handling standards, lists of topical internal and external resources, and procedures or playbooks that guide technical response steps specific to the threat scenarios likely to impact you.

The best way to embed all this quickly, and with maximum utility and efficiency, is to look beyond the boundaries of your own planning horizon to resources like NIST and the U.S. CERT, as well as third-party incident response planning experts, and then engage this knowledge around your planning effort. Equally as important is keeping an existing incident response plan up to date. These same external resources have already encountered and taken in the leading edges of the current threat spectrum, and as a result, are readily available to respectively advise or inform.

Next steps

  • Commit to a standards-based planning approach: Practice makes perfect, and as result of the exacting process for their acceptance, standards represent unassailable planning criteria that you can trust have already proven successful many times over.
  • Bring specialized resources into the planning process: Why go it alone? And why waste the time associated with trial and error? Reach outside and rely on trusted experts as both process enablers and force multipliers to most quicky home in on what’s most important to you.
  • Focus on the highest-risk, leading-edge threat scenarios: While your incident response plan should evolve over time, today’s cyber threats are such that you need playbooks for certain incident scenarios nearly immediately. As result, it’s critical that you quickly identify and implement these at the very beginning — expert knowledge enables this to happen.
  • Plan your work, work your plan: Train and test, absorb lessons learned and then train and test some more until you can do it in your sleep. External experts are highly skilled at compressing this cycle.