Imagine a large financial institution falling victim to a ransomware incident. Critical databases are compromised and then encrypted, and the breach spreads rapidly across the network. As the IT team scrambles to restore systems and keep services running, the security team must contain the spread and trace the entry point.
Without time for a proper investigation, recovery happens too fast. The systems are back, but the organisation remains exposed because it has failed to fix the underlying problems. The vulnerabilities remain, controls may still be weak, and persistent threats go undetected, all of which leave the organisation open to being exploited again.
Unfortunately, this scenario is all too common. Many organisations rightly establish distinct IT and security roles but overlook the need for these teams to collaborate in a crisis. The result? Silos that leave businesses vulnerable.
In fact, our research found that 31 per cent of IT and security professionals consider collaboration between their IT and security teams “weak,” while 42 per cent say poor coordination increases their exposure to attacks. Worse still, more than a third (40 per cent) report that, despite rising cyber threats, teamwork between IT and security continues to stagnate – or even decline.
It’s important to create a distinction between the teams. For example, security pros must remain focused on protecting systems and networks from unauthorised access, as well as investigating and responding to incidents. Meanwhile, IT should be responsible for maintaining everyday operations – keeping the lights on, so to speak.
However, both functions are critical to resilience. Greater alignment between these teams is crucial.
So, how can businesses foster stronger alignment between IT and security teams – ensuring that when a cyberattack hits, both teams work together seamlessly to minimise disruption and accelerate recovery?
Building the foundations for effective response
When building your incident response strategy, you should start by defining key responsibilities. For IT, this means a focus on remediation and ensuring business continuity. This includes managing the response to system outages, restoring critical infrastructure (when appropriate), resetting authentication tokens and passwords, deleting malicious accounts, and installing software patches. Security teams, meanwhile, should focus on detecting the breach, containing its spread, and identifying the entry point.
Most importantly, teams must agree on policies for governance and incident escalation – and ensure they’re put into practice from the outset. For example, communication is one of the first things to break down in a crisis. That’s why it’s critical to establish communication protocols, and the channels that carry them, in advance, since those channels may themselves have been affected by the attack. How will you talk? How often? What happens when a major decision needs to be made? Do you have a joint workflow for an attack?
Here, documentation is your friend. Start with a living, shared document outlining responsibilities, key contacts, escalation paths, and recovery strategies. This provides the vital foundation needed to move quickly and act methodically, even when emotions are running high.
Developing a ‘shared responsibility model’
Let’s go back to the hypothetical crisis for a moment. Ideally, both teams would have already created a ‘shared responsibility model’. This is a framework that establishes clear, step-by-step procedures for responding to cyberattacks.
As part of this, businesses should consider setting up a Clean Room – an isolated, secure environment where IT and security can jointly run an investigation and remediation without the risk of reinfection. This controlled space would allow teams to analyse the attack, build a timeline, and develop a recovery plan that removes the threat and prevents reinfection.
Once systems are confirmed as clean and data has been recovered, they can be moved to a staging area for testing before being reintroduced into live systems. This may take longer than stakeholders would like, but the cost of improper recovery could ultimately result in systems being hit again and taken down for longer.
Building mutual understanding
One reason IT and security teams end up siloed is the healthy competitiveness that often exists between them. IT wants to innovate, while security wants to lock things down. These teams are made up of brilliant minds. However, faced with the pressure of a crisis, they might hesitate to admit they feel out of control, simmering issues may come to a head, or they may become so fixated on solving the issue that they fail to update others.
To build an effective incident response strategy, identifying a shared vision is essential. Here, leadership should host joint workshops where teams learn more about each other and share ideas about embedding security into system architecture. These sessions should also simulate real-world crises, so that each team is familiar with how their roles intersect during a high-pressure situation and feels comfortable when an actual crisis arises.
Recovering once, not repeatedly
Above all, an effective incident response strategy isn’t just about reducing friction – it’s about building resilience. But how do you assess readiness?
The quick answer is to measure the effectiveness of your shared responsibility model. There are the classic measures, like Mean Time to Detect, Mean Time to Respond, and Mean Time to Remediate to ensure teams are working towards something, but for me, it’s about assessing readiness through structured activities.
By simulating realistic scenarios – whether it’s ransomware incidents or malware attacks – those in leadership positions can directly test and measure the incident response plan so that it becomes an ingrained process. Throw in curveballs when needed, and use these exercises to identify gaps in processes, tools, or communication.
There’s a world of issues to uncover: disconnected tools and systems; a lack of automation that could speed up response times; and excessive documentation requirements (coming from a man who loves a shared doc). But the key takeaway is this: create shared purpose, simplify escalation paths by giving frontline responders clear roles, automate what you can, and ensure communications channels are streamlined and always available.
If you can overcome occupational silos and get security and IT working together, most issues will melt away. And when the next crisis arises, don’t forget the immortal words of Douglas Adams: “Don’t panic.”
James Blake is Vice President of Cyber Resiliency Strategy at Cohesity.