Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today.
And this week, I wanted to go into issues that we are having come up quite a bit here, especially recently, a lot of questions from clients, from prospects, even just from partners and other people that ask us about policies and procedures. It's a very sexy subject, so it gets brought up a lot, but really all the things that we're having around incident response management and companies putting together their incident response plans. And this week, this little bit of time that we have together, I want to go through the biggest pitfalls that I'm seeing that are getting everybody hung up so they're not getting plans put together.
And there are tons of ways that you can go about this, but we're going to go into some of the critical things that you need to have together and some of the things that you can put together pretty quickly and have at least a plan, a response plan that will carry you through, God forbid, should things hit the fan. So definitely stay tuned. We're going to go all into that.
Before we do, please click that like, click that subscribe and show us some love. If you haven't subscribed to us, go ahead and click that button wherever you're listening to us at. So let's get into incident response plans.
I don't think it's a mystery that basically every business needs one, and it's actually one of the areas that when we are called in to work with a client, when we are first working with somebody, the incident response plans are a lot of times the catalyst. That's really where they want to start, where they had an incident and they need to get something together. What we see time and time and time again is that there's no incident response plan in place.
And even working with a lot of partners, when we get pulled in, there may be some sort of thought, but it normally just comes down to, we know we need something and we rely on maybe our IT, which there's definitely a lot of good IT partners out there. We know a lot of them. So that's in itself not a horrible strategy, but you definitely need to have something together so you're not trying to put the pieces together when you're experiencing an incident.
Now, I believe where it gets difficult and where things are stagnating is not just with the incident plans, but practically all information security policies is everybody tries to do everything. They try to get it perfect. And as a compliance officer, as much as it pains me to say this, rough is enough.
You can't steer a parked car. So do what you can do in the beginning, get a good foundation or at least a brainstorm, something on a napkin, and then you can build on that. It's much easier to build and improve than it is to create something from scratch.
So as we're taking our clients, as we're working with people through their policies or procedures or plans, I try to remember everybody, remind everybody, rough is enough. Get the core down. Just start getting everything out of your head.
And once you start doing that, more things will flow. But for the most part, get the foundation, get something put together, and then you'll come back and you'll continue to improve on it. Now the core areas of the incident response plan that everybody tries to figure out, and you actually should have all of these, but is your preparation.
And then how are you going to detect? And how are you going to do notifications of incidents and weaknesses? And then what are your steps going to be around containment and assessment and decision? And how are you going to evaluate them? And then how are you going to collect your evidence and manage that? And then what is your response and your recovery process going to look like? How are you going to do all of your external notifications? Identify all of the external parties? And then how are you going to manage your post-op learning, your lessons learned? And don't take this conversation the wrong way. All of that is important. It's all critical, especially if you're going for any certification.
That all needs to be there. These are things you should work through. But don't let what needs to ultimately be there keep you from getting something put together.
So here's where we're going to get into the critical areas, the things that you need to work on. Number one is create what we call an ICERT list. Your Information Security Incident Response Team.
This is going to be if you have nothing else done. If you have no other plans, no other strategies, no other processes, have your list of people that you will reach out to and will help you when you have a data incident. Now ones that we have on here are identifying who that lead person is going to be, the ICERT lead, who's going to be the champion, the quarterback when everything happens.
Identify that. You need to have somebody that's going to be able to direct everybody and keep things moving. You should also identify all of your technology leads, your IT director, all of the main technical personnel.
And if you can, if you've got different people that manage, say, email and manage networks and manage infrastructure, list all of them and have all of their emails and phone numbers. You also want to identify, and just going through a quick list here, this is not exhaustive, but identify a privacy officer who manages the privacy events. Who's going to advise you on that? Who's your HIPAA officer? Any regulatory and compliance advisors? You have legal counsel.
Who's that? Also, identify your local non-emergency law enforcement. What are their numbers? How do you reach out? Identify your local FBI field offices. Who's going to manage public relations? Who's going to talk to external authorities, officers, and such? You don't want that being everybody in your organization.
You want that to be very structured. Who's going to manage the insurance companies? List all of your insurance companies out. Your liability, errors and omissions, cyber, any other insurance that you have.
Make sure you have those policy numbers, everything all together. Who can help you with forensic analysis? A lot of times this will be dictated by your insurance, but it's good to have somebody listed there in case you're not engaging the insurance. And then, even in our policy document, we have other, other, other, other, other.
All of the other important people that, God forbid, it hits the fan, these are the people you're going to call. Now, this is the most important part that you can have because, at the very least, if you have this list and something happens, you can start picking up the phone and saying, what should we do? Tell me the next steps we need to take. And all of these subject matter experts, all of these different resources will be able to help carry you through it.
Now, for those of you that have put plans together or that are deep into compliance or that really understand all of the structure, you're probably screaming right now saying, oh, my God, it's going to be a mess. And I will absolutely agree that this, compared to having a good, structured, tested plan in place, this is going to be clunky. You're going to have a lot of frustration.
You're going to notice a lot of issues where things just aren't getting done quickly. But if you have nothing else but you have this list, you'll at least be able to clunk your way through an incident. You'll be able to have the resources you need to help get you through this.
And if nothing else, after you go through an incident, because you eventually will, this should give you a big list of things of, oh, my God, we need to tighten all these things up. The next thing, if you can put it together, is a communication list. Now, in our policy, we have a communication matrix.
It just lists all those different subject matter experts, basically the people on your ICERT list, your incident response team, and what training do they need. What will they need to be notified of? At what point do we need to bring these people in? What do we need to communicate with them? What do we need to share with them? And then, at initial detection, how do we communicate with these different parties? During the progression, as we're working through it, how do we need to communicate with them? And once we resolve everything, what do we need to communicate? And then, also, identify who's the primary communicator to each of these parties. Now, we have everybody on our ICERT list listed on here, and then we also have external resources.
We have clients. We have suppliers and vendors. And on our matrix, as an example for the clients, they don't really typically get too much notification until we know what's going on and until the end of the incident during the response.
Of course, that all depends on exactly the nature of the incident, the potential privacy impacts. There's a lot to unpack there, but this will help as a next step after you create your list, creating this matrix of who do we talk to? What do we need to communicate with them? Who, what, when, and where? This will help create a much more unified plan, and it is still far away from having structured policies and procedures around each type of incident and doing different types of tests. But these two things right here are monumental.
The final thing, if you can put it together, is we have a little one pager that, one, we can train all of our employees on, but it also makes sure that we have all of our notification channels identified. So, what this identifies is what you need to report, incident, event, weakness. Make sure that you're safe before you do the reporting.
Don't try to report the building fire while you're still in the building. Definitely always remind people of those things. But then have the email that they can report an incident to.
Have a phone number. And if you have a website that you can do the reporting through, also list that as well. You also want to list any secondary or backup reporting channels.
Maybe your primary channel's offline. Maybe you want to be able to offer anonymous reporting capabilities. That's a really good thing to do, especially anywhere that whistleblower considerations are in place.
But if you can, identify those things. What I would also highly recommend doing, and it's its own section on our one pager, is providing people talking points of how to talk to authorities, how to talk to clients, media, anybody that calls in asking about an incident. You don't want your employees telling somebody, I'm sorry, we can't do something right now.
We just had a big data breach. It seems like all of our data got stolen. That's horrible, especially if it's to media, especially if it's to legal.
You want those conversations to be handled by the people that should be having them, typically your PR relations and/or your legal counsel. Identify on your sheet how to handle that, what to say, and how to transfer it and who to transfer it to. Those are, I would say, the three biggest things that you can put together that will get you a pretty solid foundation for your incident response plan.
We can definitely, perhaps in future episodes here, talk about different aspects and taking that even further. But again, don't spin your wheels in the mud trying to get everything together and then not get anything put together. Final point is you also want to make sure to have backups for everything.
So emails, phones, don't rely on a single communication channel because if it goes down because of the incident, you may not be able to reach the people. So that is everything that I have today. Again, can't steer a parked car.
Don't get yourself stuck in the mud. Put together what you can and constantly improve, constantly be better. Thank you for listening and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk.
They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
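Added example, not part of the episode and not Input Output's own policy document: a minimal, machine-checkable skeleton of the three artifacts described above (the ICERT contact list, the communication matrix keyed to initial detection, progression and resolution, and the one-pager's primary and backup reporting channels), with a checker that flags the gaps the episode warns about, such as a role reachable over a single channel or a communicator who is not actually on the team. Every name, phone number, email address, policy number and URL is a constructed placeholder, and two gaps are planted on purpose so the checker has something to report.

```python
# Added example, not from the podcast. Names, phone numbers, email addresses, policy
# numbers and URLs below are constructed placeholders, not real contacts.
from dataclasses import dataclass, field

# The three points at which the communication matrix says who hears what.
PHASES = ("initial_detection", "progression", "resolution")


@dataclass
class Contact:
    """One row of the ICERT list: a role, a person, and how to reach them."""
    role: str
    name: str
    primary: str                                  # first channel to try
    backups: list = field(default_factory=list)   # alternates if the primary is down


@dataclass
class MatrixRow:
    """One row of the communication matrix: who is told, when, and by whom."""
    party: str           # an ICERT role or an external party (clients, vendors, ...)
    notify_at: set       # subset of PHASES
    communicator: str    # ICERT role that owns the conversation with this party


ICERT = [
    Contact("icert_lead", "A. Example (constructed)", "phone:+1-555-0100",
            ["email:lead@example.com", "sms:+1-555-0100"]),
    Contact("it_director", "B. Example (constructed)", "phone:+1-555-0101",
            ["email:it@example.com"]),
    Contact("privacy_officer", "C. Example (constructed)", "email:privacy@example.com",
            ["phone:+1-555-0102"]),
    Contact("legal_counsel", "Example Law LLP (constructed)", "phone:+1-555-0103",
            ["email:counsel@example.com"]),
    Contact("public_relations", "D. Example (constructed)", "phone:+1-555-0104",
            ["email:pr@example.com"]),
    # Deliberate gap: a single channel and no backup, which the checker should flag.
    Contact("cyber_insurance", "Example Insurer, policy PLACEHOLDER-POLICY-NO",
            "phone:+1-555-0110"),
]

MATRIX = [
    MatrixRow("it_director", set(PHASES), "icert_lead"),
    MatrixRow("legal_counsel", set(PHASES), "icert_lead"),
    MatrixRow("cyber_insurance", {"initial_detection", "resolution"}, "icert_lead"),
    MatrixRow("suppliers_vendors", {"progression", "resolution"}, "icert_lead"),
    # Clients hear from PR once the picture is clear, as the episode describes.
    MatrixRow("clients", {"resolution"}, "public_relations"),
    # Deliberate gap: the named communicator is not on the ICERT list above.
    MatrixRow("law_enforcement", {"initial_detection"}, "hipaa_officer"),
]

REPORTING_CHANNELS = {
    "primary": ["email:security@example.com", "phone:+1-555-0199"],
    "backup": ["web:https://example.com/report-incident"],
    "anonymous": ["web:https://example.com/anonymous-report"],
}


def check_plan(icert, matrix, channels):
    """Return the gaps a reviewer would flag; an empty list means the skeleton is consistent."""
    gaps = []
    roles = {c.role for c in icert}
    if "icert_lead" not in roles:
        gaps.append("no icert_lead: nobody is designated to quarterback the response")
    for c in icert:
        if not c.backups:
            gaps.append(f"{c.role}: only one communication channel listed")
    for row in matrix:
        if row.communicator not in roles:
            gaps.append(f"{row.party}: communicator '{row.communicator}' is not on the ICERT list")
        if not row.notify_at:
            gaps.append(f"{row.party}: never notified in any phase")
        for phase in sorted(row.notify_at - set(PHASES)):
            gaps.append(f"{row.party}: unknown phase '{phase}'")
    for kind in ("primary", "backup"):
        if not channels.get(kind):
            gaps.append(f"no {kind} reporting channel on the one-pager")
    return gaps


def who_to_notify(matrix, phase):
    """List (party, communicator) pairs due a notification at the given phase."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase: {phase}")
    return sorted((row.party, row.communicator) for row in matrix if phase in row.notify_at)


if __name__ == "__main__":
    for gap in check_plan(ICERT, MATRIX, REPORTING_CHANNELS):
        print("GAP:", gap)
    for phase in PHASES:
        print(phase, who_to_notify(MATRIX, phase))
```

Run as-is it prints the two planted gaps and, for each phase, the parties due a call and the role that owns that call. The point of keeping the list and matrix as data rather than a document is that the "rough is enough" first draft can be re-checked every time a name, a phone number or an insurer changes, which is where such lists usually go stale.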