Chief incident response officer vs David the Malware Slayer

An introduction to centralized versus decentralized incident response

With the growing complexity of cyberattacks, organizations are increasingly expected to have a plan B.

A reaction must be given to a cyber-attack to guarantee the continuity of the organization. I see two main methods of orchestrating such a reaction: centralized and decentralized.

Reacting to a cyber-attack is more commonly known as incident response. Incident response is an essential part of the business continuity, but that does not make it any simpler to prepare. Many organizations struggle to respond to a simple question of who should have the authority during such a scenario? Should the executive board have the authority? Should the CFO still be making the call on where to spend the money? Or should we place our trust in the cyber-defense team?

Where authority is placed determines who is responsible for orchestrating the response. That orchestration power also determines who declares the state of emergency, which effectively starts the incident response process. Once the process has been initiated, this authority must make the decisions on how to deal with the attack. To simplify the placement of authority, we can consider two primary options: centralized and decentralized authority.

What is centralized authority? What is decentralized authority?
  • With centralized authority, we can commonly think of a Cyber Defense Center (CDC) providing 24/7 coverage to the organization. Of course, this can be done without a CDC, but the key characteristic is that there is a single authority that covers the entire organization. While this may result in slower communication, the results are often more holistic.

  • Decentralized authority occurs in many forms. In practice, it often results from local initiatives to help meet localized requirements. We often see cybersecurity champions leading these initiatives with sporadic backing from executive management. While fast to respond, cooperation with other authorities can be challenging.

The comparison

Both centralized and decentralized structures should follow the incident response lifecycle[1]. When we ignore the difference in resources (such as tooling or budget), we see little difference in effectiveness in performing the required actions. However, there is a difference in efficiency. This difference becomes clearer when looking at cyberattacks that target the whole organization. This is an important consideration, as an attacker is looking for a vulnerability in an organization, not a location.

Additionally, we have observed that incident response initiatives often start off as local initiatives and therefore take on a decentralized organization structure. Driven by a necessity to respond to an active attack, these initiatives are often championed by knowledgeable IT staff.

Centralized authority [2]
  • With highly critical incidents there is an inherent advantage to centralizing authority; a centralized orchestration that has a clear picture of the state of the entire organization provides insight into the scope of the entire incident.
  • Another benefit is a more efficient spending strategy, as key components are only purchased once (e.g. threat intelligence, tooling, external consultancy).

Decentralized authority [2]
  • Decentralized structures often experience more rapid development. These teams are often more capable of adapting to new requirements. This results in a more tailored response to local threats and incidents, resulting in highly specialized, local procedures.
  • The main challenge here is that of communicating outside of the localized team in large-scale incidents.

Conclusion

There are many differences to consider in both centralized and decentralized authority structures. An important consideration is that of holistic response versus adaptiveness. Moreover, the effectiveness of the chosen structure is more dictated by tooling and budget. The perfect solution for any specific organization will be somewhere in between. Hybrid solutions, where localized teams report to the global team, are more commonplace.

To summarize the benefits and drivers of both options, I present the following table:

Centralized
  Advantages:
    • Holistic
    • Cost efficient
  Drivers:
    • Standardization
    • Uniformity

Decentralized
  Advantages:
    • Adaptiveness
    • Specialization
  Drivers:
    • Necessity
    • Local champions

While this analysis has been brief, it shows two extremes of how incident response can be organized, specifically with regard to authority. As the field of cybersecurity is rapidly changing, so are response strategies. To best adapt to this changing world, you should consider what best fits your organization and what risks you are willing to take.

Topics not touched upon in this paper are additional requirements, such as regulatory compliance, technical infrastructure or required response procedures, all of which may impact the preferred solution for your organization.

This blog does not present any simple solutions to today's challenges, but it should be considered a starting point for weighing the many factors that play a role in incident response.

Visit Capgemini Cybersecurity for more information about our services.


References

[1] NIST. (2012). Computer Security Incident Handling Guide. U.S. Department of Commerce.

[2] Center for Information Systems Research. (2004). IT Governance on One Page. Cambridge, Massachusetts: MIT Sloan School of Management.
