Gartner Blog Network

On Importance of Incident Response

by Anton Chuvakin  |  July 15, 2013  |  5 Comments

“Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.” (“Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence”)

Why do we say stuff like this?

Why do we say that, particularly, in a document about the future?

Why is the past also full of experts preaching, evangelizing, whining about the importance of quality incident response since… 1991 or so?

As a side note, NIST 800-3 “Establishing a Computer Security Incident Response Capability” was published in 1991 – you’d be able to find plenty of 2013-ready advice there [NIST does have a modern document on IR, 800-61rev2, that you should also check out when planning your incident response. 800-86 is another related background read].

All of this happens since organizations pay nowhere near enough attention to security incident response (IR). Thus, this is my short motivational post about the topic – I promise to keep it short so that I can focus on substance, not motivations.


  1. Prevention FAILS: just look at anti-virus tools and contrast their 99%+ deployment rates with known ongoing malware infection rates.
  2. Detection FAILS: just look at the Verizon breach investigations report (where most of the incidents are not detected internally, ever or for years).
  3. What remains? INCIDENT RESPONSE!

Thus, IR is something that simply has to be there since this is where things will fall after all else fails – and fail it will (well, ideally, detection will work and you get to declare an incident on your own terms). Despite all the overwhelming evidence to the contrary, I still see organizations that think of preventative controls (firewalls, AV/EPP, WAF, etc.) as “real” security measures, while monitoring, detective and response tools and practices are labeled “second class citizens.” Apart from saying that it is UTTERLY INSANE, what else can I add to motivate you to seriously focus on your incident response tools and practices?

Maybe the fact that companies that are “ahead of the curve” in security are doing it, while the laggards are barely waking up to it? What makes laggards not pay attention to IR? Obviously, heavy reliance on luck in their security planning is a contributing factor. Not paying attention to detection means they never even know they are having an incident that they need to respond to. Some think they are being “proactive” by their exclusive focus on preventative measures (in reality, this is being stupid, not being proactive).

By the way, you can be “proactive” and still focus on incident response: build more visibility (into traditional and cloud environments), get better at using incident response tools and refine your response practices.

What is one thing you can do to move up from the very bottom? Create a reasonable (= not blindly copied off some website!) incident response plan! After all, some early research indicates that unplanned incidents end up being much more expensive than those you planned for….

There you have it – get motivated and make your incident response practices and tools better!


Category: incident-response  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on On Importance of Incident Response

  1. Marcelo says:

    Great post. Couldn’t agree more.

  2. Marcelo says:

    Forgot to mention my somewhat old presentation about this same topic: . It’s in Brazilian Portuguese, but may be helpful! 🙂

  3. Thanks for the comment and the materials

  4. […] “You MUST have an incident response plan!!!” Thus screamed plenty of security incident response guidance, including some of my own. […]

  5. Dina says:

    Great Post!!! (As usual)
