Why the (US) NIST says your “Technical / Tactical” Cyber Incident Response Plan (CIRP) is now INSUFFICIENT…

Last April (2025), the (US) NIST updated its 800-61 series documentation to Revision 3, which established new standards for CIRPs.

A quick Google search revealed the following: “The NIST [800-61] Revision 3 integrates incident response into broader cybersecurity risk management, emphasizing a strategic, ongoing, and business-aligned approach rather than a standalone technical lifecycle.”

This impacts the majority of CIRPs out there, which are primarily “Technical / Tactical / Forensics” based. If you are a publicly traded company, this is also in line with the recent SEC guidance pertaining to your BOD Cyber Risk Oversight.

If you’re reading this from my website, this is what I mean by “Top Down”, “Risk Based”, & “Business Due Diligence”. If you are one of my many former CIRP clients, you will recognize these have been my guiding principles for my last 10 years writing CIRPs at Secureworks.

So, to the hundreds of you out there who were my previous clients at Secureworks: you are in good shape. This is manifested in your current CIRP as the “Risk Narrative” in Section 3 and the foundation of your CIRP. And if you were publicly traded, we most likely pulled much of that content from your latest Annual Report. This should put you at the same level of consciousness as your BOD. Refer to my post from 2024: https://www.linkedin.com/posts/neal-mccarthy-82a48a5_sec-bod-guidance-for-cisos-activity-7224152647774191616-OQR6

However, there is some bad news: both the 800-61r3 (“R3”) and ISO/IEC 27035-2:2023 have a very deliberate requirement for “Detective” controls to be included in the CIRP. I’ve always resisted this based on my experiences both managing an ISOC and managing Incident Response activities. My rationale has been that there is a distinct difference between Preventive, Detective, and Corrective controls. Obviously there is a “bridge” from the Detective function, which then initiates the Corrective protocol (the CIRP). But Detective specifics like SIEM correlation logic, ISOC runbooks, etc. are typically not captured in your average CIRP. These ISOC activities are daily functions and are significantly different from declaring a cyber incident and getting everybody worked up.

I also recognize that when your BOD performs their cyber risk oversight role (as they said they would in their Annual Report) and asks you to confirm that your IR processes (i.e. your CIRP) are in line with industry frameworks/best practices, you need to have confidence in your affirmative response.

I’ve modified my CIRP to be fully compliant with both 800-61r3 & 27035-2:2023 (Section 6).

If you are a previous client of mine from Secureworks, I have Compliance Matrices for both the R3 & 27035 linking each of their requirements to the CIRP I previously provided you. I also have a handout with the changes you need to make to your CIRP to be compliant. Reach out to me, and I will send those over to you free of charge. Or drop $10K and come to one of the 3-day “Advanced Workshops” I am putting on with Colin Anderson (18-year CISO & 5x [global] CISO100 recipient), and I will update your CIRP while we ‘update’ your CISO skills to succeed in this new era of BOD cyber security oversight.

If you have one of the “standalone technical lifecycle” CIRPs that proliferate across the industry, I can help you.

If you are a “standalone technical lifecycle” CISO, Colin and I can help you.

And if you’re reading this from Europe, this is happening to you soon. We can help you as well.

Thanks for reading this far.

Next Post: The New Era of Board of Director Cybersecurity Oversight