The Essentials of Cybersecurity Incident Response

To help Xigent clients succeed in the event of a cyber-attack, Sean Mason, director of global incident response practice at Cisco, spoke at our 2019 Siouxland Cybersecurity Forum. He drew on his extensive experience to advise companies on developing a robust and reliable incident response plan. We summarize his insights and the actionable steps he gave for creating a strong incident response strategy.


Incident Response Building Blocks


The broad range of technology within an organization, especially banks, demands a commensurate incident response plan to maintain business data and operational integrity. Cybersecurity incident response requires significant technical proficiency and organizational resources to:

  • Respond to an emergency.
  • Establish policies and procedures.
  • Evaluate risk in an ever-changing threat landscape against a dynamic technology stack.
  • Train employees, contractors and vendors.

The best-prepared organizations approach incident response as a team. They do not rely solely on high-level practitioners.


“Successful incident response requires more than mere technical competence. Good communication skills and protocols are critical.”


Best Practice in Cybersecurity Incident Response

In his presentation, Mason gave attendees some tips and techniques for superior cybersecurity incident response.


Preparing to communicate well may be the differentiator between success and failure. Organizations must know what to say and to whom. This demands the ability to quickly determine important details, such as the relative severity and impact of the event, as well as the affected technical and operational components. Because most cybersecurity incidents unfold over days or weeks rather than in a single moment, organizations should also define the optimal schedule of communication, which Mason described as a rhythm of information flow, for managing the response.


Further, the organization must be able to manage what is said to outsiders, such as the press. None of this will be possible without advance preparation.


“Good communication restores confidence after an adverse security event.”


External communication should assure customers and vendors that the organization can manage the situation by containing the damage. Transparency is more conducive to trust and confidence than secrecy; customers are usually more comfortable when it is clear the organization understands what happened and is quickly remediating the problem. By contrast, any attempt to hide the matter or minimize its impact adds fuel to speculative fires. Transparency tends to remove drama and keep the news cycle short.


Mason’s principles for external communications after an incident:

  • Identify one executive-level person to handle both internal and external communications.
  • Provide a brief public update.
  • Communicate directly with customers.
  • Have canned “reactive statements” the social media team should use, including hashtags.
  • Monitor social media and supply informed responses via these channels.

Since the social media team is typically not connected to the incident response or IT team, the organization should instruct them on messaging to ensure they circulate clear, useful and accurate information.


Involve the legal team early and understand how to communicate without breaching attorney-client privilege. Some legal teams would limit written communication from front-line and back-office staff, for instance, which would require protocols to be in place prior to the incident.


A proactive connection with the organization’s insurer can also smooth out potential issues during a cybersecurity incident. Mason recommended that the policy be studied carefully. Many policies cover only emergency costs and may push organizations to respond in ways structured to reduce upfront financial costs while adding burdensome downstream expenses. For example, a policy may require the use of pre-approved security vendors, or it may require payment of a ransom.


“I don’t think we or anybody else really knows what they’re doing when writing cyber insurance.” – Warren Buffett, 2018


A proactive cybersecurity incident response program will embed rigorous testing into the organization. Mason suggests modern and engaging table-top exercises that involve key members of the organization, from the front office to the C-suite. Simulations are also highly effective tools for preparing a cohesive and effective organizational response.


Cybersecurity Incident Response Is Not Trivial

Banks that want to protect customers and shareholders from cyber threats must do more than maintain their defenses; they must prepare to respond to incidents. Why? Because confidence is the bedrock of economic stability. Only a competent response to an IT security incident will give communities the confidence their investment activity demands.


Download our Network Security Guide for Midsized Banks to learn how to build a strong foundation of data security. To start preparing your organization’s cybersecurity incident response, request a meeting with an Xigent subject matter expert today. Find out how we help clients monitor and report system integrity and stay up to date with threat intelligence.