The Differing Layers of Cyber Incident Management

September 08, 2025 • Resource
Posted by
Jay Banerji, DFIR Director

Cyber incident management is a specialised function of crisis management. As such, we look to existing frameworks for crisis management to help break down the layers of decision making required in a cyber incident. This article explores the distinct roles and responsibilities of operational teams, executive management, and the board during a cyber incident. The goal is to ensure coordinated, risk-informed responses that protect business continuity and stakeholder trust.

  1. Operational Layer: The CSIRT/CRT Role
    1. Team Composition
    2. Key Responsibilities
  2. Executive/Management Layer: The CMT/CIMT Role
    1. Decision-Making Focus
    2. Stakeholder Engagement
  3. Board Layer: Strategic Oversight
    1. High-Impact Decisions
    2. Governance Under Pressure
  4. How to Brief the Board During a Cyber Incident

Operational: The CSIRT/CRT Role

The operational team consists of the leaders involved in implementing technical changes, often including representatives from IT functions such as network, system administration, helpdesk, application, and of course security. It may also include team members from other areas, should a cyber incident have an operational impact on them. For example, you may wish to include representatives from the finance department as part of the operational team in the event a cyber incident causes an outage of finance systems.

The operational team is often referred to as the CSIRT (Cyber Security Incident Response Team) or CRT (Crisis Response Team).

The key focus for the operational team includes:
- Using detailed technical understanding of systems and processes to recommend solutions for containment, remediation, recovery, etc. to the management/executive team, including listing the pros and cons of each option put forward
- Implementation and oversight of technical changes and actions made to address a cyber security incident, including the relevant change control processes, testing, and monitoring
- Enacting business continuity processes to maintain function as best as possible during a crisis

Executive/Management: The CMT/CIMT Role

The executive or management team consists of the organizational decision makers who are primarily concerned with risk, best thought of in terms of the CIA (Confidentiality, Integrity, Availability) triad. It typically consists of department leads who hold responsibility for assessing and making decisions regarding risk pertaining to their particular area. These are usually C-suite level executives, such as the CISO (Chief Information Security Officer), CSO (Chief Strategy Officer), CFO (Chief Financial Officer), CLO (Chief Legal Officer), CTO (Chief Technology Officer), CPO (Chief People Officer), CEO (Chief Executive Officer) or their equivalents.

The executive/management team is often referred to as the CMT (Crisis Management Team) or CIMT (Cyber Incident Management Team).

The key focus for the executive/management team includes:
- Considering the recommendations of the operational team and translating these into actionable risk-based decisions for the overall business
- Making the relevant risk decisions as they pertain to the crisis, and making recommendations to the Board for those decisions which may have a significant impact on the state of the business
- Managing the relevant stakeholder relationships with clients, vendors, regulators, and partner organisations during the crisis

Board: Strategic Oversight

The Board's role in a cyber incident is, as a function, no different to the standard role of the Board; however, the timeframes in which consultation and decisions are to be made are greatly reduced. As an advisory group, the Board may consist of many different parties with different specialisations; however, standard decision-making protocol (i.e. decision-making quorums) should be adhered to as best as possible, with logistical support to ensure decisions can be made in the tighter timeframes.

The key focus for the board includes:
- Decision making for matters which will have a substantial impact on the overall health and continuity of the business, such as consideration of a ransom payment, or drastic remediation actions that may result in substantial downtime
- Considering the recommendations of the executive/management team, and translating these into impartial decisions made for the overall benefit of the business

How to Brief the Board During a Cyber Incident

When briefing the Board, the goal is to enable informed, risk-aware decision-making under pressure. Here’s an example of how to structure an effective briefing:

  1. Start with a concise situational overview
    • What happened?
    • When was it detected?
    • What systems or data are affected?
    • Is the incident contained?
  2. Outline the business impact
    • Which services or operations are disrupted?
    • Are there legal, regulatory, or contractual implications?
    • What is the potential reputational fallout?
  3. Present response options and risk trade-offs
    • Include input from the executive/management team (CMT/CIMT).
    • Highlight any decisions that require Board approval (e.g. threat actor engagement, public disclosure, major shutdowns).
    • Provide a clear recommendation with rationale.
  4. Clarify governance and compliance considerations
    • Note any mandatory notifications or regulator engagements either already underway, or likely as a result of this incident.
  5. Define next steps and decision timelines
    • What decisions are needed now?
    • What will be revisited in the next 24–48 hours?
    • When is the next Board update scheduled?

Effective cyber incident management hinges on clearly defined roles, timely decision-making, and seamless coordination across operational, executive, and board levels. Each layer, from the hands-on technical response of the CSIRT, to the risk-based decisions of the executive team, to the strategic oversight of the Board, plays a vital role in safeguarding the organisation’s cyber resilience. By aligning these layers within a structured crisis management framework, organisations can respond with clarity, minimise disruption, and maintain trust with stakeholders during high-pressure cyber incidents.

If you would like to discuss how we can prepare your board or your entire organisation for a cyber incident, book a session with our DFIR Director.
