Cyber threats come in many forms and may severely impact business operations, brand reputation, or financial standing, or lead to lawsuits. Organizations must prepare to respond to cyber events at different organizational levels to limit the damage and accelerate recovery.
Incident management and crisis management plans focus on different aspects of response and have unique sets of objectives. This article explains what incident management is and how it differs from crisis management.
Understanding Fundamental Terms
According to NIST, an incident is an adverse security event that negatively impacts or poses an imminent threat to the confidentiality, integrity, or availability of data, including the technologies that store and process that data. This definition also includes explicit or implied security policy violations.
Not all incidents are equal. The first step after detecting an incident is to classify it. This process involves assigning a severity level and incident category. Appropriate classification drives resource allocation and helps identify the necessary stakeholders to provide expertise and guidance in their functional areas during incident response.
A common approach to delineating incident severity is to measure the impact an incident has on the confidentiality, integrity, and availability of data and information technology systems. For example, enterprises can assign the following impact levels to incidents based on their severity: minor incident, major incident, and crisis, also known as a critical incident.
Incidents with an insignificant effect on the organization are defined as minor incidents. Enterprises typically qualify incidents as minor when they do not cause a notable operational or informational impact on their business. These usually can be handled as part of day-to-day operations. For example, commodity malware that infects an end-user workstation typically qualifies as a minor incident.
A cyber event becomes a major incident when it causes a functional or informational impact on the organization and requires an urgent response beyond day-to-day operations. An informational impact occurs when a cyberattack negatively affects the confidentiality or integrity of data. In contrast, a functional impact occurs when a cyberattack impairs a computer system's functionality, causing a negative effect on business operations.
Major incidents require the activation of a Cyber Security Incident Response Team (CSIRT) or another similar cross-functional team responsible for coordinating and supporting the incident response effort. Moreover, organizations should designate an incident manager to coordinate the incident response effort between stakeholders and manage the different facets of major incident response. For example, when a threat actor exploits a vulnerability in a web application that processes payment card data, the event becomes a major incident because it threatens the confidentiality of the data and requires an immediate and coordinated response.
A crisis is an event that significantly affects business operations, brand reputation, financial standing, or even threatens the very existence of an enterprise. For example, if ransomware encrypts systems that support core business functions, and the affected enterprise has no alternative arrangements to continue business operations, the event becomes a crisis.
There are no one-size-fits-all criteria for declaring a crisis. Organizations must define the parameters of a crisis in their business context and determine what stakeholders have the authority to declare a crisis in their organizations.
Incident management is an action-oriented process that focuses on managing the lifecycle of an incident from a tactical perspective. Enterprises usually create an incident management process as part of a broader incident response plan (IRP) to address and recover from incidents. Tactical response refers to short-term and concrete steps necessary to investigate and remediate incidents.
An incident management process includes the following components to facilitate structured and coordinated incident response:
Activities: actions that stakeholders participating in the process execute to achieve specific outcomes. Activities are often arranged in a workflow with decision points.
Procedures: outline how to carry out specific tasks within the process.
Work instructions: describe how to perform specific tasks within a procedure. Work instructions are often an optional element.
Roles: assign owners to specific process activities and define their responsibilities.
Moreover, ITIL prescribes that organizations should also establish process controls to ensure that the process produces consistent and repeatable outcomes according to its objectives. Process controls include policy, objectives, owner, custodian, documentation, and feedback.
Finally, organizations must dedicate the necessary resources to support the process and build specific capabilities to address incidents effectively. Examples of resources include personnel, technologies, or threat intelligence to aid investigations. In contrast, capabilities refer to the ability to leverage those resources to address incidents, such as analyzing forensic data to determine the root cause of an incident.
It is important to emphasize that incident management is a cross-functional process that brings together stakeholders representing cybersecurity, corporate, business, and technology functions to handle all the facets of an incident adequately.
For example, suppose a threat actor gains unauthorized access to a system that handles highly sensitive data. In this scenario, forensic analysts focus on a detailed technical investigation to determine how the threat actor interacted with the system and establish the scope of the incident. At the same time, the company's legal counsel may evaluate the outcome of the analysis to determine whether the organization should notify any outside parties according to applicable laws and regulations.
Organizations primarily leverage an incident management process to handle minor and major incidents. Because of their limited impact, organizations handle minor incidents as part of day-to-day security operations. In contrast, a major incident requires the activation of a CSIRT and a dedicated incident manager. The incident manager coordinates the various response activities among the stakeholders that participate in the process.
In some cases, organizations may also need to assign an incident commander, also known as an incident officer, to provide strategic direction and set response priorities from a business perspective. For example, when an organization experiences a Distributed Denial of Service (DDoS) attack that impacts a core business function, a senior-level manager may assume the role of incident commander and provide regular updates to senior management on the status of the response.
Handling a crisis through an incident management process alone is insufficient. Incident management focuses on managing cyber events from a tactical perspective, whereas crisis management requires a strategic approach and must be an integral part of the overall business continuity plan (BCP).
To address a crisis event effectively, organizations must create a crisis management plan to address the strategic decision-making and communication components of a BCP. A sound crisis management plan includes the following elements:
Crisis management team: a cross-functional team composed of senior leaders responsible for assessing impact and setting priorities for crisis response.
Command center: a centralized space to control and monitor crisis response. A command center can be a physical facility or a virtual space.
Crisis communications: a set of guidelines and protocols to facilitate communications with internal stakeholders and external entities.
Roles and responsibilities: the roles that specific members of the crisis team assume and their responsibilities pertaining to crisis management.
Escalation process: a set of criteria and protocols that lower-level management can leverage to determine when and how to escalate an incident as a potential crisis.
Legal and regulatory obligations: documented legal obligations and any legal protocols that organizations may wish to invoke during crisis response.
Logistics: the necessary logistical support to facilitate crisis response.
Cyberattacks may negatively impact tangible assets, such as the availability of a computing environment, and intangible assets such as brand reputation and trustworthiness. For example, a data breach can lead to civil litigation and brand damage. Consequently, a crisis management plan emphasizes assessing the risk associated with significant cyber events, protecting brand reputation, and ensuring operational resiliency.
Where Incident Management Meets Crisis Management
Incident management and crisis management are not mutually exclusive. Crisis management is a natural extension of incident management. During a crisis event, these two processes run in parallel with downstream and upstream communication between them. While incident management is concerned with the tactical response, crisis management focuses on the overall business continuity and crisis communications. Figure 1 depicts the relationship between these two processes.
Communication is a significant part of both processes. Incident management communication focuses on coordinating response activities among all the involved stakeholders and ensures that everyone is aware of their roles and responsibilities. On the other hand, crisis communication focuses on messaging with internal and external stakeholders and overall brand reputation management.
You can find out more about building incident response capabilities in the book Cyber Breach Response That Actually Works: Organizational Approach to Managing Residual Risk. The book is available for purchase on Amazon and other major retail stores.
I originally co-authored this article with Matthew Sullivan on LinkedIn on July 21, 2020.