The Big Picture of the Security Incident Cycle

The security incident cycle consists of 4 major interrelated phases: Plan, Resist, Detect and Respond. Organizations that struggle with security incidents often do so because they focus too much on one of the phrases, ignoring the rest.

I discussed the big picture of the security incident cycle at the SANS Forensics Blog, building upon the presentation I heard from Richard Bejtlich. I also outlined common failures related to the cycle: Pussyfoot Planning, Resolute Resistance, Dramatic Detection and Ravenous Response.

In addition to failing to devote proper attention to each phase of the security incident cycle, organizations often fail at knowing when and how to transition from one phase to another when dealing with an incident. The challenge is in part due to the differences in technologies and skill sets used in each phase, as well as in the different reporting structure of teams that need to collaborate when navigating the cycle.


About the Author

I design security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.

Learn more