5 Strategic Concepts to Keep in Mind during Your Next Incident

Posted by Dave Martin

Managing a cross-functional team through a security incident can be a lot of things—challenging, tiring, frustrating—but it doesn’t have to all be negative. By prioritizing the right things and making a few key leadership decisions, you can help engage your team, set your organization up for success and turn the incident into a positive experience.  

Below are 5 strategic concepts to keep in mind next time your organization is working through an incident:

Balance – There will be some employees on your team who are working around the clock to manage the incident and others who may see their function slow down or go away entirely, depending on the issue. You must know which skills are complementary and how you can move people around so they can help in the fight toward the immediate mission. Encourage your team to be flexible and make quick adjustments to reassign responsibilities.  

Normalcy – It is critical to remember that someone must always “keep the lights on.” Regardless of the type of incident or crisis, there will still be regular, day-to-day work and tasks that need to get done to protect the organization. Ensure that you have regular communication with the teams that are maintaining normal operations and confirm that they have what they need to keep doing their jobs effectively. Also—and this may be a bit unexpected—keep those groups that are working on other critical operations updated on what is happening in the incident as much as possible. You don’t want them to feel that their function is less important or not needed just because the immediate focus is on the incident.

Maintain Movement – Keep the momentum going. If you drop your large projects and priorities every time there is an incident, you’ll never get anything accomplished. If you don’t keep them moving, then when the event is over you’ll find that your budget is a mess, your projects are stalled and your employees are leaving. It is critical to maintain and attend your regularly scheduled meetings as much as possible, engage your team members and shift responsibilities to ensure focus on the most important projects.

Take Notes Along the Way – If you wait until the end of the incident to reflect on what you could do better next time, most of your feedback will be from recent activities. It is crucial to identify opportunities for improvement throughout the cycle and document them. Depending on the length of the incident, I suggest regular meetings to discuss what went well, what didn’t and what you would do differently next time. Assign a team member to keep a running list of everything that is discussed. This way, when the event is over, you’ll have all the feedback from the entire incident.

Recognize the Phases – In order to properly do all of the above, you must recognize the various phases that all incidents cycle through. From detection, to response, to recovery and conclusion, you will have to knowingly shift gears along the way. At the outset of the incident, take a step back to think about the signs that will tell you when the phase is changing and what you will do to adjust. Actively look for those signs as the incident progresses and make decisions to reflect the priorities of the phase that you are in.

Every incident is different and requires different decisions, actions and priorities. However, for any of the above to be successful, it is critical to have regular and transparent communication with all your stakeholders. This includes your employees, leadership, customers, investors, board members and industry groups. Successful communication means that you are clear and honest, and provide the audience with the right information, at the right time, in a manner that they can understand.

Dave Martin

Corporate Vice President and Global Chief Security Officer, ADP


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
