
How to Use a RACI Framework in Security Incident Response

By Robert Wood | November 9, 2022 | Updated: November 28, 2022 | 4 Mins Read

“I thought you were taking care of that.”

That’s not what teams want to be saying when they’re scrambling during an incident response. Across all industries and public sectors, being intentional about roles and responsibilities can decrease communication issues and improve incident response. To help teams make progress toward the latter, this article, the first in a series on the top 10 things to do if you’ve been breached, discusses RACI (responsible, accountable, consulted, informed), a framework for defining roles and responsibilities.

What RACI Is

RACI is a method of defining ownership, accountability, and interface points for a particular project or function. The acronym stands for:

  • Responsible: the manager or team directly responsible for delivery
  • Accountable: the person with final authority over the effort
  • Consulted: a person or team that has unique insights and should be consulted to add value to the effort
  • Informed: a person or team who isn’t directly involved but should be kept up to speed

There are other variations on this framework where an “S” for “supported” could be added.

By facilitating a consistent approach to incident response, the RACI framework enables teams to have mutually understood expectations of their interactions and also to understand their interface points with each other and across the organization, removing the danger of ambiguity and assumptions. I believe the RACI framework should be viewed as a guideline and a living document, leaving flexibility for adaptation and growth.

Who Needs to Be Engaged

The primary teams or people that need to be engaged in the incident response process and part of your RACI matrix should be those in the critical path of containment, investigation, and recovery efforts. Each of these RACI definition areas, and which ones are a priority, will depend on the initial splash zone of an incident; however, it always helps for the following teams to be prepared:

  • The affected team: This is obvious, but the team or teams who were affected by a security incident should be heavily consulted for context, data, or more throughout and after the course of an incident.
  • Senior leadership: In most cases, senior leadership desires (or needs) to be informed of updates. There are cases where they may need to play a more active role as well, such as serving in a particular communications role.
  • Communications/PR: Somebody from a communications team will likely be taking on a responsible role for communicating outwardly and inwardly about the incident.
  • Data stewards: Depending on the organization or regulatory environment, data stewards may exist and need to be consulted on the intricacies of impacted data.
  • Legal: Legal teams are typically consulted from a breach notification standpoint. They should be managing liabilities around notices, credit monitoring, or handling other penalties that may arise as a result of a security incident.
  • Infrastructure/Information technology (IT): Depending on an incident’s scope, engaging the broader IT team to pull more logs or expertise around particular parts of the environment may be necessary.

Secondary Teams or Functions

Effective coordination around an incident isn’t likely to stop solely with the teams outlined above. The following teams or functions may not be top of mind, but they are still necessary to consider in the RACI process.

  • Sales or customer-facing teams: Working with teams that are directly engaging with customers (or prospects) to ensure that questions are answered correctly and the intended message is distributed is key. These relationships are built on trust; effective communication is a critical part of that.
  • Finance: Finance teams usually have a part to play in contract management as well as liability insurance. Consulting with your finance team around areas such as service-level agreements, insurance claims, and expectations set out in technology or service contracts can be tremendously helpful.
  • Product/project management: These roles are typically responsible for molding the roadmap for technology projects. Security incidents may very well throw a wrench into existing plans, and it’s important to begin conversations as early as is feasible to explore what changes in the roadmap may need to happen to balance the immediate security needs.

Retrospect and Review

I mentioned above that RACI definitions should ideally be living and adaptable. Following an incident, it’s important to set aside time for learning, retrospectives, and lessons learned. It’s natural to focus on process gaps or missing technical controls. Evaluating if the defined RACI structure for the incident team worked for or against a successful resolution is important. This is the time to get critical, re-evaluate, and re-establish as needed.

If you’re curious for more knowledge in this area, here is a fantastic resource from Atlassian that discusses broader functional roles and responsibilities in incident management.


Robert Wood

CISO
Executive Branch Agency

Areas of Expertise
  • Cybersecurity

Robert Wood is an Acceleration Economy Analyst focusing on Cybersecurity. He has led the development of multiple cybersecurity programs from the ground up at startups across the healthcare, cyber security, and digital marketing industries. Between experience with startups and application security consulting, he has both leadership and hands-on experience across technical domains such as the cloud, containers, DevSecOps, quantitative risk assessments, and more. Robert has a deep interest in the soft skills side of cybersecurity leadership, workforce development, communication, and budget and strategy alignment. He is currently a Federal Civilian for an Executive Branch Agency and his views are his own, not representing that of the U.S. Government or any agency.
