The Critical Role of the Security Incident Response Coordinator

Security incident response (IR) teams consist of people from diverse professions, including system administrators, infosec experts, forensic analysts, lawyers and PR specialists. Amid the stress that’s often part of the IR process is the incident response coordinator, who acts as the linchpin that brings together the IR team’s efforts.

The IR coordinator typically handles the following tasks when the organization responds to a security incident:

  • Track the progress of the IR process during the security incident.
  • Coordinate the actions of other IR team members, disseminating information as necessary and preventing people from stepping on each other’s toes.
  • Provide status updates to relevant parties who are not members of the IR team.
  • Provide expertise where necessary by either offering guidance from personal knowledge and experience or by channeling such information from the subject matter expert.

The IR coordinator’s overall responsibility is to make sure the IR process is moving forward.

Even if you do nothing else to prepare for responding to security incidents, consider who in your organization or group can act as the IR coordinator. The perfect candidate for the role will have the following attributes:

  • Knows information technology: The IR coordinator doesn’t have to have hands-on technical skills, but it helps. The person needs to be able to speak the language of the technologists “on the ground” who are interacting with the affected systems, network devices and applications.
  • Has strong communication skills: The IR coordinator will often act as the communication hub, using email, phone and in-person interactions to share incident-related information and to coordinate other team members’ activities.
  • Understands the affected environment: The IR coordinator should know the key components of the IT infrastructure and applications involved in the incident. The person should also know the role that these components play in the organization’s business.
  • Can learn quickly and improvise where necessary: The IR coordinator is unlikely to have the full knowledge of the affected environment, its technologies, people or business processes. The person needs to be able to pick up relevant details quickly and, when necessary, think on his feet.

The IR coordinator should also be formally trained in incident response and have experience with at least some aspects of the IR process. Smaller organizations have a hard time keeping trained IR specialists on staff, in which case they either contract with a third party to provide such personnel when the need arises, or designate the best-fit person from the internal staff when an incident occurs.

If you find yourself in the middle of a security incident and don’t know what to do, you may benefit from my IR cheat sheets and the presentation How to Respond to an Unexpected Security Incident. If you’re being proactive about IR, see my Tips for Starting a Security Incident Response Program.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
