Incident response (IR) plans always seem to make “top security best practices” lists. However, there continues to be widespread confusion about what actually goes into them and how to ensure they are successful. Worse yet, some companies still don’t have one at all. In fact, a recent report by Shred-it found that 63% of C-level executives and 67% of small businesses in the U.S. do not have an IR plan. And, research from Egnyte reveals only 64% of mid-sized companies have a formal IR plan in place.

As an industry, we need to hammer on the importance of developing an IR plan, and including the right components within, to ensure success. And, earlier this month, I had the opportunity to share my thought leadership on this very subject. I recorded a video for Help Net Security detailing my five “golden rules” for developing and executing successful IR plans. I feel it’s worth sharing here given the crucial role they play in defending against today’s advanced cybercriminals.

These are best practices I’ve developed in my more than 20 years in cybersecurity. Many of those years have been devoted to helping organizations of all sizes build security operations and IR teams. And, my hope is that these five golden rules clear up any existing confusion around how to ensure IR programs are successful.

The Golden Rules

With that said, here are my five tips for mastering IR plans, as outlined in my Help Net Security video:

  1. Take a minimalist approach to technology
    It’s easy for organizations to throw a bunch of technology at the cybersecurity problem in the hopes that something sticks. But, this approach only results in tool sprawl, technical debt, and complicated architectures that introduce risk and negatively affect the IR process. When implementing technology to aid in IR, security teams should take care to implement the minimum number of tools, services, and solutions required to effectively identify, detect, and respond to threats. This will help streamline infrastructures and enhance security, and also keep costs under control.
  2. Keep IR processes concise and to the point
    Don’t overcomplicate things with IR playbooks that are 500 pages long. This will only result in failed process checks because no one has the time to read and learn that amount of information. Similar to the technology component, implement the minimum number of processes required for security analysts to observe, orient, decide, and act on threats.
  3. Get the right people in place
    Determine how many people and what roles are required for IR to be successful. IR needs to be a cross-collaboration effort between security and business leaders (legal, PR, business unit leaders, C-suite, etc.). Business leaders will care more about IR and cybersecurity if they have ongoing communication and collaboration with security teams.
  4. Prioritize testing
    Security analysts test IR plans every day when they respond to security incidents, but this isn’t enough to ensure they work when they’re needed most. All participants in IR plans – including business leaders – need to test, practice, and partake in tabletop exercises on an ongoing basis. Without testing, a company will be caught ill-prepared in the middle of a crisis.
  5. Ensure post-incident learning
    When a security event or incident does happen, many companies don’t take the time to review what happened. They don’t learn from the security failures and remediate areas of risk. This is an important step that needs to happen to prevent the same security issues from happening again.


Kudos to the Help Net Security editorial team for wanting to provide clarity on a much talked about, but not neatly defined, area of cybersecurity. I’m fortunate to be able to use my decades of experience and thought leadership platform to share my expertise and bring clarity to this very important topic.

Have a question about your organization’s IR plan? Hit me up at @ITJunkie.