How to Build a Cyber Incident Management Team

Updated: Oct 22

Today we want to pass on some knowledge we've accumulated over the last decades helping many organizations structure their SOC, CSIRT and overall cyber incident management teams and practices.

At its core, cyber incident management is about maintaining and restoring the three pillars of cybersecurity (Confidentiality, Integrity, and Availability) in adverse circumstances and according to your organization’s business priorities.

Contrary to what we often encounter, incident management is not just a technical discipline: it is a coordinated business function that balances risk, continuity, and reputation under pressure. And the pieces of the puzzle, despite what some technology vendors might argue, must come in a specific order: 1) People, 2) Governance, and 3) Technology.


Figure 1: People-Governance-Technologies priorities for optimal risk mitigation

Because let’s face it: you can have the best hammer, the finest nails, and the most beautiful building blueprint… but without an enlightened team of architects, engineers, and expert construction workers, that house will never see the light of day, no matter how much money you throw at the problem.

That being said, let’s explore the key ingredients to make this happen.


01 Start with a Core Team That Reflects the Business

An effective response starts with people.

Before writing a single procedure, let alone buying any tool, identify the key players who will get involved, lead and support your incident management effort.

You minimally need a central role: the Incident Commander. This person bridges the gap between business leadership and cybersecurity operations.

They do not have to be a deep technical specialist; in fact, that can more often than not be a disadvantage. Pure techies, by interest and experience, often focus on systems and logs while missing the overarching business imperatives: uptime, customers, regulatory deadlines, insurance coverage, communication, etc.

It is important that the person to whom you assign Incident Commander duties understands:

  • How your business functions generate value (make money, etc.) and depend on technology

  • What can and cannot stop without major impact

  • How to prioritize actions when multiple fires are burning


In short, the Commander translates technical findings into business decisions and ensures that every move supports organizational priorities.


02 Surround the Commander with Functional Leads

Incident response is a team sport.

Around the Commander, you will typically find:

  • The Technical Lead: drives investigation, containment, and restoration with technical stakeholders such as:

    • The Security Operations Center (SOC) or CSIRT

    • IT & network operations teams

    • The identity and access management (IAM) team

    • The software engineering team (SecDevOps)

  • The Business Lead: aligns business discussions and activities, in collaboration with key business stakeholders such as:

    • Executives

    • Legal, Risk & Compliance

    • Finance

    • Business lines

    • Communications

Together, they form a cross-functional unit capable of managing not only the threat but also the organization’s exposure, obligations, and reputation.


Figure 2: Composition of incident management teams and capabilities

03 Identify External Human Dependencies

When a crisis hits, you must know who to call and how to reach them.

Among the most important external contacts:

  • Major clients who may require notification under contract

  • Your insurer’s representative

  • Your incident response or consulting firm retainer

  • Your breach coach retainer

  • Your PR firm retainer

  • Local and national law enforcement cyber agencies

Pro tip: reach out to these external stakeholders proactively from time to time, and above all BEFORE an incident happens! This validates their contact information and strengthens the professional relationships that are invaluable in moments of crisis.

04 Give the Incident Management Team the Right Conditions to Operate

Even the best team fails without visibility and coordination. During a live incident, information arrives from every direction: emails, chat threads, tickets, calls, and hallway conversations. Without a structured way to capture and share these inputs, chaos quickly takes over and critical details are lost.

Delegate Proper Authority and Support Your Leadership

Managing a cyber incident is not only about procedures; it is also about confidence and empowerment. The individuals tasked with leading or coordinating during crises must feel trusted and supported by top leadership.

Executives should clearly delegate authority to make time-sensitive decisions and back those decisions publicly. This psychological safety is essential. When responders know they have the mandate to act, they can focus on resolving the situation rather than seeking constant approvals or fearing second-guessing later.

Leadership support also means resources and presence, ensuring that the team has access to communication channels, budget, and expert assistance when it matters most.

An empowered team, equipped with the right orchestration tools, can manage even the most disruptive events with composure, accountability, and clarity.

Enable Orchestration

Each stakeholder must document their actions, findings, and decisions in a common logbook. A spreadsheet is the minimal version: it is better than nothing, but it does not scale well in a multi-party, high-pressure situation.

Ideally, your organization should adopt a secure online orchestration platform that brings everyone together in real time. A mature environment should allow the team to:

  • Prioritize actions based on impact and urgency

  • Log and document activities as they happen

  • Communicate and collaborate across technical, legal, and executive roles

  • Maintain a built-in audit trail to demonstrate diligence

  • Generate reports for insurers, regulators, or internal review

This level of orchestration ensures that decisions are traceable, accountability is shared, and leadership can see the full picture at any moment.

We will explore the tooling aspect in detail in our upcoming article, but the message is simple: the right environment turns fragmented reaction into coordinated execution.

Care for the health of your people

Humans have extraordinary capacities, but they are not machines. A prolonged cyber incident can be exhausting, emotionally and physically. Fatigue leads to mistakes, poor judgment, and burnout, all of which can worsen the impact of the event itself.

In our experience, the first 72 hours and the first week of crisis management are often where organizations lose the human battle if individuals are allowed to exceed their limits. Those initial days are the most intense, both operationally and psychologically, and they often set the tone for the entire recovery.

Organizations that manage crises well recognize that human endurance is a strategic asset. Protecting it is part of resilience.

Here are a few practical ways to support your team:

  • Rotate responsibilities during extended incidents so no one stays “on” for too long.

  • Provide rest windows and clear communication about shifts and expectations.

  • Ensure access to food, hydration, and mental decompression during long work hours.

  • Offer debriefs and psychological support after major incidents to help teams recover and learn constructively.

  • Acknowledge and celebrate efforts once normal operations resume. Recognition matters.

Healthy responders make better decisions, communicate more effectively, and recover faster from stress. A culture that values people as much as performance will always be stronger in the long run.


05 Practice Before It Is Real

Tabletop exercises are where the team learns to move as one. Simulate common scenarios such as phishing, ransomware, or supplier compromise, and focus on decision-making, escalation, and communication.

Each rehearsal should reveal gaps, refine playbooks, and strengthen trust among the players. Breach Commander also allows teams to rehearse playbooks in an orchestrated environment that mirrors real operations without the chaos.

It is also wise to involve the external actors you identified earlier in your simulations. You will be surprised how real life differs from what we imagine.


06 Build the Supporting Frameworks

Once your team has been defined, formalize their activities through clear plans and processes.

Review or put in place the critical governance hierarchy, including but not limited to:

  • BCP (Business Continuity Plan): to prioritize and preserve operations

  • DRP (Disaster Recovery Plan): to test and restore technology

  • IRP (Incident Response Plan): to orchestrate the response

These documents provide structure, but it is your team and coordination platform that bring them to life.



More reading? Continue with our article on How to build a business continuity plan (BCP) for optimal incident management.
