Building a Cyber Security Incident Response Team

Oct 12th 2021

Building Incident Response Team

For organizations of all sizes, cyber attacks are not a matter of if, but when. Given that an organization is going to experience security incidents, attacks and even breaches, a cyber incident response team and plan is critical.

In a sophisticated threat landscape, what are the key considerations to building a successful cyber security function?

Taking Corporate Responsibility for Cyber Resilience

The following are key requirements for companies looking to build their own cyber security incident response team (CSIRT):

  • Ability to respond to incidents
  • Perform analysis tasks
  • Communicate effectively with all stakeholders
  • Capable problem solvers, adaptable to change, and efficient in day-to-day duties

However, it is not always easy to find skilled and qualified staff and therefore, CSIRTs may need to nurture and develop internal employees to progress into these roles.

Developing a Team – Types of People

A CSIRT team plays a critical role in upholding CSIRT mission and service. Both technical and personal skills are required. A wide range of personal skills are necessary because a major part of the incident handler’s daily activity will involve communicating with other stakeholders who may have various levels of understanding. Therefore, overall success of the CSIRT is reliant on daily interactions that, in turn, can strengthen the reputation of the team and the respect with which that team is held.

On the other hand, a team member who is a technical expert but has poor communication skills could be the downfall of a team. The team’s overall reputation is at risk if communications are poor, misinterpreted or handled incorrectly.

A well-planned incident response plan will result in positive post-incident results. Communication during incident response neither fails nor succeeds; it is either effective or ineffective.

Assemble the Team – Traits of an Incident Responder

Incident responders will need to have a well-rounded skill set that includes:

  • Willing to continuously learn
  • Persistence
  • Curious and Perceptive – wanting to understand how something works
  • Analytical
  • Instinctive
  • Can work under pressure
  • Attention to detail – listen, make notes, recreate processes
  • Think like a cyber criminal
  • Creative and Imaginative – very important in an ever-changing environment

The functions of a CSIRT serve as a powerful reminder that we should harness shared interests in keeping cyberspace safe and lay a strong foundation for cooperative structures to evolve.

Look for individuals who are:

  • Knowledgeable of internal processes within the company from earlier experiences
  • Passionate about being part of a team tasked with defending business operations and preventing cyber attacks
  • Wanting to run through investigations of external cyber threats throughout the incident response (IR) cycle
  • Able to cross-reference data from various security controls and work with relevant teams and third parties to conduct analysis and reach accurate conclusions
  • Able to conduct internal investigations into insider threats whilst also collecting digital evidence that can support any necessary legal requirements.

Individuals inside the company, similar to a network co-op (student with a multi-work term agreement), can be used as a resource as these people are motivated and striving for success. They already know the processes and infrastructure and can be trained to be a level one incident responder.

Various core competencies are necessary. So, depending on the company infrastructure, choose a great server person, a great desktop person and a great network person from inside the company and form a cross-competent team. No team is perfect from the start, but having this internal expertise from the outset will reduce ramp-up time substantially.

Make the Program Yours

Problems change week to week, so keep learning new techniques, pick up internal intel to see what counterparts are doing, and watch what is happening and what is changing. Constantly strive to improve and make the program yours: because problems change weekly, both the program and the people should be adaptable.

Kaizen: Adopting the practice of continuous improvement to improve security posture

In the early 1980s, the Japanese automobile industry popularized the concept of ‘kaizen’, or continuous improvement, as a daily process of positive transformation. Kaizen refers to activities that continuously improve all functions within a company to reduce waste and to increase productivity and efficiency. To adopt this practice, all components of a business must work collaboratively.

Enterprise security programs have often worked in silos and dedicated the majority of their resources towards prevention. As zero-day threats improve, preventative controls fail. Businesses should consider a kaizen approach to threat defense in which each control continuously feeds and improves the others through integration, which can significantly improve an enterprise’s overall security posture.

VMRay supports incident response every step of the way. Detect and respond to critical security incidents within minutes to prevent the spread of threats and limit their impact.

Find out more: Incident Response with VMRay Analyzer: An Automated Army of Virtual Analysts
