Last week I attended the Technology Association of Oregon Cybersecurity Series event, “Breach, Incident or Spill,” an interactive presentation featuring RADAR CEO Mahmood Sher-Jan. Among other best practices, Mahmood outlined how assembling an incident response team now – before an incident has occurred – is a crucial step to your internal process.
As Director of Product Management at RADAR, I have the opportunity to work directly with our customers, and am afforded a first-hand view of how organizations assemble incident response teams.
A common refrain across many organizations is the importance of pairing Security and Privacy roles, so that when regulated data is involved in an event, a cross-functional determination may be made as to whether that event might be a privacy incident, security incident, or data breach and require further investigation or remediation.
But what about other partners in incident response? Who else might you need to pull in internally or externally, in the case of a potential data breach?
These are not questions you want to answer during an event, when your team is stressed and time is of the essence. Assembling your incident response team before an incident ever occurs ensures that, when it counts, your team is ready, trained in their roles, and practiced thanks to regular breach preparedness drills.
When assembling your team, there are multiple roles to consider beyond a core team of IT, Privacy, and Security professionals:
Team Lead: This is the person who will oversee the team, drive escalation of the incident, and convey messages to other members of the incident response team and, potentially, to the executive sponsor, the leadership team, or, if necessary, the board of directors.
Executive Sponsor: An individual in an executive-level leadership position who will help prioritize breach preparedness at the leadership level. This role coordinates with and reports to the executive team, and potentially the board, to ensure everyone is kept up to date on the incident response process.
Internal or External General Counsel: Together with the privacy officer, this role may help validate the breach determination and scope the legally required notifications to regulatory bodies and other parties, such as notifying individuals, the media, law enforcement, government agencies, credit monitoring services, etc.
HR or Customer Success Teams: Depending on the nature of the incident and what information was divulged, customers or your own employees may need to be made aware of a data breach. HR is also an important partner in helping manage the consequences of an employee infraction which may have led to a breach, or in deciding how to communicate internally if employee information has been divulged.
PR or Marketing: If an incident is revealed to be a data breach and of a certain size, your organization may be required to disclose the breach to the media or notify individuals. Public Relations or marketing departments will need to be brought in to identify notification and communication tactics, track media coverage, respond to negative press, etc. The messaging of an incident may require a collaboration between this team and general counsel, depending on what is required to be communicated.
When assigning the roles above, additionally consider who might be appropriate as part of a core team, or essential roles who will shepherd the incident discovery forward and be thick in the weeds of incident response, and who should be considered part of the extended team, or individuals whose roles will only be called on in a consultation capacity or for reporting. Maintaining a tight-knit core team will ensure small events and those incidents which do not require notification or further follow-up will be handled with minimal impact on workloads across departments - and so that, when it’s likely an actual breach has occurred, the team will recognize the severity of the incident and won’t suffer from incident fatigue.
Whether part of the core team or the extended team, it’s important that each role also has an identified primary and secondary contact for that function, as a backup.
We’ve developed a sample worksheet (PDF) to download and circulate with your team to identify core and extended team members and roles. When it comes to compliance, it takes many people across multiple departments working together. Identify your team now to stay one step ahead of your incident response.