At Vanta, our goal is to nurture a positive security culture in everything we do—which is especially critical given that helping our customers improve their security and compliance posture starts with our own. Employees are the key to our security resilience, so we strive to build and support a strong culture of incident response in tandem.
Here’s what that means to us at Vanta:
To build and cultivate an active culture of incident response, let’s start with designing the program. First, you’ll want to think about your tooling (hint: we use incident.io!). Another critical component is recruiting, training, and supporting teammates who can help lead incidents—it’s helpful to mix both brand-new folks who bring new perspectives and long-time incident commanders who bring a wealth of past experience.
This includes deciding and documenting what it means to be an incident commander. Help your incident commanders understand their role and ensure they’re consistent with a clear list of responsibilities and playbooks. It also helps to build out a lightweight training program for your incident commanders—including resources, timelines, expectations, and a structure for shadowing and reverse-shadowing to ensure they have feedback mechanisms built in before they’re ready to operate solo.
To foster an environment where your incident commanders are motivated to help mature your program, invite them to contribute feedback, whether asynchronously or through quick debriefs when needed. This supports a healthy environment where anyone can contribute their feedback, knowledge, and perspectives regardless of role or seniority. Examples of contributions could include things like refining severity levels and criteria, proposing revised steps, and streamlining processes.
When structuring rotations, keep an eye on the overall energy and scalability of your incident responders; after all, they have quite a bit on their plates already. As you grow and scale your rotation, assess your overall bench strength. Consider training new incident commanders, supporting existing team members, and potentially even designing tiers of responders who can serve as back-up to one another and be paged for incidents of different severities, domains, and levels of complexity.
Next, let’s talk about the launch phase for your program. Keep in mind that culture isn’t built overnight with only one action or communication. Nurturing strong cultures of security and incident response requires motivating and enabling your employees with every policy, communication, behavior, and interaction they have with your security and incident response teams.
Here are our suggestions for how to approach this:
Incidents can be stressful, so it helps to view incident response as a company muscle to exercise and strengthen over time. To know what to improve, we suggest measuring your overall incident response culture in ways that are meaningful to your organization. To check whether employees know how to report a potential incident, start by looking at the number of internal searches, hits, and keywords for incident response documentation, such as in a centralized wiki or hub.
To understand your current culture around filing incidents, look at incidents filed by severity level and any patterns with incident reporting—such as where incidents were filed and by which teams and orgs. For instance, how many filed incidents were closed as a false positive? If that number is zero, it may be a symptom that your employees aren't erring on the side of filing when in doubt.
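One way to turn these filing patterns into numbers, as an added example that is not Vanta's or incident.io's own tooling: it summarises a constructed incident log by severity and team, computes each team's false-positive closure rate, and flags teams that filed incidents but never had one closed as a false positive (the "zero false positives" symptom above). The `Incident` record shape and the sample data are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Incident:
    # Assumed record shape; a real export from your incident tool will differ.
    team: str
    severity: str
    closed_as_false_positive: bool


# Constructed sample incident log, not real data.
SAMPLE_INCIDENTS = [
    Incident("platform", "sev2", False),
    Incident("platform", "sev3", True),
    Incident("platform", "sev3", False),
    Incident("security", "sev1", False),
    Incident("security", "sev3", True),
    Incident("data", "sev3", False),
    Incident("data", "sev3", False),
]


def reporting_metrics(incidents):
    """Summarise filing patterns: counts by severity and by team, the
    false-positive closure rate per team, and the list of teams that filed
    incidents but never had one closed as a false positive. A zero
    false-positive count is treated as a signal that people may not be
    erring on the side of filing when in doubt."""
    by_severity = Counter(i.severity for i in incidents)
    by_team = Counter(i.team for i in incidents)
    fp_by_team = Counter(i.team for i in incidents if i.closed_as_false_positive)
    fp_rate = {team: fp_by_team[team] / n for team, n in by_team.items()}
    never_false_positive = sorted(t for t in by_team if fp_by_team[t] == 0)
    return {
        "total": len(incidents),
        "by_severity": dict(by_severity),
        "by_team": dict(by_team),
        "false_positive_rate_by_team": fp_rate,
        "teams_with_zero_false_positives": never_false_positive,
    }


if __name__ == "__main__":
    for key, value in reporting_metrics(SAMPLE_INCIDENTS).items():
        print(key, value)
```

Teams in the flagged list are a prompt for a conversation about reporting norms, not a finding on their own; a team with very few incidents can legitimately have zero false positives.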
And lastly, to help foster an environment where all employees can share their feedback, take a look at their questions, suggestions, and feedback around incident response for the depth of their engagement, the percentage of suggestions that have been implemented, and more. A lightweight internal survey can also help reveal shared observations and actionable recommendations for your overall program.
To close, remember that building a culture of incident response, like security, takes ongoing support and investment—we’re never quite finished, and we’ll continue learning from one another along the way.