The antivirus console administrator is phoning Maria, the chief information security officer (CISO) reporting to Tom the CEO: “… another virus has been detected. I know we struggle with many incidents like this every day, but this one seems very strange. I’ve never seen it before. It has infected the workstation of a researcher in the R&D lab and it is trying to send loads of data to Internet … the help desk manager just wants the workstation to be reinstalled as soon as possible, saying it’s a common incident and nothing to worry about. …”

Maria interjects: “No. This is now an incident needing our incident management process to kick in. Start sending the virus to our forensics experts, then …”

Cybersecurity Incident Management

One hundred percent protection capability does not exist in cybersecurity. A cybersecurity incident may always occur—whatever the level of investment. However, it is mandatory that the CEO ensure tailored-to-organization capabilities to differentiate low-impact routine cyber incidents from major crises that require prompt escalation to effective cyber crisis management in order to avoid high-impact interruption. This chapter shows the CEO how.