In a recent report, Aberdeen looked at how companies should be thinking about incident response. It should be seen, not as a particular set of actions for a specific incident, but as an essential set of enterprise capabilities.
When Your IT Hits the Fan: Why Your Organisation Needs an Incident Response Capability
“Who You Gonna Call?”
In the context of IT infrastructure, Aberdeen’s research confirms a trend towards developing strong incident response capabilities as an important complement to traditional prevention-orientated security strategies. Logically, it’s become pretty clear to most companies that prevention can’t be successful 100% of the time, so more and more are concluding that it also makes sense to be in a position to detect, respond to and recover from security-related incidents.
Augmenting traditional, prevention-orientated controls with enhanced capabilities to detect, respond to, and recover from an incident is important to reduce the organisation’s security risk. See figure 1.
Traditionally, the majority of security controls that organisations have currently implemented are technical in nature, and are on the prevention side of the security risk equation, as seen in figure 2.
To understand your organisation’s incident response, list all the security-related controls that are currently in use by your organisation, and assign each of them to one of the six possible categories from the framework in figure 2:
- Rows – the primary category of each control (physical, administrative or technical)
- Columns – the primary purpose of each control (prevent, deter, detect, respond, or recover)
Incident Response is Not a Specific Action – It’s a Strategic Capability
One of the most important points about incident response is that specific security threats, vulnerabilities and exploits will continue to come and go, but having certain foundational capabilities will serve the business again and again over the long term. Some examples of these foundational capabilities include:
- Accurate visibility and intelligence about your IT infrastructure
- Efficient means to manage threats, vulnerabilities, patches, updates and configuration changes
- Effective communication among the right people with the right skills and expertise
How Incident Response Capabilities are Maturing
For most organisations, Aberdeen’s research has shown that enterprise incident response capabilities are still in the early stages of maturity. Leaders in this area were found to have much more highly developed capabilities, as seen in figure 3.
Another comparison of Leaders and Laggards that illustrates the still-evolving maturity of incident response capabilities and practices is provided in figure 4.
Summary and Key Takeaways
- Aberdeen’s research confirms a trend towards developing strong incident response capabilities, as an important complement to traditional prevention-orientated capabilities
- Organisations should be thinking about incident response, not as a particular set of actions for a specific incident, but as an essential set of enterprise capabilities
- Examples of foundational incident response capabilities include having:
  - Accurate visibility
  - Efficient means to manage threats
  - Effective communication
- Incident response capabilities are beginning to mature
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.