5 Key Roles On Your Incident Response Team

Incident response teams cover a lot of turf, but nowhere is that more true than in B2B SaaS companies. In many cases, the leadership team is already stretched thin with hiring, scaling, managing funding, and, most importantly, working directly with customers.

When responding to a cyber security incident, there are certain key roles that will make the response journey efficient and effective. Here are the top 5 incident response team roles for a B2B SaaS company.

Incident Response Team Leadership

This is a very strategic role and carries the initial burden of activating the Incident Response Plan. Facilitation and organization are minimum expectations of the team lead. The role is a central point of contact for team members and key stakeholders.

It is common for this role to be the company Chief Information Security Officer (CISO). Depending on company size, the role can also be played by the CEO, CTO, or COO. Like all roles, having alternates selected in advance is required. Keep in mind, this role will most likely be required to talk with the Board of Directors and significant customers.

IT Operations Leadership

The technical leadership role is quite different from the CISO role described above. This role is in the trenches managing data classification, identity, access, and containment. In smaller SaaS companies, this role is frequently the lead technology role, which might also be the CISO. This is specifically why someone other than the technology lead should play the Incident Response Team Leadership role mentioned above. It will be immediately apparent in a small SaaS company why these roles need to be separated.

“There is just not enough time during an incident to conduct containment and be expected to lead the team too.”

Application Leadership

Similar in many respects to the IT Operations Leader, the Application Leader is involved in triage and containment, but from a different angle. The IT Operations Leader is focused on infrastructure, tools, and log analysis. The Application Leader works with the software development team to identify and take remedial action on exploited vulnerabilities in the application itself. This role is usually the application architect.

Compliance Coordinator

Unlike most other roles, the Compliance Coordinator is not involved in solving the problem at hand, nor is this role the voice of the company. This role is very much behind the scenes, ensuring all the check boxes are checked. A key responsibility for this role is to document the chronology of events throughout the duration of the incident. Maintaining proper contact information for legal counsel, insurance, and regulatory authorities is a minimum expectation. Depending on the size of the SaaS company, this role may be the external contact, or may simply facilitate the contact between the third party and the Incident Response Team Leader or Communications Leader.

Communications Leader

Effective communication is key to leading a successful incident response. That includes both external and internal communication. Consideration should be given to making a specific role for customer communication due to the critical obligations involved. The Communications Leader is responsible for coordinating all messaging for consistency, accuracy, and legality. It is recommended that all messages be pre-approved by legal and kept in an archive, ready to be used when necessary. The Communications Leader will need supporting roles for managing web, social, CRM, and other tools as needed to get the message out in a timely fashion.

In summary

There are many supporting roles required to make an incident response effective. Each company will be different in its organizational design. With a solid security culture, many team structures can work. The above list of key roles for your B2B SaaS incident response team is a minimum for even the smallest of teams. What is even more critical to success than the roles, responsibilities, and expectations is the need for training and drilling the Incident Response Plan.

Photo credit to the CDC

If you need help thinking through this or other leadership challenges, let’s have a discussion to see if I can help in some way.
