CRA Survey: Good Incident Response Playbooks Boost Staff Morale and Optimize Performance

New survey data suggests that organizations that prioritize Incident Response team structures and training on core skills perform at a higher level with better overall morale

New York, NY, May 10, 2023 – Few descriptions of incident response (IR) adequately capture the intense, relentless nature of the profession. Teams must quickly spring into action, analyze the situation, identify the cause, and act. Organizations that do this best prioritize IR team structures and training, leading to higher performance and morale, according to 205 security and IT leaders, executives, practitioners, administrators, and compliance professionals surveyed by CyberRisk Alliance in March 2023. 

“We implemented a policy — what we call learning Fridays – where every two weeks, we’ve blocked off one to two hours on everyone’s calendar to do training,” said one respondent from the manufacturing sector. “I think that has allowed everybody to stay up-to-date and know what’s going on. That training keeps us fresh and helps us understand anything new that’s coming down the line. It’s become very helpful for us.”

Among the key takeaways: 

• Incident response efforts tend to prioritize plans over people. 73% of respondents say their employer has a playbook to guide incident response actions, but only 63% have a team structure dedicated to IR. However, organizations that do have a dedicated IR team report higher IR readiness overall compared to any other metric we looked at, including that of an IR playbook or strategy.
  
• People are the most important assets – and top challenge areas – for IR. There are simply not enough qualified IT and security personnel to staff IR operations, say respondents. Thus, existing responders are stretched thin and prone to burnout. Just over one-third strongly agree that their IR teams are not given sufficient resources to do the job, nor enough time to study and learn from past incidents.
  
• Problem-solving and team skills are considered just as critical as technical skills. 68% of respondents rank problem-solving as the most or second-most important people skill for incident response. Team skills and oral communication are also must-haves, considered just as important as technical skills like incident analysis and knowledge of tactics, techniques, and procedures (TTPs).
  
• High morale is most common among orgs with established IR teams that adopt a learner mentality. Nearly all respondents say their employer has suffered a security incident, but confident IR practitioners say they’ve provided structure and support for their teams to continually improve and iterate on the IR formula. As one respondent says, “we review response strategy right after an incident has been addressed, and we look for things that could be improved and highlight what worked well.”

For more detailed findings and analysis, the full research report is available for download here.  

About CyberRisk Alliance  
CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, ChannelE2E, MSSP Alert, InfoSec World, Identiverse, Cybersecurity Collaboration Forum, its research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, and now, the Official Cyber Security Summit and TECHEXPO Top Secret. Click here to learn more.