Last Updated on July 25, 2024
With so many competing demands for time and resources, 55% of companies do not have an incident response plan or crisis management plan in place. This makes it much harder to identify and manage risks associated with potential threats, and to respond effectively to minimize impacts when disruptive events occur.
Incident response and crisis management are different functions, but they have factors in common and should be connected for optimal results. This article shares best practices for linking crisis management with incident response.
Incident response and crisis management work in tandem
Incident response relates to cybersecurity events primarily impacting data. Crises are major events impacting the entire organization, including cybersecurity incidents as well as natural disasters, scandals, epidemics, warfare/terrorism, workforce problems, and more.
Because the magnitude of the problems differs, incident response plans involve different levels of the organization than crisis management plans do. But while they need to be handled independently, incident response and crisis management overlap and should be coordinated.
For example, your incident response plan should invoke your crisis management plan anytime a cyber incident escalates to a crisis level. From there, incident management and crisis management can progress in parallel, with internal communication taking place between the teams.
How are incident response and crisis management plans similar?
To deal with the full spectrum of cyber incidents and crises effectively, it is important to note the commonalities between incident response and crisis management activities. These include:
- Incident response and crisis management plans need separate rules and procedures for when and how to invoke them.
- Both plans need well defined roles and responsibilities for who will do what within each plan, including naming specific responsible people/teams. This is not only essential for either plan to work effectively, but also helps keep responsibilities and activities separate when both plans are invoked at the same time.
- You should test both plans in parallel, whether in a tabletop exercise or a full simulation. This will help you spot gaps, areas of confusion, and opportunities to better align the two plans. It will also help ensure each plan works as intended and familiarize participants with their jobs once a plan is invoked.
How do incident response and crisis management plans differ?
Incident response and crisis management plans have different goals and scopes, and usually involve different organizational areas. Specifically:
- Incident response activities prepare for, identify, contain, and remediate cyber-attacks to minimize negative impacts and recovery time for data confidentiality, integrity, and/or availability. These responses are largely tactical/technical.
- Crisis management planning seeks to prevent or reduce company-wide damages from a crisis level event, while supporting operational resilience. Crisis management involves three phases—pre-crisis preparation, crisis response, and post-crisis follow-up.
Some of the key differences that follow from the different goals and scopes of incident response and crisis management include:
| Incident Response | Crisis Management |
| --- | --- |
| Incident response requires fast action to return cybersecurity and IT status to normal. | Crisis management usually requires ongoing strategic activity to gradually control or contain the situation. |
| Incident response is mostly handled by IT and/or cybersecurity managers and team leaders. | Crisis management requires involvement and endorsement from senior leaders, as well as participation from multiple departments and experts. |
| Incident response addresses events of more limited scope that can be handled within minutes, hours, or a few days. | Crises impact the entire organization and can take weeks or months to mitigate. |
| Incident response communication is mostly internal and rarely extends beyond the immediately impacted stakeholders (e.g., users, managers). Little to no external or media communication is needed unless the incident escalates. | Crisis management is all about strategic internal and external communications to keep the board, investors, customers, employees, and other stakeholders informed, while preserving the organization’s reputation, integrity, and trustworthiness. |
How does incident response invoke crisis management?
Cyber incidents can cascade and increase both immediate impacts and follow-on risks. Therefore, incident response and crisis management planning generally interrelate to collectively reduce business risk and mitigate threats.
An early part of incident response is classifying an event according to its magnitude. A common and simple classification scheme is:
- Minor incident (severity 1), with minimal operational and data-related outcomes handled by everyday processes and not affecting customers, partners, investors, etc.
- Major incident (severity 2), with associated operational and data-related issues requiring “above and beyond” efforts, coordination, and expertise to contain.
- Crisis (severity 3), which results in significant revenue losses, makes key services unavailable, and erodes stakeholder trust.
Off-the-shelf malware confined to a few desktop systems is a minor incident. A cyber-attack that brings down a customer-facing website and takes payments offline for 45 minutes is a major incident. A ransomware attack that encrypts core operational systems, renders backups unreachable, exposes customer data, and takes days or weeks for full recovery is a crisis.
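The three-level scheme above can be written down as explicit triage rules so that the decision to invoke the crisis management plan is repeatable rather than ad hoc. The following Python is an added example, not code from the article or its author: the incident attributes, the numeric thresholds, and the sample incidents are assumptions chosen to reproduce the three scenarios just described, and a real plan would substitute its own criteria.

```python
"""Rule-based severity triage for cyber incidents (added example).

Encodes the article's three levels (1 minor, 2 major, 3 crisis) as rules
over hypothetical incident attributes. Attribute names, thresholds and the
sample incidents below are assumptions for illustration only.
"""
from dataclasses import dataclass

MINOR, MAJOR, CRISIS = 1, 2, 3
SEVERITY_NAMES = {MINOR: "minor", MAJOR: "major", CRISIS: "crisis"}

# Thresholds are assumed values, not figures taken from the article.
CRISIS_RECOVERY_HOURS = 72   # recovery measured in days or weeks, not hours
MAJOR_RECOVERY_HOURS = 8     # recovery runs beyond a normal working day
MAJOR_SYSTEM_COUNT = 10      # too many hosts for everyday processes


@dataclass
class Incident:
    """Facts known about an incident at triage time (hypothetical fields)."""
    name: str
    systems_affected: int = 0
    core_systems_down: bool = False
    customer_outage_minutes: int = 0
    data_exposed: bool = False
    backups_unreachable: bool = False
    recovery_estimate_hours: float = 0.0


def classify(inc: Incident):
    """Return (severity, reasons). Crisis indicators are checked first so
    that a single crisis-level fact outranks any number of lesser ones."""
    reasons = []
    if inc.core_systems_down:
        reasons.append("core operational systems unavailable")
    if inc.backups_unreachable:
        reasons.append("backups unreachable")
    if inc.data_exposed:
        reasons.append("customer data exposed")
    if inc.recovery_estimate_hours >= CRISIS_RECOVERY_HOURS:
        reasons.append("recovery estimated in days or weeks")
    if reasons:
        return CRISIS, reasons

    # Major: customer/partner impact or effort beyond everyday processes.
    if inc.customer_outage_minutes > 0:
        reasons.append(f"customer-facing outage of {inc.customer_outage_minutes} min")
    if inc.systems_affected >= MAJOR_SYSTEM_COUNT:
        reasons.append(f"{inc.systems_affected} systems affected")
    if inc.recovery_estimate_hours > MAJOR_RECOVERY_HOURS:
        reasons.append("recovery beyond a working day")
    if reasons:
        return MAJOR, reasons

    return MINOR, ["contained by everyday processes"]


def should_invoke_crisis_plan(inc: Incident) -> bool:
    """The hand-off point: severity 3 triggers the crisis management plan."""
    return classify(inc)[0] == CRISIS


def triage(incidents):
    """Map incident name -> (severity name, invoke crisis plan?)."""
    return {
        inc.name: (SEVERITY_NAMES[classify(inc)[0]], should_invoke_crisis_plan(inc))
        for inc in incidents
    }


# Constructed sample incidents mirroring the article's three scenarios.
SAMPLE_INCIDENTS = [
    Incident("commodity malware on a few desktops",
             systems_affected=3, recovery_estimate_hours=4),
    Incident("customer website and payments down",
             systems_affected=2, customer_outage_minutes=45,
             recovery_estimate_hours=1),
    Incident("ransomware on core systems",
             systems_affected=400, core_systems_down=True, data_exposed=True,
             backups_unreachable=True, recovery_estimate_hours=240),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        sev, why = classify(inc)
        flag = " -> invoke crisis plan" if sev == CRISIS else ""
        print(f"[{SEVERITY_NAMES[sev]:6}] {inc.name}: {'; '.join(why)}{flag}")
```

Because `classify` is a pure function of the facts currently known, it can be re-run each time the picture changes; an incident first logged as major (a short customer outage) is re-triaged as a crisis the moment data exposure or unreachable backups are confirmed, which is exactly the escalation the incident response plan should hand to crisis management.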
What are key elements of crisis management plans?
Incident response communications are primarily internal and tactical, while crisis communications are mostly external and strategic. While a crisis management plan may be invoked as part of incident response, crisis management usually focuses on situational awareness, leadership decision-making, and internal/external communications rather than technical cybersecurity actions.
In short, organizations need both incident response and crisis management plans to cover the spectrum of incident levels and associated responses.
Areas that crisis management addresses include PR, brand reputation control, and coordinated updates to media, shareholders, and regulators.
The first concern in any crisis should be the safety of stakeholders, the public, and the environment. Reputational and financial concerns must be secondary if an organization is to avoid negative perceptions and possible legal/regulatory harms. Putting safety first is also what allows public relations (PR) efforts to position your organization as trustworthy, which is the goal of PR.
How can effective incident response reduce the risk of crisis escalation?
Successful incident response actions can prevent a cybersecurity incident from escalating into a crisis. Best practices include:
- Develop, test, and improve coherent plans with clear roles and responsibilities—especially around decision-making and other leadership functions.
- Emphasize gaining situational awareness and control.
- Communicate effectively, consistently, and in a timely manner to all impacted stakeholders. Don’t obfuscate or go “radio silent” as this creates mistrust.
- Ensure that staff with incident response roles get the necessary training and feedback on their performance.
- Be accountable: accept responsibility without downplaying impacts or blaming others.
- When necessary, communicate your remediation plan, including steps to address root causes and prevent future incidents.
What’s next?
For more guidance on this topic, listen to Episode 139 of The Virtual CISO Podcast with guest Kevin Dinino, Founder and President at KCD PR.