The Big Picture of the Security Incident Cycle

The security incident cycle consists of 4 major interrelated phases: Plan, Resist, Detect and Respond. Organizations that struggle with security incidents often do so because they focus too much on one of the phrases, ignoring the rest.

I discussed the big picture of the security incident cycle at the SANS Forensics Blog, building upon the presentation I heard from Richard Bejtlich. I also outlined common failures related to the cycle: Pussyfoot Planning, Resolute Resistance, Dramatic Detection and Ravenous Response.

In addition to failing to devote proper attention to each phase of the security incident cycle, organizations often fail at knowing when and how to transition from one phase to another when dealing with an incident. The challenge is in part due to the differences in technologies and skill sets used in each phase, as well as in the different reporting structure of teams that need to collaborate when navigating the cycle.

Updated September 30, 2010
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The variety of cybersecurity roles I've held, and the expertise I’ve accumulated allow me to create practical solutions that drive business growth.

Learn more