Go with the Flow

Once your team is in place, you should create a diagram that spells out, step-by-step, what each part of the security organization needs to do when a breach occurs. And while the incident process needs to be flexible in order to handle various kinds of attacks, Silverstone says, you won't want to leave any of the steps in the diagram to interpretation. "Be precise. Everyone should know who to call and what to do in every type of situation," Silverstone says. "If you leave it open-ended and someone makes the wrong decision, you'll leave your organization open to liability."

Once you determine that you have a genuine incident on your hands, you and your designated team members can formulate a response strategy. Is the incident major or minor? Does it threaten vital business functions? Do you want to contain the incident and maintain business continuity, or do you want to allow the incident to unfold so that you can gather forensic evidence for an investigation further down the road? Should you contact outside agencies yet? Is it necessary to communicate with the general employee population? The answers to such questions will help the process move along more quickly and predictably, saving precious time and money, minimizing damage and maintaining business continuity for your company.

Consider making a team member the designated note-taker so that when a crisis hits, there's no confusion about who's capturing all the important information.

It Ain't Over 'Til It's Over

Finally, after every incident, CSOs need to lead their incident response teams in a postmortem review process that examines how well the incident team dealt with the attack. Did team members follow the response diagram? Did staff members handle the incident calmly? Did everyone on the contact list respond promptly? Should the contact information be updated or changed in any way? And, finally, do you need to add anyone to the team or adjust the procedures?

"If you don't learn from what you've just experienced, you open yourself up to more attacks," says Raymond James Financial's Fredriksen. The review is your chance to improve the plan and the team so that you can work out any kinks before the next incident strikes. Fredriksen recommends doing a risk analysis after every incident to make sure as many vulnerabilities as possible are secured.