Incident Response is the preparation for, handling of and following up of cyber security incidents, to minimise the damage to an organisation and prevent recurrence.
Incident Response depends on the organisation and the scale of the threat it faces, and there may be several or many apparent incidents every day which need handling. Once an incident response is in progress, the responders need to understand what is happening, so that damage is minimised and the attack is stopped. Incident Response then analyses the causes and proposes changes to stop the same kind of thing happening again.
Throughout this, Incident Response works closely with colleagues in the cyber security team, and with colleagues in other departments too. It is essential to remain calm, ensuring that there is clear communication in a timely fashion with everyone who needs to know what is going on. Finally, it is vital that every significant event and action is logged, so that lessons can be learnt and the response to the next incident is even more effective.
In some roles, Incident Response may configure and maintain system and network monitoring software and hardware. Quieter days may involve drafting or agreeing policies and procedures for handling incidents, or planning and carrying out exercises to test these.
Incident Response protects the security of an organisation’s information systems and data, by following defined procedures to analyse and respond to cyber security breaches. Incident Response may also first detect the breaches and design and implement measures to prevent a recurrence.
In detail you might:
For Incident Response roles, titles include:
An Incident Response role could earn between £40,000 and £65,000 a year. The median figure in February 2021 was £57,000.
A senior Incident Response role could earn between £55,000 and £85,000. The median figure in February 2021 was £62,500.
The salary range is based on job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.
Each of the 16 specialisms is based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
If you're working in a role which has responsibility for the security of industrial control systems (ICSs), you'll also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Related knowledge – you will need a solid understanding of these areas
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Wider knowledge – these areas will help to provide context for your work
Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
The collection, analysis and reporting of digital evidence in support of incidents or criminal events.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
F2 - Incident Management, Incident Investigation and Response
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role or career in which you have developed the ability to be effective and action-orientated, while remaining calm and working collaboratively, may provide the foundation for a role in Incident Response.
Examples of roles and careers in which you may have acquired such attributes include:
From a role in Incident Response, you might move into:
You might also take a more senior role in Incident Response, perhaps managing a Security Operations Centre (SOC) or a Cyber Incident Response Team (CIRT).
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below: