More about a career in Incident Response
Depending on your organisation and the scale of threats it faces, there may be several or many apparent incidents every day. You decide which of them needs handling. Once an incident response is in progress, you work to understand what's happening so you can minimise the damage and stop the attack. Then you analyse the causes and propose changes to stop the same kind of thing happening again.
Throughout all this you work closely with colleagues in the cyber security team, if you have any, and with colleagues in other departments such as IT. You do all this while remaining calm and ensuring that you communicate clearly and in a timely fashion with everyone who needs to know what is going on. Finally, you make sure every significant event and action is logged, so lessons can be learned and the response to the next incident is even more effective.
On quieter days, you may be draft or agree policies and procedures for handling incidents, or planning and carrying out exercises to test these.
In some roles, you may configure and maintain system and network monitoring software and hardware.
In this specialism, you protect the security of an organisation’s information systems and data, by following defined procedures to analyse and respond to cyber security breaches. You may also first detect the breaches and design and implement measures to prevent a recurrence.
In detail you might:
- respond to alerts from monitoring/detection systems within defined SLAs
- use configured tools and scripts to identify potential cyber security breaches
- following detailed procedures, analyse, respond to and/or escalate cyber security incidents
- analyse the source, nature and impact of breaches to support threat intelligence
- monitor security appliance health, performing basic troubleshooting of security devices and escalating severe problems to engineers
- contribute to the development of incident response capabilities, policies and procedures
- maintain logs of all actions taken
Some organisations may have only one or two dedicated incident response practitioners. Such organisation call on experts from other areas, including the IT operations team, to staff the incident response team if there is a high-level breach.
Other organisations may have practitioner and senior incident response roles.
An incident response practitioner:
- may carry out of all the tasks described under What are the typical tasks? under some degree of supervision
- is generally not expected to manage the response to the most severe incidents, even under supervision
An incident response lead may:
- carry out the same set of tasks, especially on severe incidents, but without supervision
- be responsible for drafting policies, training or managing colleagues
An incident responder might be:
- in a Security Operations Centre (a SOC)
- in a Computer Incident Response Team (a CIRT)
- the only person responsible for handling incidents in a small organisation
- remaining calm under pressure
- working methodically, following fairly complex defined procedures
- investigating complex problems and find solutions
- collaborating with other specialists, some in very different roles
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- interpreting the output of monitoring systems
- identifying, categorising and registering incidents
- gathering information to enable incident resolution and allocating incidents as appropriate
- analysing unexpected network or system events, assessing their impact, and devising and implementing actions to stop them
- managing the sharing of important information quickly and accurately
- contributing to incident management policies, and investigation procedures and processes
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
F2 - Incident Management, Incident Investigation and Response
- engages with the overall organisation Incident Management process to ensure that Information Security incidents are handled appropriately
- defines and implements processes and procedures for detecting and investigating Information Security incidents
- establishes and maintains a Computer Security Emergency Response Team or similar to deal with Information Security incidents
- working within the legal constraints imposed by the jurisdictions in which an organisation operates, carries out an investigation into a security incident using all relevant sources of information
- assesses the need for Forensic activity, and coordinates the activities of specialist Forensic personnel within the overall response activities, engaging with the relevant organisational processes to ensure that Forensic services are deployed appropriately
- provides a full Information Security investigation capability where third parties, managed service providers, etc. are involved; co-ordinates the response to an Information Security incident
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role or career in which you have developed the ability to be effective and action-orientated, while remaining calm and working collaboratively, may provide the foundation for a role in Incident Response.
Examples of roles and careers in which you may have acquired such attributes include:
- emergency medicine
- operational roles in police services
- operational and staff roles in the Armed Forces
- IT incident management
- business-critical incident management
- customer service/support
- adventure training
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in an Incident Response role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all his knowledge initially.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
If you're working in a role which as responsibility for the security of industrial control systems (ICSs) you'll also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
The collection, analysis and reporting of digital evidence in support of incidents or criminal events.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
You might enter this specialism as an apprentice.
Alternatively, as a graduate entrant, you might have a degree in:
- computer science
- cyber security or information security
Or, you may move into this specialism from another IT role or another cyber security specialism:
From a role in Incident Response, you might move into:
- Vulnerability Management
- Security Testing
- Digital Forensics
- Cyber Threat Intelligence
- Cyber Security Governance & Risk Management
- Network Monitoring & Intrusion Detection
You might also take a more senior role in Incident Response, perhaps managing a Security Operations Centre (SOC) or a Cyber Incident Response Team (CIRT).
Typical Incident Response titles include:
- Cyber Incident Response Analyst
- Cyber Incident Responder
- Cyber Security Incident Responder
- Incident Response Analyst
- Incident Response Specialist
- Threat Intelligence Response Analyst
- SOC Analyst
- Cyber Intelligence Analyst
An incident response practitioner might earn between £40,000 and £65,000 a year. The median figure in February 2021 was £57,000.
An incident response lead might earn between £55,000 and £85,000. The median figure in February 2021 was £62,500.
The salary range is based on job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.