Today’s threat landscape is ever-evolving and skyrocketing in complexity as bad actors possess more advanced tactics, techniques and procedures (TTP) than ever before. To address these advanced threats, deploying an incident response team is critical for modern organizations.
An incident response (IR) team is responsible for analyzing security systems and responding to potentially harmful threats. IR plays a critical role in ensuring security issues are resolved and performing damage control for any system breach, malware exposure, data loss or other security events.
Being an incident responder can be a fascinating career for anyone in the cybersecurity industry. But often, the role of the incident responder may not be so clear. Opinions about the job vary, and many of those beliefs should be dispelled.
So what do people get wrong about incident responders? Are there significant cases of expectations versus reality? Are there limits to what IR professionals can do versus what they are expected to do?
Like Anything in Cybersecurity, Proactivity Wins
Foremost, the role of IR will almost always depend on an organization’s overall security posture, tools and prioritization of cybersecurity. Generally speaking, if the company does not place enough importance on cybersecurity, anyone in the IR team is at risk of burning out.
Some may say that incident response can be tedious, but it depends on many factors. In some (unfortunate) cases, IR can resemble a never-ending game of Whack-A-Mole. But if the organization takes a proactive stance to understand how incidents occur and consistently aims to improve security controls, new incidents can be preventable and false positives minimized.
Independent security researcher Rod Soto has worked on several incident response teams and believes that the most prevalent case for “expectation versus reality” is the thinking most IR plans apply to most organizations.
“It is very difficult to have a one size fits all IR plan,” Soto said. “It is necessary to have a plan and team in place, but be aware of unexpected events and shortcomings that may surge during incidents. Plans and procedures can provide a scope of action, but they need to be malleable and able to extend to the size of the incident.”
Another common IR belief Soto often dispels is the false sense of security that a team can have everything covered.
“In most enterprises, it is simply not possible to foresee every single scenario,” he said. “You can prepare for those you deemed of utmost importance and consideration, but other than that, there will be unexpected scenarios and threats that can simply not be anticipated.”
OK, But What is it Really Like Working as an IR Professional?
Depending on the organization, your mileage as an IR professional may vary. Some incident responders perceive their job as a type of cybersecurity help desk — more of an entry-level role that will provide great exposure to tools and experience to prepare for other roles. Even those sharing this mindset perceive the role as a stepping stone to a lucrative cybersecurity career.
On the other hand, some incident responders enjoy the challenge of detecting, managing and remediating threats — especially when they’re not dealing with the same threat types every day. This brings us back to the importance of a proactive organization: If the IR team is dealing with the same threats day after day and must learn to tune out noisy alerts (false positives), the job will be tedious.
IR teams that face new and interesting threats are typically more engaged, and in turn, play a crucial role in closing the feedback loop to ensure that they’re not consistently seeing the same threats and incidents.
What Are the Limits to What IR Professionals Can Do Versus What They are Expected to Do? How Does That Affect Their Day-To-Day?
According to Soto, the expectations placed upon incident responders are significant: They need to wear many hats, have a diversity of skills, comply with unrealistic deadlines and deal with multiple departments and third parties. “Often, IR teams must walk a thin line because of corporate and legal repercussions that can affect their careers,” he said.
How an organization should plan for incident response is beyond the scope of this article. But for incident responders, here are a few ways that can help make the job easier.
First, it’s essential that IR teams get support from the C-suite and other departments. While incident responders and the IT department lead IR efforts, participation from as many business units as possible can go a long way to improving the workday of an incident responder.
Next, roles and responsibilities for all team members must be defined as clearly and specifically as possible. Roles should also be documented and communicated so the team can coordinate more efficiently when an incident happens.
And of course, effective communication is key. While communication is crucial to any project, it’s especially relevant to IR. Communicating and documenting who, how and when to contact all relevant parties (both internal and external) streamlines the process and only makes things easier.
But ultimately, and not unlike other cybersecurity careers, it all boils down to this: You need to find the right work-life balance that works for you.
If you’re talented and have robust credentials, you’ll always have work. If you’re unhappy, there will likely be many other opportunities. Ask as many questions as possible before accepting a role, and make sure expectations are clear. Take as many steps as necessary to avoid burnout, which is so common in the cybersecurity industry.
IR can be a wonderful experience or a monotonous one. But when organizations are proactive about cybersecurity, the life of today’s incident responder is more often the former.