Skip to Content

Chief incident response officer vs David the Malware Slayer

Sebastiaan de Vries
June 29, 2020

A reaction must be given to a cyber-attack to guarantee the continuity of the organization. I see two main methods of orchestrating such a reaction: centralized and decentralized.

Reacting to a cyber-attack is more commonly known as incident response. Incident response is an essential part of the business continuity, but that does not make it any simpler to prepare. Many organizations struggle to respond to a simple question of who should have the authority during such a scenario? Should the executive board have the authority? Should the CFO still be making the call on where to spend the money? Or should we place our trust in the cyber-defense team?

The importance of placing authority is reflected in the responsibility to orchestrate the response. This orchestration power also determines who initiates the state of emergency, effectively starting the incident response process. Once the process has been initiated, this authority will need to make decisions on how to deal with the attack. To simplify, the placement of the authority we can consider two primary options: centralized and decentralized authority.

What is centralized authority?What is decentralized authority?
With centralized authority, we can commonly think of a Cyber Defense Center (CDC) providing 24/7 coverage to the organization. Of course, this can be done without a CDC, but the key characteristic is that there is a single authority that covers the entire organization. While this may result in slower communication, the results are often more holistic.  Decentralized authority occurs in many forms. In practice, it often results from local initiatives to help meet localized requirements. We often see cybersecurity champions leading these initiatives with sporadic backing from executive management. While fast to respond, cooperation with other authorities can be challenging.  

The comparison

Both centralized and decentralized structures should follow the incident response lifecycle[1]. When we ignore the difference in resources (such as tooling or budget), we see little difference in effectiveness in performing the required actions. However, there is a difference in efficiency. This difference becomes clearer when looking at cyberattacks that target the whole organization. This is an important consideration, as an attacker is looking for a vulnerability in an organization, not a location.

Additionally, we have observed that incident response initiatives often start off as local initiatives and therefore take on a decentralized organization structure. Driven by a necessity to respond to an active attack, these initiatives are often championed by knowledgeable IT staff.

Centralized authorityDecentralized authority
With highly critical incidents there is an inherent advantage to centralize authority; a centralized orchestration that has a clear picture over the state of the entire organization provides insight into the scope of the entire incident. Another benefit is a more efficient spending strategy as key components are only purchased once (e.g. threat intelligence, tooling, external consultancy).Decentralized structures often experience more rapid development. These teams are often more capable of adapting to new requirements. This results in a more tailored response to local threats and incidents resulting in highly specialized, local, procedures. The main challenge here is that of communicating outside of the localized team in large-scale incidents.



There are many differences to consider in both centralized and decentralized authority structures. An important consideration is that of holistic response versus adaptiveness. Moreover, the effectiveness of the chosen structure is more dictated by tooling and budget. The perfect solution for any specific organization will be somewhere in between. Hybrid solutions, where localized teams report to the global team, are more commonplace.

To summarize the benefits and drivers of both options, I present the following table:

Advantages:Holistic Cost efficientAdaptiveness Specialization
Drivers:Standardization UniformityNecessity Local champions

While this analysis has been brief, it shows two extremes on how to organize incident response organization, specifically authority. As the field of cybersecurity is rapidly changing, so are response strategies. To best adapt to this changing world, you should consider what best fits your organization and what risks you are willing to take.

Topics not touched upon in this paper are additional requirements, such as regulatory compliance, technical infrastructure or require response procedures, all of which may impact the preferred solution for your organization.

This blog does not present any simple solutions to today’s challenges but should be considered a starting point for the many factors that should be considered during incident response.

Visit Capgemini Cybersecurity for more information about our services.


1 NIST. (2012). Computer Security Incident Handling Guide. U.S. Department of Commerce

2 Center for information system research. (2004). IT Governance on One Page. Cambridge Massachusetts: Sloan School of Management