NIST CSF: Respond: Prepare, Prepare, Prepare.


The Respond phase of a NIST CSF-based Cyber Security program is about responding to the failures of the Protect phase that you detected in the Detect phase. Even if you do not have a formal Cyber Security program, let alone one based on the NIST CSF, you need an Incident Response Plan (IRP). If the three most important considerations when buying real estate are Location, Location and Location, then the three most important considerations when responding to a Cyber Security Incident are Preparation, Preparation, Preparation.

You need an IRP for several reasons.

  1. In today's threat environment the chances that you will never have an incident are low and the severity of the consequences is high, so this is just good business.

  2. In the aftermath of an incident you need to balance responding as quickly as possible (stop the bleeding) with responding as effectively as possible (the cure should not be worse than the disease and uncertainty through poor communication should not be a self-inflicted wound).

  3. An appropriate response should proceed along several tracks at once. This will only happen if you have done the work beforehand to ensure that everyone knows their role. The less time you spend breaking new ground and answering basic questions, the better.

The required coordination is an excellent example of what Pythia Cyber stresses about Cyber Security: those who provide Cyber Security usually have narrow authority but need wide influence. Your IRP will require people from different departments to work separately but in concert. Your Cyber Security people, be they a CISO and staff or the head of IT or an outside vendor, need to know that everyone will do their part, even if many of the response team are not direct reports of anyone involved in Cyber Security.

Oddly, many people who are unsure of the idea that Cyber Security is Risk Management are fine with contingency planning, such as an IRP requires. To us, contingency planning consists of imagining a bad thing happening, then imagining your response and writing down your imagined response. To us, contingency planning is a more general case of Risk Management; the advantage Risk Management has over vanilla contingency planning is that Risk Management has been adapted and refined to support business goals. Risk Management helps us construct a rigorous, formal Cyber Security program.

Responding to a Cyber Security Incident does not have to be part of a rigorous, formal Cyber Security program, but you will really regret it if you are forced to respond without a detailed, well-thought-out, agreed-upon IRP. If you can only afford to take one step toward better Cyber Security, make it creating, revising or updating your IRP. The career you save may be your own.
