Planning an Effective Cybersecurity Incident Response: Creating and Building For Success

Detect and stop attacks, minimize damage, and prevent future attacks of the same type – can your cybersecurity incident response achieve these goals?

How can we ensure that we have the right process in incident response and the right documentation should we need it?

Today our guest is Roger Caslow, a CISO at HRSD – a regional utility in Virginia that provides critical infrastructure services to several cities and counties in the region.

As a US Navy Veteran with 20 years in various information security roles, he understands the importance of having a proven and tested incident response plan. Roger pooled the critical success factors for managing the risks all companies must address.

Join us as we discuss:

  • The importance of the preparation and validation of processes and controls
  • The key critical factor in a cybersecurity incident response plan
  • Connection points between the three Ps (People, Process, Policy)
  • Technology Solutions

Let’s go deeper here with our guest expert on this episode.

Security and its challenges

Roger spent his entire career doing security, physical security force protection, counter-intelligence, insider threat, and cyber security for various companies and organizations (private and public).

He is responsible not only for information technology security but also for operational technology (OT) and industrial control system security, where he deals with threat actors in many areas, and he believes that doing is a lot harder than thinking.

Where information technology and operational technology meet, Roger noted that putting security controls in place and then actually operating them is much harder than many OEMs think. That does not change the fact that cybersecurity incident response should be top of mind for all companies these days, especially since an incident can have a massive impact on the life of a business.

Prevention is better than cure

We should never wait until it is too late, because no one gets things right in the middle of an incident, especially when they do not have an exact and full picture of the organization they are dealing with. Even the team an insurance provider sends in will not fully know how to handle it, because they lack knowledge of your infrastructure.

“I’ll pull ransomware (which is just another flavor of malware) out of that space because the regular incident response is hard enough as it is,” he added.

In the case of the combined approach for GRC (governance, risk, compliance), nobody even likes to do it because it’s the least sexy of all functions in the cybersecurity space.

Roger believes it’s not all doom and gloom though. We can win against the bad guys with a prebuilt incident response strategy.

When we’ve identified an incident, it is important to be able to know:

  • Who do we notify?
  • How do we notify?

If we have the process and policy in place and we know what we have to do, laying out the framework lets us work through the processes, procedures, and all the sub-processes that an incident response plan has to cover. Communication planning and the communications process are key factors.

Be careful with the B word

Breach. It is a legal term. If you currently have an incident to manage, don’t use the B word until you know for a fact that data has been breached. Using the word breach pulls all kinds of regulatory triggers – FCC, FTC, OCC, etc.

Technology Solutions – Proper Tooling Decisions

Roger expounds on why companies are outsourcing incident response: it is a heavy capability to carry, and it requires a very specific set of skills.

Before everything else, you need to have the process documented. All of these have to be prepared before an incident.

To have a solid security posture, we need to continue training the workforce and make people aware of what’s going on out there.

ETA – Education, Training, and Awareness. They all go together.

“When it comes to incident response,” Roger recommends, “if you’re a small or medium-sized organization, outsource to a managed security service provider or MDR, whoever, first.”

Security doesn’t exist for security’s sake, and IT doesn’t exist for IT’s sake in most organizations.

Look at retainer fees from the standpoint of: are you going to pay now, or are you going to pay later? An incident response team offers various services under a retainer even if you never invoke it, so you have the right security people available whether there is an incident or not. You always get something at the back end.

Embrace the change. If we don’t change, we stagnate, and we can’t stagnate in the security space because we obviously don’t want to get compromised.

Still itching for more IT strategy and tactics? You can find this interview and many more by subscribing to Groovers Talk Tech on Apple Podcasts, Spotify, or here.
