How effectively an enterprise handles a cybersecurity incident has a significant effect on how much damage occurs and how quickly the business can recover.
Organizations need both incident management and incident response strategies. Although the two terms overlap -- and many security pros use them interchangeably -- they are technically distinct.
What is incident management?
Incident management refers to an organization's wider strategic handling of an incident. It requires the coordinated oversight of a leadership group, which usually includes representatives from teams such as the executive board, IT, legal, communications and HR.
The following are some responsibilities an incident management group typically handles:
- proactively preparing incident management plans before an incident occurs;
- overseeing technical response efforts during an active incident;
- calling on third-party help as required;
- deciding when and how to communicate incident details and the organization's response with staff, clients, regulators and the media; and
- following up after the incident's resolution to evaluate how it should inform future incident management strategies.
What is incident response?
In its strictest definition, incident response is the technical part of the overarching incident management process. Imagine an organization is the victim of a ransomware attack. The incident response would include the following activities:
- initial identification of the incident, perhaps through a SIEM or security orchestration, automation and response tool;
- an alert from a staff member or a third-party security operations center;
- containment of the ransomware, if the identification was sufficiently timely;
- attempts to eradicate the infection from the network; and
- data restoration from backups.
The typical incident response team is made up mostly of internal security and IT professionals, perhaps with support from third-party security providers.
Differences between incident management and incident response
Incident response is tactical and focused, while incident management is strategic and broad.
Because incident response is essentially a subset of incident management, one can't succeed without the other. The overarching incident management strategy heavily influences technical incident response processes. And, incident response directly affects how likely the business is to lose sensitive data to theft or encryption, making it a critical part of incident management.
Incident response has significant immediate effects, as it determines how quickly and effectively an organization can recover from an attack or other security incident.
Incident management tends to have greater long-term business effects, as it encompasses communication with key stakeholders. If an organization does not have an effective incident management strategy for dealing with an attack, then it is far more likely to gain negative attention from staff, clients, the media, regulators and the general public -- causing long-term reputational damage to the brand. For this reason, having an incident response plan that includes incident management details is key.
It is also imperative to rehearse incident management and incident response processes using realistic tabletop exercise scenarios. It's surprising how often organizations believe their response plans to be effective, until testing reveals simple mistakes -- such as storing the response plan on the same network hackers have encrypted, making it inaccessible.