All Posts

    Noam Morginstin Noam Morginstin
    May 23 6 min read

    Why an incident response plan is a security must-have for every organization


    “By failing to prepare, you are preparing to fail. Preparation prior to a breach is critical to reducing recovery time and costs.” (RSAConference)


    For 83% of companies, a cyber incident is just a matter of time (IBM). And when it does happen, it will cost the organization millions, coming in at a global average of $4.35 million per breach.

    The damage isn’t only financial, nor solely related to customer loyalty and brand equity. There are also the regulators who will be fast to penalize, and cyber insurance rates that will likely rise.

    So, it’s no surprise that companies invest millions every year in cyber protections such as intrusion detection and prevention, data loss prevention, endpoint protection, identity and access management, penetration testing, and more.


    The must-have for your toolkit

    However, even if you have a generous cyber budget, no prevention tool is 100% attack-proof. This is why it’s critical to be prepared so when that incident hits you will know exactly:

    • What are everyone’s roles and responsibilities
    • What are the right investigative procedures
    • Which external stakeholders needs to be contacted, e.g., insurance carrier, breach attorney, regulatory authorities, law enforcement
    • Which data needs to be collected
    • Which reports need to be compiled and who needs to get them
    • What are the legal protocols
    • Who should communicate what to whom
    • And more

    There really is no other way to hit the ground running and be fast and accurate in understanding exactly what needs to be done to reduce downtime, costs, and the probability of material impact.

    And this is what the incident response plan is all about.

    It’s the must-have tool for your cybersecurity toolkit, whose importance cannot be understated. Consider these numbers:

      Without an IR plan     With an IR plan
    Days to find the breach & recover 46 days     37 days
    Days to find an adversary & eradicate 35 days     27 days
    Cost of breach $3M   $2.4


    The IR plan’s key elements

    In developing a well-designed IR plan, with the policies, procedures, and guidelines for response, some of the key chapters that should be included are:

    • Roles and responsibilities, e.g., IR commander, handling team, and all other relevant stakeholders
    • The framework for identification and assessment
    • Containment strategies and steps
    • Eradication and recovery processes
    • What is the data that should be collected for intelligence
    • The post-mortem outline
    • Notification requirements
    • Guidelines for communicating with internal stakeholders, customers, law enforcement, the media, regulatory authorities, and the cyber insurance carrier
    • The incident response checklist


    Virtual War Room


    Ensuring efficacy

    Once you have a solid plan in place, you can go a long way towards amplifying its efficacy by:

    Ensuring availability

    When an incident occurs, the first step is to consult the incident response plan for which step each incident stakeholder should take. Accordingly, it is critical that the plan be available even if the relevant enterprise system that stores it is down.

    Testing the plan

    Don’t wait for a live incident to test your plan. Testing processes and guidelines in advance with tabletop exercises is vital to making sure that the plan is clear and effective, and that everyone knows what to do and that they do it right and well.

    Towards this end, stakeholders should be encouraged to execute the response to a scenario as if it was actually happening.

    Once completed, the outcomes of the exercise may be reviewed for understanding what works, what doesn’t, and how response can be optimized.


    The incident response plan must have a consistent and standardized structure and format to ensure that all incidents, regardless of the severity or complexity, are always approached in full alignment with the organization’s policies, procedures, and best practices.


    How Exigence can help

    Exigence brings automation, clarity, and simplicity to incident response, planning, and tabletop testing.

    The platform enables IR planning that is fully digitized and template driven. Its intuitive interface walks users through the different sections of the IR plan, helping them to fill out all the relevant sections quickly and accurately. And it enables teams to test preparedness with tabletop simulations.

    Furthermore, in being multi-tenant, service providers, such as MSPs and MSSPs, can seamlessly create and provide incident response plans and tabletops to a great number of different customers.

    Through this combination of capabilities, anyone can gain unprecedented efficiency, accuracy, and effectiveness with IR planning and plan testing.


    In conclusion

    The IR plan is every organization’s cybersecurity must-have for ensuring preparedness, accelerating response, and meeting regulatory and insurance demands.

    When you have a robust plan in place, you improve your security posture and profoundly enhance the protection of your organization’s most strategic data assets.

    To learn more about how Exigence can help we invite you to reach out to us at

    New call-to-action

    Critical Incident Management major incident management CyberSecurity Incident Response Automating Critical Incident Management

    Critical Incident Management major incident management CyberSecurity Incident Response Automating Critical Incident Management