Tips to Improve Incident Response Skills


Summary

Improving incident response skills is all about preparing for unexpected crises that could disrupt your organization. It involves honing strategies like clear communication, practicing under pressure, and ensuring tools and processes are in place to manage and resolve incidents efficiently.

  • Focus on preparation: Develop and regularly update incident response playbooks and ensure your team is trained to follow them under real-world conditions.
  • Communicate clearly: Maintain open, frequent communication during incidents to reduce confusion and ensure alignment across teams and leadership.
  • Simulate real scenarios: Conduct unscheduled, high-pressure exercises to train your team to respond flexibly and effectively in chaotic situations.
Summarized by AI based on LinkedIn member posts
  • Andrew King

    CISO | Chief Information Security Officer | Incident Commander | Cyber Security SME | Global IT Executive | Executes strategies to strengthen security, build high-performing teams, and mitigate risk

    5,865 followers

    After spending the past year leading ransomware incident response, I wanted to share some insights that you should be thinking about in relation to your organization.

    1. Leadership clarity is non-negotiable. Multiple executives giving competing directions doesn't just create confusion - it directly impacts your bottom line. Every minute of misaligned leadership translated into increased recovery costs and extended downtime.
    2. Trust your IR experts. Yes, you know your environment inside and out. But incident response is their expertise. When you hire specialists, let them specialize. I've seen firsthand how second-guessing IR teams can derail recovery efforts.
    3. Master the time paradox. Your success hinges on rapid containment while simultaneously extending threat actor negotiations. If your leadership and IR partnership aren't solid (points 1 & 2), this delicate balance falls apart.
    4. Global password resets are deceptively complex. Every human account, service account, API key, and automated process needs rotation. Without robust asset management and IAM programs, this becomes a nightmare. You will discover dependencies that you didn't even know existed.
    5. Visibility isn't just nice-to-have - it's survival. Modern security tools that provide comprehensive visibility across your environment aren't a luxury. This week reinforced that every blind spot extends your recovery time exponentially.
    6. Data gaps become permanent mysteries. Without proper logging and monitoring, you might never uncover the initial access vector. It's sobering to realize that lack of visibility today means questions that can never be answered tomorrow.
    7. Backup investment is incident insurance. Organizations regularly lose millions that could have been prevented with proper backup strategies. If you think good backups are expensive, wait until you see the cost of not having them.
    8. Protect your team from burnout. Bring in additional help immediately - don't wait. Your core team needs to be there for the rebuild after the incident, and running them into the ground during response isn't worth it. Spending money on staff augmentation isn't just about handling the immediate crisis - it's about maintaining the institutional knowledge and expertise you'll need for recovery.

    Remember: the incident ends, but your team's journey continues long after. #Cybersecurity #IncidentResponse #CISO #RansomwareResponse #SecurityLeadership

  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO

    12,663 followers

    Incident response tabletops and free throw practice...

    I still remember my high school basketball coach making us shoot free throws at the worst possible time... you know, right after full-court sprints, dripping with sweat, legs like jelly, heart pounding in our ears. Why? Because that's what the game demanded. You don't shoot free throws in a vacuum. They happen after you've been bodying up defenders, sprinting in transition, making split-second decisions and often after a bad call or a costly turnover. You're not fresh. You're not focused. You're human. And the shot still counts.

    Now think about the last time your organization ran an incident response tabletop exercise. Let me guess... it was scheduled weeks in advance, everyone showed up with a coffee and a charged laptop, ready to "war game" the scenario in a controlled, distraction-free environment. That's not how incidents work. Just like those free throws in the fourth quarter, real incidents hit when you're tired, stressed, and juggling a dozen priorities. You're mid-release. The lead engineer is out sick. Legal is in a negotiation. The chaos isn't the exception, it's the context.

    But we practice incident response like it's a boardroom drill. That's a mismatch. It's like practicing clutch free throws in a quiet gym after yoga. You might look great in training, but the game will break you.

    What if we rethought tabletops the way my coach rethought free throw practice?

      • Surprise timing: Don't schedule it. Drop the scenario into Slack during a sprint review. Or in the middle of the monthly all-hands. Or when the entire team is at the RSA conference...
      • Inject fatigue: Run it during the tail-end of a product launch cycle. Make the team context-switch from a real-world task.
      • Create tension: Add distractions. Make people use the actual comms channels they'd rely on.
      • Introduce uncertainty: some information is incomplete; some actors go silent.
      • Track response time, decision quality, communication clarity.
      • Debrief like you just lost the game on a blown play.

    From my experience, practicing under pressure builds muscle memory. The goal isn't to simulate a perfect response, it's to train the reflexes, the communication patterns, the trust in each other when things are at their worst. That's what makes the best teams win under pressure.

    So, the next time you're planning an IR tabletop, ask yourself... Are we shooting free throws after wind sprints? Or are we fooling ourselves into thinking that calm, quiet practice will prepare us for the real game? #ciso #IR #basketball #tabletop

  • Karan Dwivedi

    Security Engineering @ Google | Upskilling cyber professionals by providing the “missing” cybersecurity training

    15,946 followers

    I was part of the largest data breach in history. Here are 10 things I learned personally:

    (Context: I was one of the few security engineers who helped respond to the largest data breach announced at Yahoo, back in the 2016 timeframe, with over a billion accounts affected.)

    1) Automation: Collect and analyze evidence as fast as possible, ideally automatically; this saves you days or weeks. Spend time building automation.
    2) Playbooks: Well-tested processes are a lifesaver, especially under pressure. Remember to update your playbooks.
    3) Communication: This is vital in case of incidents, especially having backup channels. Test these in advance; don't wait for incidents to set these up.
    4) Teamwork: I loved working with my team. Find each other's strengths and weaknesses and assign work accordingly.
    5) Coordination: Coordinate across the company with stakeholders, legal, PR, management, etc. Keep people in the loop as necessary.
    6) Expertise: Expertise in digital forensics, systems, incident response and the law shines.
    7) Calmness: It takes skill to remain calm and respond when things are on fire. This has become second nature to me now.
    8) Privacy: These are my learnings, but as you can imagine, I cannot and do not share any sensitive, confidential or private information about this incident.
    9) Luck: I was extremely lucky to learn from people and have opportunities to respond at such large scale.
    10) Continuous improvement: Seek continuous improvement in your processes, automation, skills and communication.

    What have you learned from data breaches and incidents?

    P.S. If you found this helpful, hit that Follow button for more cybersecurity insights! I post weekly content that helps professionals in the field. Plus, I mentor folks one-on-one. Check out the link in my profile to book a session! #Cybersecurity #CybersecurityMentorship

  • Ashley VanderWel

    Here to help you level up your career | Ex-Amazon | The Farmers Dog | Follow for Career, Leadership, Engineering, Personal Growth, and Interviewing Tips

    7,091 followers

    Crisis doesn't create leaders—it reveals them.

    When everything's on fire, the best leaders don't just fix the problem—they manage the panic. My years as an engineer and manager at Amazon taught me a thing or two (or a million?) about how to stay calm during high severity incidents. Here's how to keep your cool when it feels like things are on fire:

    1. Focus on Facts, Not Fear: Ground decisions in data and resist the urge to react emotionally. Emotional reactions add fuel to the fire—facts will guide you out.
    2. Communicate Clearly & Frequently: In times of crisis, silence breeds confusion. Keep your team updated with short, actionable updates to maintain clarity. Include timelines, customer impact, and next steps.
    3. Prioritize Ruthlessly: Not everything can be solved at once. Identify the biggest impact areas and tackle them first. Write out a list of questions you need to answer, prioritize based on impact, and start from the top.
    4. Delegate: Don't hesitate to engage and bring in additional support. Trust your team to handle key pieces of the incident. High-pressure moments are when autonomy shines.

    Leading through high-severity incidents isn't just about technical expertise—it's about maintaining composure under pressure. Calm leadership inspires trust, clarity, and results. Stay calm, lead strong, and watch your team follow suit.

    Question: How do you think about leading through stressful times? Tell me in the comments.

    Repost and share these leadership tips. Follow me, Ashley VanderWel, for more. Book an anonymous coaching session.
