Optimizing Incident Response Through Secure Collaboration


Slow response to cyber threats puts your enterprise at risk. Properly training and integrating application developers through an intelligent technical collaboration platform can transform incident response.

Business and IT leaders know that cybersecurity incidents are a constant threat. But you might not be aware of just how long incident response takes to identify, contain, and remediate a problem.

Nearly two-thirds of enterprises were breached between mid-2021 and mid-2022, and on average, they were breached three times, according to Forrester. They took a median of 27 days to identify and eradicate each attack and 10 more days to recover, at a mean cost of $2.4 million per breach.

With those facts in mind, it makes sense that anyone involved in responding to cyber incidents – or any kind of incident that affects business continuity – wants to narrow the window between event and resolution.

There are two highly effective ways to achieve that goal. The first is by properly training and closely involving your application developers in incident response. The second is by deploying a collaboration platform that’s purpose-built for technical and operational teams. Combined, these strategies accelerate escalations and resolutions, avoid serious costs and business disruptions, and deliver additional business benefits.

Looping in developers early and often

Organizations across industries rely on their application development teams for core technology capabilities and competitive differentiation. Modern, agile software development is built around DevSecOps – the integration of development, security, and operations.

This mindset extends to cyber incident response. Just as security must now be baked into code from Day One, properly trained developers are now integral to recovering from cyberattacks.

After all, incident response often involves remediating software vulnerabilities. Your security pros continually identify threats in your systems and in the broader community. But it’s your developers who patch the vulnerabilities in their code.

As a consequence, it’s imperative that your operations teams collaborate closely with your developers to quickly determine the fastest, most effective ways to respond to emerging incidents and proactively mitigate future issues. That might require changing a configuration or rolling forward a software patch. It might necessitate temporarily shutting down a system or updating code. But if a cyber threat affects software that your enterprise maintains, your developers must be involved early and often.

The value of technical and operational collaboration

The most effective way to involve developers in incident response is through a collaboration platform specifically designed for technical and operational teams. That way, developer contributions aren’t ad hoc but rather become an integral part of incident response workflows.

A purpose-built collaboration platform can become your backbone for building and delivering software, operating and managing software, and responding to cyber incidents. A single platform gives visibility to all stakeholders, from security analysts to developers to the lines of business. The teams involved in incident response understand who’s doing what, and business decision-makers don’t have to wonder what technical teams are spending their time on.

Such visibility transforms incident response from a linear reaction into closed-loop reliability, in which business continuity progressively improves. Without a platform, your people juggle incident response across unstructured, disconnected systems. With a collaboration platform in place, teams have access to the right people, content, and tools in the right context. The result is situational awareness that leads to rapid, positive remediation outcomes.

Réseau de Transport d’Électricité (RTE), the organization that manages France’s power grid, uses such a collaboration platform to respond to outages and other incidents while meeting strict data and access control requirements.

RTE crisis management stakeholders – from technical staff to public relations to customer service – rely on the platform to collaborate on incident response in real time. Incident data remains centralized and protected in the collaboration platform, while operations staff in the field can send and receive notifications directly on their mobile devices. Teams have clear visibility to escalate, swarm on, and resolve incidents quickly and effectively.

Leveraging playbooks for response automation

Playbooks, sets of standardized operating procedures, can also help optimize incident response. The Cybersecurity and Infrastructure Security Agency (CISA), for instance, has issued recommended playbooks to help organizations shape their cyber operations.

Many enterprises maintain such security protocols in spreadsheets and other documents. But that means incident response remains a largely manual process hampered by omissions, human error, and multiple points of failure.

An effective collaboration platform will provide predefined yet customizable playbooks to automate incident response workflows. These built-in checklists guide team members through repeatable processes or take automated actions to achieve predictable outcomes. All stakeholders can see which playbooks are running, who’s responsible for each step, and where they are in the process. As your organization learns from past incidents, you can fine-tune the playbooks to continually improve response.

Working across incident response phases

A purpose-built collaboration platform equips your enterprise to manage incident response across its key phases: monitoring, resolving, and improving.

For monitoring, first use the platform to define metrics for SLOs, SLIs, and SLAs – service-level objectives, indicators, and agreements. Next, incorporate relevant data from security information and event management (SIEM) and access logs to categorize, escalate, and address high-priority issues. Throughout this phase, the platform keeps stakeholders, from developers to business owners, informed through real-time communication.

For resolving, leverage playbooks to automate and accelerate collaboration to address repairs such as temporary system shutdowns, rollbacks of bad releases, patches, and changes to application code or infrastructure. Once you’ve completed the initial repair, perform root-cause analysis in a collaborative manner to drive improvements and avoid similar future incidents.

Finally, to continually improve, leverage the stored conversations and playbook actions to perform a constructive, blameless retrospective. By replaying incidents and reviewing timestamped activities, you identify what worked well and what did not. These learnings enable you to fine-tune roles, playbooks, and communication to improve future responses and stay ahead of threats.

Collaboration and technical talent

A technical and operational collaboration platform doesn’t just allow your enterprise to benefit from developer contributions to incident response. It also can help you attract and retain developer talent.

We recently surveyed more than 300 developers and technical team members on how they collaborate. Participants said their two toughest challenges were fragmented information (46% of respondents) and lack of tool integrations (45%). Their biggest productivity blockers were poor communication (29%) and lack of alignment around goals (22%).

Such collaboration disconnects can result in job dissatisfaction and workplace disengagement – major deterrents to your ability to attract and retain top talent. But with a collaboration platform, you gain clarity, speed, and efficiency that enable your technical teams to complete tasks faster and stay focused on satisfying work.

Ultimately, clarity, speed, and efficiency are the factors that empower your enterprise to achieve a successful incident response. Clarity lets all stakeholders know who’s in charge, who needs to be kept in the loop, and whether teams are meeting SLAs for remediation and recovery.

Speed is crucial because, in the face of a cyber threat or other disruption, you need to act fast to minimize any damage. That starts with instant alerts to team members and continues with automated playbooks that reduce manual steps and errors.

Finally, efficiency results from executing the best response to each incident. A collaboration platform equips the right developers and technical teams to take the right actions at the right times. They can make their contributions predictably, drive toward a common goal, successfully resolve the incident – and then get back to creating the software that runs your business.

Corey Hulen

About Corey Hulen

Corey Hulen is the CTO and Co-Founder of Mattermost, Inc. He previously founded Tempo AI, an artificial intelligence startup that originated at the Stanford Research Institute, where he served as an Entrepreneur-in-Residence. Tempo AI raised funding from Sierra Ventures and Relay Ventures and released a popular mobile smart calendaring virtual assistant before being bought by Salesforce. Earlier in his career, Corey served as engineering manager and architect for Microsoft Office in its enterprise software business across the SharePoint and Business Intelligence product lines. He was also an architect for VerticalNet, a publicly traded enterprise software company providing supply chain management solutions for the Global 2000. Corey is a graduate of California Polytechnic State University.
