Get Instant Access
to This Blueprint

Security icon

Develop and Implement a Security Incident Management Program

Create a scalable incident response program without breaking the bank.

Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.

The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.

Our Advice

Critical Insight

  • Embrace the use of ready-made responses when handling incidents. These pre-established response plans can save valuable time and effort during a crisis. By relying on proven and tested procedures, your team can respond swiftly and efficiently, minimizing the impact of incidents and ensuring a consistent approach to resolving security breaches.
  • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be revictimized by the same attack vector.
  • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

Impact and Result

  • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
  • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

Develop and Implement a Security Incident Management Program Research & Tools

1. Develop and Implement a Security Incident Management Program Deck – A step-by-step document that walks you through how to develop and implement a security incident management program.

Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. Read our blueprint to find out how to develop and implement a security incident management program, review Info-Tech’s methodology, and understand how we can support you in completing this project.

2. Prepare – A set of tools designed to help you prepare your organization for incident response.

Equip your organization with formal documentation of policies and processes.

4. Maintain and optimize – Tools that will help manage and improve the incident management process.

Use these tools to track metrics, test capabilities, and leverage best practices.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.4/10


Overall Impact

$104,742


Average $ Saved

42


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Pitt County

Guided Implementation

10/10

$30,549

10

Uganda Revenue Authority

Guided Implementation

10/10

$12,999

105

Willingness to provide guidance and followup

Opal Packaging

Guided Implementation

10/10

N/A

20

Robert is very knowledgeable providing practical advice and guidance. The facilitation of the tabletop exercise was a beneficial exercise to comple... Read More

Pitt County

Guided Implementation

10/10

$18,849

10

Keeneland Association

Guided Implementation

10/10

$2,469

2

Frank presented the materials very professioinally and shared some content he'd done for a client to help us continue down the project path.

Dunn‐Edwards Corporation

Guided Implementation

10/10

$64,999

50

Working Petar, who brings a lot of knowledge, experience, and advise throughout the IR process. The tools provided were also fantastic, with very l... Read More

The Corporation of the City of Sault Ste. Marie

Workshop

10/10

$75,000

110

The entire process was excellent and very informative. There was NO worst part. Thanks

CPA Alberta

Guided Implementation

8/10

$10,000

5

Best was the general guidance and lessons learned from others on our incident response, structure of the table top exercise, and dealing with insur... Read More

California Department of Housing & Community Development

Workshop

10/10

$129K

115

Andy Riley was extremely knowledgeable and we learned a great deal from him. We were able to produce tangible results and deliverables which will h... Read More

County of Franklin

Guided Implementation

10/10

$2,599

20

Shastri is a great resource and was very helpful during the entire process. I have no complaints.

Kappa Delta Sorority

Guided Implementation

10/10

$12,999

60

Working with Shastri was the best part of my experience. The knowledge and the willingness to help me prepare a plan that meets our internal team w... Read More

Charlotte County Clerk of the Circuit Court and County Comptroller

Workshop

10/10

N/A

110

We only have the best to say about our experience with Info-Tech and Frank Sargent on our workshop. Frank was engaging and walked us through all a... Read More

Osage Casinos

Guided Implementation

10/10

$14,949

20

Fritz Jean-Louis was amazing and really helped to guide me through the difficult process of developing and implementing a security incident managem... Read More

RJRGLEANER Communications Group

Guided Implementation

9/10

N/A

26

Best - Dr. Michel was knowledgeable, flexible and willing to work with us during the guided implementation. He provided many scenarios and additio... Read More

Asian Development Bank

Guided Implementation

9/10

N/A

N/A

Advice was very clear and Dang was found to be very informative and advanced on the subject.

The Corporation of the City of Timmins

Guided Implementation

10/10

$10,000

20

Shastri was a great coach and mentor during the project - he has a lot of real world experience and helpful guidance. Worst part was the sheer am... Read More

Government of Bermuda

Workshop

8/10

$389K

110

Best - SANDY and FRANK!!!; getting everyone together; understanding how things are currently done and/or will be done; identifying how our work wil... Read More

New-Indy Containerboard, LLC

Guided Implementation

10/10

$2,469

9

Noramco, LLC

Guided Implementation

10/10

$59,849

10

The advisor is so well knowledgeable and versed in the topic and i truly appreciate that. I don't have any neg thing to say.

Pekin Insurance

Workshop

9/10

$61,749

20

Sandy Silk did a great job of conducting the workshop. She was organized and customized the workshop in ways that most help our incident response ... Read More

4Wall Entertainment

Workshop

10/10

$18,269

5

Sandy was an excellent facilitator and did a great job getting the team to open up and discuss the topics at hand. She also has a ton of experience... Read More

County Of Kenosha

Workshop

8/10

$12,999

20

The tabletop exercise was very valuable to illustrate the importance of a structured response.

ENERGYUNITED ELECTRIC MEMBERSHIP CORPORATION

Workshop

10/10

$1.3M

120

The best part of our experience was in the second table-top exercise that included representation from key business stakeholders. This exercise was... Read More

Healthcare Excellence Canada

Guided Implementation

8/10

N/A

5

no worst parts; getting a second perspective is always helpful.

Corix Infrastructure Inc.

Guided Implementation

10/10

$37,500

20

It was a great experience and a great way to assist Corix in accomplishing a goal amidst a number of competing initiatives. Thank you Logan for al... Read More

Afreximbank

Guided Implementation

8/10

$23,500

110

Overall a very good experience

Jet Support Services, Inc.

Workshop

10/10

$12,599

20

Logan and Kevin were great to work with

The Regional Municipality Of Niagara

Workshop

7/10

N/A

50

There was a lot of attention for me to drive the engagement, as well the consultant's that were assigned to us did not engage the group at times, s... Read More

Saskatchewan Blue Cross

Guided Implementation

8/10

N/A

5

The resources provided are quite useful.

Hyperloop Technologies, Inc.

Workshop

10/10

$37,199

20

I don't believe there were an worst parts, however, it's been almost 2 months since the engagement so I don't really remember. Overall I felt it w... Read More


Workshop: Develop and Implement a Security Incident Management Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Prepare Your Incident Response Program

The Purpose

  • Understand the purpose of incident response.
  • Formalize the program.
  • Identify key players and escalation points.

Key Benefits Achieved

  • Common understanding of the importance of incident response.
  • Various business units becoming aware of their roles in the incident management program.
  • Formalized documentation.

Activities

Outputs

1.1

Assess the current process, obligations, scope, and boundaries of the incident management program.

  • Understanding of the incident landscape
1.2

Identify key players for the response team and for escalation points.

  • An identified incident response team
1.3

Formalize documentation.

  • A security incident management charter
  • A security incident management policy
1.4

Prioritize incidents requiring preparation.

  • A list of top-priority incidents
  • A general security incident management plan
  • A security incident response RACI chart

Module 2: Develop Incident-Specific Runbooks

The Purpose

  • Document the clear response procedures for top-priority incidents.

Key Benefits Achieved

  • As incidents occur, clear response procedures are documented for efficient and effective recovery.

Activities

Outputs

2.1

For each top-priority incident, document the workflow from detection through analysis, containment, eradication, recovery, and post-incident analysis.

  • Up to five incident-specific runbooks

Module 3: Maintain and Optimize the Program

The Purpose

  • Ensure the response procedures are realistic and effective.
  • Identify key metrics to measure the success of the program.

Key Benefits Achieved

  • Real-time run-through of security incidents to ensure roles and responsibilities are known.
  • Understanding of how to measure the success of the program.

Activities

Outputs

3.1

Limited scope tabletop exercise.

  • Completed tabletop exercise
3.2

Discuss key metrics.

  • Key success metrics identified

Develop and Implement a Security Incident Management Program

Develop and Implement a Security Incident Management Program

Create a scalable incident response program without breaking the bank.

EXECUTIVE BRIEF

Analyst Perspective

In today’s digital landscape, security incidents are an unavoidable reality for organizations, regardless of their size or industry. From data breaches and ransomware attacks to insider threats and phishing scams, the range of security incidents keeps growing. This demands a proactive and robust approach to security incidents.

It has been found that organizations with well-formalized incident response plans experience, on average, 55% lower costs and are 50% faster in containing incidents (IBM, 2020). When faced with a security incident, organizations cannot afford to waste time deliberating how to respond and must have designated roles and responsibilities so that everyone can act decisively.

As well, organizations need to track and measure key performance indicators (KPIs) such as response time, success rate, and recovery time regularly. Tracking these KPIs can provide valuable insights for continuous improvement and fine-tune response strategies.

Ultimately, a proactive security incident management approach empowers organizations to navigate security incidents with confidence and mitigate potential consequences swiftly when an incident occurs.

Photo of Nitin Mukesh, Senior Research Analyst, Info-Tech Research Group.

Nitin Mukesh
Senior Research Analyst
Info-Tech Research Group

Executive Summary

Your Challenge

  • Security incidents are inevitable, but how they’re dealt with can make or break an organization. A poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
  • The incident response of most organizations is ad hoc, at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and an inefficient allocation of resources.

Common Obstacle

  • Tracked incidents are often classified using ready-made responses that are not necessarily applicable to an organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
  • As well, outcomes of incident-response tactics may not be formally tracked or communicated, resulting in the lack of a comprehensive understanding of trends and patterns regarding incidents. This may lead to an organization being revictimized by the same vector.
  • However, even having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

Info-Tech’s Approach

  • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
  • This blueprint will walk you through the steps of developing a scalable and systematic incident response program that is relevant to your organization.

Info-Tech Insight

Embrace the use of ready-made responses when handling incidents. These pre-established response plans can save valuable time and effort during a crisis. By relying on proven and tested procedures, your team can respond swiftly and efficiently, minimizing the impact of incidents and ensuring a consistent approach to resolving security breaches.

Challenges of inadequate security incident management

Lack of preparedness: A security incident management program helps to prepare your organization for potential security incidents by establishing clear roles, responsibilities, and procedures. Without such a program, your team may be ill-prepared to handle incidents, resulting in confusion, chaos, and a higher likelihood of errors or mistakes during the response.

Incomplete incident documentation: It is important to ensure that incidents are properly documented and there are measures for dealing with and resolving them. Without an incident management system, your organization may not have the structures to report and document incidents, which could impede root-cause identification, post-incident analysis, and the ability to learn from previous incidents in order to enhance future security measures.

Regulatory noncompliance: Some industries have specific regulations and legal requirements for incident management, data protection, and breach notification. Without an updated plan that reflects these regulations and requirements, your organization may fail to meet compilatory needs, which could lead to regulatory consequences, financial sanctions, or even a bad reputation.

Horizontal bar chart titled 'Average cost of a data breach by industry' with 'Healthcare' by far the highest.

207 days – Mean time to identify a data breach

70 days – Mean time to contain a data breach

(Source: “Cost of a Data Breach Report 2022,” IBM, 2022)

Defining security incident management

  1. IT Incident

    An IT incident is any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of this service.
  2. Security Event

    A security event is any event or occurrence that could potentially have information security implications.
    • For example, a spam email is a security event because it may contain links to malware.
    • Organizations may be hit with thousands, or perhaps millions, of identifiable security events each day.
    • These security events are typically handled by automated tools or simply logged.
  3. Security Incident

    A security incident is a security event that results in damage, such as lost data.
    • A security incident can also be a security event that does not involve damage but is a viable risk.
    • For example, an employee clicking on a link in a spam email that made it through filters may be viewed as a security incident.

It’s not a matter of if you will have a security incident, but when

The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.

  1. The average breach cost savings at organizations with an incident response (IR) team that tested an IR plan is US$2.66 million.
  2. US organizations lost an average of US$9.44 million per data breach as a result of increased customer attrition and diminished goodwill. The Middle East and Canada follow at US$7.46 and US$5.64 million, respectively.
  3. 83% of organizations have experienced multiple data breaches, with 60% of them having to increase the price of their services or products because of a data breach.
  4. 45% of breaches happened in the cloud, where organizations with a hybrid cloud model had shorter breach lifecycles than those with a private or public cloud model.
  5. The average cost of a data breach is greater by US$1 million if remote work was a factor.
  6. (Source: “Cost of a Data Breach Report 2022,” IBM, 2022)

This research is designed for a chief information security officer (CISO) who is dealing with:

  • Inefficient use of time and money when retroactively responding to incidents that negatively affect business revenue and workflow.
  • Resistance from management to adequately develop a formal incident response plan.
  • Lack of closure of incidents, resulting in being revictimized by the same vector.

This research will also assist business stakeholders who are responsible for:

  • Improving workflow and managing operations in the event of a security incident to reduce any adverse business impacts.
  • Ensuring that incident response compliance requirements are being adhered to.

Benefits of an incident management program

Effective incident management will help you …

  • Improve efficacy.
    Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points, and transition teams from firefighting to innovating.
  • Improve threat detection, prevention, analysis, and response.
    Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework.
  • Improve visibility and information sharing.
    Promote both internal and external information sharing to enable good decision making.
  • Create and clarify accountability and responsibility.
    Establish a clear level of accountability throughout the incident response program and ensure role responsibility for all tasks and processes involved in service delivery.
  • Control security costs.
    Establish effective incident management operations to provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction.
  • Identify opportunities for continuous improvement.
    Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.

Short-Term Impact

  • Streamlined security incident management program
  • Formalized and structured response process
  • Comprehensive list of operational gaps and initiatives
  • Detailed response runbooks that predefine necessary operational protocol
  • Compliance and audit adherence

Long-Term Impact

  • Reduced incident costs and remediation time
  • Increased operational collaboration between prevention, detection, analysis, and response efforts
  • Enhanced security pressure posture
  • Improved communication with executives about relevant security risks to the business
  • Preserved reputation and brand equity

Develop and Implement a Security Incident Management Program

Create a scalable incident response program without breaking the bank.

Create and follow a pre-established workflow for every security incident encountered

Predefined workflows for each stage

  1. Detection Constantly monitor until signs of an incident are detected
  2. Analysis Leverage data to analyze the incident
  3. Containment Contain the incident and affected system
  4. Eradication Eliminate malignant components of the incident
  5. Recovery Restore and monitor the affected systems
  6. Post-Incident Activities Collaborate with stakeholders to review the incident's cause, effect, and remediation

Embrace ready-made incident responses to save time and respond swiftly during crises. Relying on proven procedures minimizes impact and ensures consistency in resolving security breaches.

Problem

  • Your organization lacks a formal and structured incident management plan or relies on one that is outdated.
  • There is a reactive approach to incidents on a case-by-case basis in the absence of a standardized processes.
  • The inefficient incident responses and resource allocation due to ad hoc handling of incidents result in negative impacts on critical business practices.

Challenges

  • Inadequacies in incident documentation hinder post-incident analysis and learning, while the lack of a structured incident Management System impedes future security measures.
  • Non-compliance risks from failure to meet data protection and breach notification requirements exposes organizations to legal and financial consequences.
  • Without a security incident management program, organizations lack preparedness, clear roles, and procedures, leading to confusion and errors during incident handling.

Benefits

Control security costs

Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from the reduction in misdiagnosed issues and incidents.

Improve efficacy

Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.

Impacts

Short term

  • Detailed response runbooks that predefine necessary operational protocol
  • Compliance and audit adherence

Long term

  • Reduced incident costs and remediation time
  • Enhanced security pressure posture
Malware | Malicious Email | Ransomware | Data Breach | Credential Compromise | Third-Party Incident | DDoS Attack

Maintain a holistic security operations program

Four overlapping circles with the title 'Next-Gen Security Options' in the middle; the circles are labelled 'Prevent', 'Detect', 'Analyze', 'Respond'.

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (among other tactics) are essential.

Detect: There are two types of companies: those that have been breached and know it, and those that have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

Respond: Organizations cannot rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Create a scalable incident response program without breaking the bank.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.4/10
Overall Impact

$104,742
Average $ Saved

42
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 6 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Prepare
  • Call 1: Understand the incident response process, and define your security obligations, scope, and boundaries.
  • Call 2: Formalize the incident management charter, RACI, and incident management policy.

Guided Implementation 2: Operate
  • Call 1: Prioritize and develop top-priority runbooks.
  • Call 2: Develop templates to analyze root cause and report security incidents.

Guided Implementation 3: Maintain and optimize
  • Call 1: Develop and facilitate tabletop exercises.
  • Call 2: Create an incident management metrics program and assess the success of the incident management program.

Author

Nitin Mukesh

Contributors

  • Dave Millier, CEO, Uzado Inc.
  • Mahmood Sher-Jan, EVP & General Manager, RADAR Product Unit
  • Matt Anthony, VP, Security Remediation Services, The Herjavec Group
  • Jason Bareiszis, CSIRT Manager & Principal Security Architect, Tetra Tech
  • Malcolm Brown, Industry Analyst Relations, Trend Micro
  • Mark Bernard, CISO, Government, Financial Services, Manufacturing, Pharma, Legal
  • Wayne Chung, Senior Consultant, Information Assurance, Eosensa
  • Ali Shahidi, Chief Cyber Security & Computer Forensics, InfoTransec Inc.
  • Ian Parker, Head of Corporate System Information Security, Risk, and Compliance, Fujitsu Services
  • Joey LaCour, CISO, Colonial Savings, F.A.
  • Ron Kirkland, Manager ICT Security, Crawford and Company
  • Vincent di Giambattista, Director IT Security and Compliance, Alliance Healthcare Ltd.
  • Five anonymous contributors
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019