Securing business data

White Paper Article

Whitepaper: Best Practices for Developing a Cyber Security Playbook

by User Not Found | 01 Sep 2017

by Paul Rose, CTO, CNS Group

Introduction to Cyber Security Playbooks

The majority of organisations plan for fires, floods, and other  incident that impact business resilience and careful planning for a cyber security incident shouldn’t be any different. Developing a Cyber Security Playbook, or Security Playbook, is one way to ensure all members of an organisation have a clear understanding of their roles and responsibilities regarding cyber security – before, during and after a security incident.

A Security Playbook also defines the Crisis Communications Team (CCT) and establishes the contact liaison between the board and the rest of the organisation.

Once the team has been put in place and is aware of their roles, key action steps as a result of a cyber security incident also need to be put in place. These will include:

  • Incident detection; notification, analysis and forensics

  • Response actions; containment, remediation and restoration

  • Communication; understand the lessons learned and manage media relations

There is no one-size fits all approach to Security Playbooks. Before defining the strategy right for your organisation, you should first have a clear understanding of what data is most important to protect.

Before an incident 

Crisis Communication Team

The CCT needs to be put in place prior to an incident occurring. Various levels of personnel and departments need to be involved to ensure company-wide understanding and participation. The team should include:


  • IT department

  • Media/PR

  • Legal counsel

  • Others

Incident response plan

Following the establishment of the CCT, an incident response plan needs to be implemented, including a step by step guide of key actions to be taken in the wake of an incident. Investing in a response plan and employee training is a worthwhile investment, which helps to improve your organisation’s Cyber Security Maturity. Practice drills and exercises are key, so that when an incident occurs, everyone is aware of the role they play and the impact can be minimised.

During an incident

As soon as an incident occurs, the incident response plan needs to be put into play. The goal is to handle the incident in a way that limits both damage and impact, both financially and to the reputation of the organisation. The CCT need to be communicating with the entire organisation, top-level down, so everyone is aware of what they need to be doing. The lessons and best practices learned from the drills and mitigation tactics from red team exercises need to be implemented.

The quicker and more effectively your reaction, the better the likelihood you have of reducing the impact and cost to the organisation.

After an incident

As the remediation element of the incident response reaches its final stages, damage control needs to begin. There will undoubtedly be consequences as a result of what’s happened, whether the impact is financial or reputational, this needs to be planned for and addressed in the right way for each business.

Once you’ve survived an incident, it’s time to review how successful the incident response strategy was. Weaknesses in the equipment, systems and procedures need to be addressed to determine where improvements need to be made. Use what has happened as a lesson and learn from mistakes. Determine key areas of investment and look at where you can improve your Cyber Security Maturity levels.

Lastly, remain vigilant. Another incident, whatever the type, is going to occur. The most important thing is to ensure your organisation is as prepared as possible to handle it.

Read the full paper: Whitepaper: Best Practices for Developing a Cyber Security Playbook

To find out how CNS Group can help your organisation to develop and implement a Cyber Security Playbook, or Incident Response Plan, click here.

call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere