Editor's note: This article is part of The Water Cooler, a recurring column for technology executives to digest, discuss and debate.
Organizations that survive the impacts of a cybersecurity attack are those that have plans in place long before an attacker can breach the cyber walls.
Assessing the nature of their organization, the criticality of their processes and the resources at hand, leaders craft together response plans ahead of time so that the company can restore systems and data as soon as possible. If they fail to do so, the consequences can be immense.
Aside from operational downtime, the cost of disruption drives businesses to seek quick remediation. Multi-party ripple attacks cost businesses $432,000 on average, but some recovery costs can reach over $163 million, according to estimates from RiskRecon and the Cyentia Institute. Ransomware attacks deliver significant losses for two-thirds of impacted businesses, and cyber insurance does not always cover the costs, another study found.
But every recovery plan has to start somewhere. Who is the very first phone call to? Who should be informed of what, and when? Is there an emergency procedure that should be started as soon as possible?
We reached out to four IT execs who shared the very first step in their incident response plans.
(The comments below have been lightly edited for length and clarity.)
Scott Howitt, SVP, Chief Information Officer at McAfee
"Reliance on framework-checkbox planning in a vacuum isn't sufficient to prepare you for what may come to pass."
Too often, CISOs pull out a framework and develop their plan based on that framework without engaging with their CFO, chief risk officer and business process leaders. It becomes a checkbox-compliance type of exercise when they really should be working to understand the key drivers of revenue within their organizations and focusing on how they can be protected.
For instance, an organization's leading stakeholders may not understand that a ransomware attack could take down their systems and then halt the flow of revenues critical to their business. Success in incident management during an attack could come down simply to how successful you are in engaging and educating them so that they do understand.
If you're in an industry like healthcare that is heavily reliant on IoT to treat patients, a data security issue can become even more of a life safety issue. If I'm worried about life safety issues, I want to have incident response planning conversations with business process stakeholders, the legal department and even the board.
Every business should be having its own version of these discussions because the reliance on framework-checkbox planning in a vacuum isn't sufficient to prepare you for what may come to pass.
Chris Campbell, CIO at DeVry University
"This first step in your first incident response plan must take into consideration alignment among your leadership team."
In an effective incident response plan, the first step occurs before the incident ever happens. Preparation is and must be a priority when it comes to navigating cybersecurity attacks. Being prepared for what might (and probably will) happen is the best thing cybersecurity professionals can do.
At DeVry University, we've shifted our focus from containment of the attack to being prepared before the attack ever happens — having the right systems, personnel, and strategies in place. Each step of your incident response plan — identify, contain, and recover — is important. However, with the level of sophistication of cybercriminals, it is becoming more and more difficult to identify the event in the first place, requiring a heavier focus on preparation.
This first step in your first incident response plan must take into consideration alignment among your leadership team. You need to know the three W's: who, what, and where. Who is in charge and who will do what in the event of a cybersecurity attack?
Ariel Assaraf, CEO at Coralogix
"The first step for an incident response plan is defining the responsibility model in your organization."
The first step for an incident response plan is defining the responsibility model in your organization. For example, who are the focal points for each area of our system? Do we have a dedicated incident response team, or an on-call rotation for the entire engineering team? What SLA do we require per incident level?
Once that is in place, you can start thinking about building the right runbook standard, incident data flow and collaboration model, escalation levels, and customer communication when needed.
Reza Morakabati, CIO at Commvault
"Incident leaders, identified prior to an actual incident, must establish secure and reliable communication paths with the operations leads who are investigating and collecting data."
The critical first step in an incident is to establish a formal command and control structure to govern information gathering and sharing. This step involves quick action, teamwork, analysis and transparency. Core team members should include the information security lead, business continuity and disaster recovery lead or leads, IT operations leaders and engineering operations leaders.
Incident leaders, identified prior to an actual incident, must establish secure and reliable communication paths with the operations leads who are investigating and collecting data. Operations leads must already have the tool sets they need to communicate, and should begin using them to share information in real time.
The information security lead needs to assess severity collectively with the teams, based on scope of impact, and establish executive level communications on scope, severity, actions, and coordination of a companywide response, if needed.