Blogs & Opinions 04.04.2024

You’ve Got an Incident Response Plan, but Have You Tested It?

By failing to prepare, you’re preparing to fail, so get that incident response plan in place, says Chris Denbigh-White

If two buildings are ablaze, it stands to reason that the one with fire marshals, evacuation plans and sprinkler systems, the one that has taken steps to improve its ability to contain a fire through regular testing, will be exposed to less damage and fewer repair costs.

What’s more, the longer it burns, the more damage it causes, so it’s essential to reduce the spread of the flames and limit the time it burns. The same can be said of a cyber attack or data breach. 

IBM’s Cost of a Data Breach Report tells us that roughly half of organisations are planning to increase security investments, which is unsurprising given that the average data breach cost now stands at £3.6m ($4.5m) and is rising. The report also highlights how investing in a robust incident response (IR) strategy is critical to limiting damage from a breach and can potentially reduce costs by up to a third.

Only 45% of companies have an incident response plan

The value of an effective incident response plan is apparent. Yet only 45% of companies currently have one, meaning the majority are likely to be on the back foot if and when a breach is detected. For those wishing to establish an IR plan, and so reduce the likelihood of future firefighting, there is plenty of helpful guidance available (more on that shortly). What sets IR plans apart is their cyclical rather than linear nature; they are a feedback loop of continuous improvement. This is one of the reasons why testing them is so crucial.

By ensuring regular drills, organisations can find new opportunities to improve the execution of their IR plan and spot issues like communication gaps, outdated procedures, uncertain employees, and technological issues. Drills can also provide an opportunity to build understanding and trust between different teams, ultimately reducing the toxic elements of finger-pointing and blame.

Building an effective IR plan

But what should an effective IR plan look like, and what should organisations focus on when putting one together? Based on the ISO/IEC 27035 process, there are several vital steps organisations can take to ensure they have an effective incident response strategy in place, including:

  1. Preparation: Brief description of the fact that there is an information security programme and what it looks like.
  2. Identification: How the incident was identified, what happened, and what is known about its expected or actual impact on people, business, and data.
  3. Containment: What is being done to stop it getting worse?
  4. Eradication: What are the plans to eliminate the issue entirely, and how will they do so?
  5. Recovery: Details of how the incident will be resolved and how the business will return to regular operating cadence.
  6. Lessons learned: Details of the root cause, lessons learned and how these lessons will be (or ideally have been) implemented.

A well-maintained IR plan can support wider communication with regulators, stakeholders, and customers to ensure that vital information (and, with it, trust) is preserved through semantic understanding.

Regulation and the growing case for IR

Once an organisation has established a well-defined IR plan with evidence of regular testing and improvement over time, it will be in an excellent position to communicate its sturdy security posture to stakeholders. In its simplest form, it reiterates: “We care enough to take security a step further towards realism and away from blind optimism”.

If stakeholder pressure is not enough, regulatory pressure is also growing, with recent SEC Cyber Disclosure rules set to make incident response a critical component of organisational security strategies. Under these rules, a public company must disclose an incident within four days of determining that the incident is ‘material’.

Similarly, the updates to Europe’s Cyber Resilience Act around vulnerability reporting will require organisations to have formal response practices to identify, contain and analyse all incidents to determine if reporting is necessary. By implementing and maintaining an IR plan, communication with regulators can become more refined (and, ironically, less likely to be required).

In this environment, having an effective incident response plan is no longer an option but an imperative for organisations looking to mitigate breaches, satisfy regulators and safeguard their operations. The plan doesn’t have to be perfect, but it must exist.


Chris Denbigh-White is Next’s chief security officer. As a former police and intelligence officer, he has built his career in system design, defence, and governance. Chris most recently served as VP of information security at Deutsche Bank. Chris is also an active contributor to the advisory board of the SANS Institute and has played a role in developing the (ISC)2 CISSP exam.
