CHAPTER 2 Building a Cybersecurity Incident Response Team
Enterprises build defenses to protect digital assets from cyberattacks and keep cyber risk at an acceptable level. However, even with state-of-the-art controls, cybersecurity incidents are inevitable. For this reason, enterprises need a team with specialized skills to respond to incidents and coordinate activities between all of the parties that participate in the incident management process.
The structure and support model of an incident response function, and the services that it will provide to the organization, are vital considerations. Enterprises also need to decide which capabilities to build in-house and in which areas they need to partner with outsourcing organizations.
This chapter discusses various topics that organizations need to consider when building a cybersecurity incident response team (CSIRT).
Defining a CSIRT
This section discusses the characteristics of a successful team; clarifies the difference among Computer Emergency Response Team (CERT), Security Operations Center (SOC), and CSIRT; and provides a detailed explanation of what the term CSIRT really means.
CSIRT History
The history of CSIRT started with the “Morris Worm.” On November 2, 1988, Robert Tappan Morris, a student at Cornell University, launched a self-replicating computer worm from an MIT computer via the Internet. Known as the “Morris Worm,” the code crippled nearly 6,000 computers, which at that time was roughly 10 percent of all ...