Does your IR plan lead you in every direction but the right one?

Stop what you are doing. Pull out your written Incident Response plan (if you have one at all). Now, think about this. When is the last time it was physically touched? Is it actually, literally, dusty? Does the date on it read one year ago? Two years? Three years or more?

Next, try to remember why you wrote this IR plan. Was it to have a checkbox checked for compliance? Did you even write it yourself? Did you, gasp, inherit this plan from someone else?

Now which one is the IR plan again?

Your Incident Response plan should be a living, breathing document, updated as your network, staff, and company change. How effective is a document that has outdated device info, staff names, contact information, etc.? Do you realize that your IT team isn’t the only team involved in a proper response? Consider that IT, Legal, HR, Marketing, Executive, the Board of Directors, and more have their own specific role in a true breach.

The new threat landscape

One thing that all mature InfoSec practices now realize is that it’s not if but when their organization will be breached. Preparation is the key to be able to minimize the damage from the attack or attempted attack.

Defense in layers has been preached for years, and while still important, resilience has to be taken into consideration. Defense and alerting allows you to find the threat quickly, but resilience is how you recover and not miss a beat.

Compliance is important, but should be an afterthought when proper security is followed. As long as you employ the right measures for security, its strength can check the compliance boxes for you.

Incident Response is about more than a plan

Consider that Incident Response plans are less valuable without the proper data to investigate.

An organization must store forensic quality, raw logs to be able to dig back in the past. In addition, there are tools available that help by continuously recording 100% of all activity and visualizing the complete attack kill chain empowering real-time response and remediation.

Ryan Duckworth is a Regional Sales Manager for CIPHER with 5+ years of industry experience, and has helped hundreds of companies reform their IR plan and prepare for the worst. Contact him at and he can help update your existing plan to be effective for 2017.