
Incident Response

Incident Response is the preparation for, handling of and following up of cyber security incidents, to minimise the damage to an organisation and prevent recurrence.


More about a career in Incident Response

Working life

An introduction to this specialism

The work of Incident Response depends on the organisation and the scale of the threat it faces; there may be several or many apparent incidents every day that need handling. Once a response is in progress, the responder needs to understand what is happening so that damage is minimised and the attack is stopped. Incident Response then analyses the causes and proposes changes to stop the same kind of thing from happening again.

Throughout this, Incident Response works closely with colleagues in the cyber security team, and with colleagues in other departments too. It is essential to remain calm, ensuring that there is clear communication in a timely fashion with everyone who needs to know what is going on. Finally, it is vital that every significant event and action is logged, so that lessons can be learnt and the response to the next incident is even more effective.  

In some roles, Incident Response may configure and maintain system and network monitoring software and hardware. Quieter days may involve drafting or agreeing policies and procedures for handling incidents, or planning and carrying out exercises to test them.

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

Incident Response protects the security of an organisation’s information systems and data, by following defined procedures to analyse and respond to cyber security breaches. Incident Response may also first detect the breaches and design and implement measures to prevent a recurrence. 

In detail you might: 

  • respond to alerts from monitoring/detection systems within defined SLAs 
  • use configured tools and scripts to identify potential cyber security breaches 
  • following detailed procedures, analyse, respond to and/or escalate cyber security incidents 
  • analyse the source, nature and impact of breaches to support threat intelligence 
  • monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers 
  • contribute to the development of incident response capabilities, policies and procedures 
  • maintain logs of all actions taken 

Job Titles 

For Incident Response roles, titles include: 

  • Cyber Incident Response Analyst 
  • Cyber Incident Responder 
  • Cyber Security Incident Responder 
  • Incident Response Analyst 
  • Incident Response Specialist 
  • Threat Intelligence Response Analyst 
  • SOC Analyst 
  • Cyber Intelligence Analyst 

Salaries 

An Incident Response role could earn between £40,000 and £65,000 a year. The median figure in February 2021 was £57,000. 

A senior Incident Response role could earn between £55,000 and £85,000. The median figure in February 2021 was £62,500. 

The salary range is based on job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Incident Response. 

Core knowledge – you will need a very good understanding of these areas 

Security Operations & Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

If you're working in a role which has responsibility for the security of industrial control systems (ICSs), you'll also need:

Cyber-Physical Systems Security 

Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures. 

Related knowledge – you will need a solid understanding of these areas 

Malware & Attack Technologies 

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches. 

Adversarial Behaviours 

The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers. 

Wider knowledge – these areas will help to provide context for your work 

Human Factors 

Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours. 

Forensics 

The collection, analysis and reporting of digital evidence in support of incidents or criminal events. 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Hardware Security 

Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness. 

Skills

What personal attributes might you need? What specialist skills are important?

Personal attributes 

  • remaining calm under pressure 
  • working methodically, following fairly complex defined procedures 
  • investigating complex problems and finding solutions 
  • collaborating with other specialists, some in very different roles 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

  • interpreting the output of monitoring systems 
  • identifying, categorising and registering incidents 
  • gathering information to enable incident resolution and allocating incidents as appropriate 
  • analysing unexpected network or system events, assessing their impact, and devising and implementing actions to stop them 
  • managing the sharing of important information quickly and accurately 
  • contributing to incident management policies, and investigation procedures and processes 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

F2 - Incident Management, Incident Investigation and Response 

Principles: 

  • engages with the overall organisation Incident Management process to ensure that Information Security incidents are handled appropriately 
  • defines and implements processes and procedures for detecting and investigating Information Security incidents 
  • establishes and maintains a Computer Security Emergency Response Team or similar to deal with Information Security incidents 
  • working within the legal constraints imposed by the jurisdictions in which an organisation operates, carries out an investigation into a security incident using all relevant sources of information 
  • assesses the need for Forensic activity, and coordinates the activities of specialist Forensic personnel within the overall response activities, engaging with the relevant organisational processes to ensure that Forensic services are deployed appropriately 
  • provides a full Information Security investigation capability where third parties, managed service providers, etc. are involved; co-ordinates the response to an Information Security incident 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any role or career which has developed the ability to be effective and action-orientated, while remaining calm and working collaboratively, may provide the foundation for a role in Incident Response.

Examples of roles and careers in which you may have acquired such attributes include: 

  • emergency medicine 
  • operational roles in police services 
  • operational and staff roles in the Armed Forces 
  • IT incident management 
  • business-critical incident management 
  • customer service/support 
  • adventure training

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialism 

  • Digital Forensics 
  • Cyber Threat Intelligence 
  • Cyber Security Management 
  • Network Monitoring and Intrusion Detection 
  • Vulnerability Management 

Moving On 

From a role in Incident Response, you might move into: 

  • Vulnerability Management 
  • Security Testing 
  • Digital Forensics 
  • Cyber Threat Intelligence 
  • Cyber Security Governance & Risk Management 
  • Network Monitoring & Intrusion Detection 

You might also take a more senior role in Incident Response, perhaps managing a Security Operations Centre (SOC) or a Cyber Incident Response Team (CIRT). 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Real life examples

Hear from someone already working in this specialism

Benn Morris, CEO for 3B Data Security, Adam D'Arcy, DFIR Lead for CyberClan and Sean McCormack, Operations Director for The Cyber Scheme talk more about what a typical day looks like in the Incident Response specialism.

Contextualisation of the specialism

If you are applying for a professional registration title, the Standard of Professional Competence and Commitment (SPCC) for Incident Response can be found here.

© 2025 UK Cyber Security Council | Registered charity no. 1195030