Absent a clear-cut authoritative leader, incident response teams falter in the face of time-sensitive events. A top-shelf incident response plan will account for the position of incident response director, dictating responsibilities, clarifying decision-making authority, and providing a roadmap for guiding the team through standard incidents.
LEO’s incident response framework labels procedural steps by discipline, illustrating coordinated actions for each team member, which in turn gives valuable insight to the director.
Team direction is a sensitive subject for many incident response teams, most probably because of the structure of the average crisis management program. Consider how a cyber attack evolves. It often begins as a SIEM alert within the Information Security department. If the alert proves significant enough, it may be escalated to the full incident response team. Incidents with significant impact on company operations may pull in the company's business continuity team or operational crisis management team.
Companies rightfully struggle with how to parse roles and handle situations such as this. NASA dealt with the same issue, but fortunately, the Mission Control dynamic offered an inherent solution, one which LEO has incorporated into its incident response framework. Incident response teams should have a dedicated director. The questions are where this director comes from, what authority he or she holds, and how he or she is trained.
LEO’s program answers these questions and provides a roadmap for the selection, training, and guidance of an incident response director. In addition, procedures and rules are written with an incident response director in mind, making it easier to initiate and track team actions during time-sensitive events.