Over the last few weeks, we’ve talked about the all-important roles that legal teams play in transforming privacy incident response from chaos into best practice. We’ve also explored how privacy and security teams can collaborate effectively to protect your organization’s brand, profit, customers, and more. In this post, we’ll explore an often overlooked piece of the incident response puzzle: involving the information technology (IT) team.
While incident readiness isn’t always a top priority for today’s IT leaders, their teams do play a vital role in incident management. If you’re a member of a privacy or security team, chances are you’ll set your company up for success by working closely with your Chief Information Officer (CIO) or similar head of IT. A collaborative partnership streamlines incident management program planning, clarifies division of roles and responsibilities, and strongly positions all preparation and response activities.
Read on to understand IT’s role in addressing cybersecurity and privacy incidents and how to incorporate your IT team into your integrated incident response program.
Why do the CIO and IT team need to be involved in incident management?
It’s well known that the CIO’s role is evolving in the modern organization. What may be less understood is how much overlap exists between IT priorities and those of security and privacy professionals. That overlap gives several reasons to involve CIOs and IT in incident management and response:
- Incident prevention. Whereas security and privacy teams care about data privacy and protection, the IT team cares about identifying any infrastructure and data vulnerabilities. CIOs are frequently responsible for the organization’s data and for devising best practices for incident prevention and remediation as part of their responsibilities for ensuring business continuity.
- Cross-functional, seamless incident response. Since the IT team supports the security and privacy teams’ efforts during incidents, including mega breaches, malware, and ransomware attacks, all three teams are mutually concerned with defining specific, actionable incident response plans — as well as clear roles and responsibilities. For example, when and how does the IT team alert the privacy team about lost laptops? How do both teams handle misdirected emails? What role do automation technology and alerting systems play?
- Team productivity & profitability. Incident response can sideline any team’s regular duties for days or even weeks, so IT, privacy, and security teams are similarly motivated to develop proactive systems to protect department productivity and the overall business’s bottom line.
- Tools & technology. Increasingly, automation plays a role in all of the above and more. As such, the IT team is usually responsible for the purchase of technology to support other teams, including what’s needed for incident management and incident reporting.
These are only some of the reasons IT is a critical component of incident readiness.
IT’s role in incident management
When IT teams effectively coordinate incident management with privacy and security teams, they sidestep penalties and lawsuits, maintain the day-to-day work that contributes to revenue, and preserve your organization’s brand. But what exactly does the IT team’s role involve?
Overall, information technology organizations’ role in incident management involves developing a strategy to ensure infrastructure and data protection, working cross-functionally to develop robust incident prevention and response processes, and enhancing all of the processes with available technology.
In the event of a cybersecurity or privacy incident, IT also plays a pivotal role in incident response. Below are a few of the incident response tasks that your IT team may perform:
- Help the security team reset employees’ passwords on compromised accounts.
- Use a mobile device management (MDM) tool to wipe a phone that has been lost or compromised.
- Assist the security team in checking an email account for malicious messages when a phishing email is reported. They might also search for that email in all employee mailboxes.
- Coordinate with security and privacy teams in the case of a mega-breach or a major ransomware infection, depending on the circumstances. The IT team’s tasks could include shutting down and restarting servers, checking data, and restoring backups.
Sometimes, the IT team may need to initiate the response to an incident. For example, when employees lose laptops, the IT team may:
- Remotely wipe laptops to protect organization and customer data.
- Use multi-factor authentication to harden the employee’s account. This makes it much harder for attackers to access company networks.
- Review backup files and alert the privacy team if files contain customer information.
- Call the police, file a claim, and supply the laptop’s serial number and other information.
As you can see, the IT team’s role varies as it works with privacy and security teams during different types of incidents. But in each instance, that role is vital.
Making IT a part of your incident management program
Once your IT team understands its potential roles in incident management, and why those roles are of strategic importance, it’s a great practice to co-define its part in your overall incident management program. Here are some of the best approaches we see at the moment:
- Clarify IT’s role with your CIO. In some cases, IT is not as involved in incidents as the security or privacy teams, so they may not be as aware of the need to prepare. Make sure your CIO and IT team are aligned with privacy and security leaders on objectives, processes, and roles & responsibilities of each team in incident response readiness.
- Conduct relevant tabletop simulations frequently, involving your CIO and IT team members. As we’ve said before, teams should often run tabletop exercises, so they know how to respond effectively and efficiently when incidents do occur.
While ransomware attacks are often in the news, and ransomware tabletops will involve all teams, you also need to prepare your people for incidents that are smaller in scope — such as an accidental share of customer information. Preparing for “smaller” incidents empowers each team to quickly take action, preventing penalties, litigation, or reputation loss.
- Avoid using giant, template-based incident response plans. As we’ve said before, generic response plans are obsolete because they prevent your teams from developing responses for your particular organization. Create tailored plans that address specific types of incidents by breaking tabletops down into smaller, more specific exercises. For example, you can have one exercise for misdirected emails, one for lost laptops, and so on. That way, your exercises will take less time while increasing your teams’ sense of competence.
- Create actionable playbooks to guide tabletops and actual incident response. Security and IT teams tend to have their own standard operating procedures (SOPs) for different types of crises, and those SOPs can form the basis for incident playbooks that incorporate procedures and tasks for all relevant teams. Take the following steps:
  - Decide which team will have the lead role for a particular incident.
  - Use the lead team’s SOP as the playbook’s main text.
  - Ask other teams to add their tasks and procedures to the playbook.
  - Hold a discussion about how procedures and tasks should integrate.
  - Then, further refine the playbook’s content to ensure a smooth response from all team members.
The BreachRx platform simplifies putting together actionable playbooks, enabling your teams to quickly prepare for an incident, automatically assign tasks, and effortlessly collaborate.
Taking the time to prepare is worth it
By being proactive, your organization will have excellent protection against the different privacy and security risks it can encounter in the world of 21st-century business. Cross-functional incident readiness plans are truly the difference between surviving and thriving.