Computer security incident responders can be found in large corporations and small businesses alike. They are needed in government entities and non-profits. They can be an integral part of an in-house security team or an independent consultant. Regardless of the organization, the incident responder, first and foremost, provides the first line of defense after an attack is suspected or has been detected.
Just as police and firefighters respond to immediate physical threats, the incident responder answers the call from computer defensive systems and wields the digital tools of a computer forensic analyst. They quickly respond to neutralize the immediate threat, bring order and control to the situation, and document the crisis for attribution and possible legal prosecution.
Like their physical security counterparts, incident responders often work irregular hours during a security incident and immediately afterward while providing investigative services. Individuals seeking a career in this specialty should expect occasional long and unpredictable working periods, which are typically compensated by flex-time rules afterward.
Steps to becoming a computer security incident responder
As with most cybersecurity careers, there are multiple paths leading to the same position. Some general rules, however, apply universally. The job of an incident responder is rarely, if ever, an entry-level position.
At a minimum, employers will want a candidate to have worked several years as part of a security team in an organization similar to theirs. Familiarity and experience with security principles as well as defensive strategies, tactics, and methods comprise the entry point. Formal education requirements will vary widely from employer to employer. For those employers that generally value professional certifications, the same will apply for this role.
It is important to note that government entities and government contractors will often require that computer security incident responders obtain a security clearance.
1. Education: While not always required, suggested education for someone seeking employment as a computer security incident responder includes obtaining one of the following college degrees: a BS in computer science, a BS in cybersecurity, or a BS in information technology. A master’s degree in one of these disciplines will further enhance career opportunities.
2. Career path: Common career paths include two to three years working as a computer security expert, security administrator, network administrator, or system administrator. Depending on the specific needs of an employer and the vertical in which it operates, other work experience, such as forensic examination or even offensive security, may be expected.
3. Professional certifications: A host of professional certifications exist that demonstrate the skills and knowledge necessary for success as an incident responder. Each employer will likely value these certs differently. They include:
- CERT-Certified Computer Security Incident Handler (CERT-CSIH)
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Cisco Certified Network Associate (CCNA)
- Certified Computer Examiner (CCE)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Intrusion Analyst (GCIA)
- Certified Computer Forensics Examiner (CCFE)
- Certified Penetration Tester (CPT)
- Certified Reverse Engineering Analyst (CREA)
4. Experience: Work as an incident responder generally requires prior experience in computer investigations or computer forensics. Experience with computer forensic tools is desirable. Work experience that demonstrates an ability to write concise, easy-to-read technical reports is a common requirement.
What is a computer security incident responder?
The computer security incident responder is the key role within an organization’s Computer Security Incident Response Team (CSIRT). This role is akin to that of any first responder. In the case of the CSIRT, they are the first to respond to a cybersecurity incident.
These incidents may, or may not, be actual cybersecurity breaches. Making that determination is a primary function of the team. A host of cyber detection tools monitor traffic and behavior patterns related to digital systems and assets. When an anomaly is detected and reported by these tools, it is the job of the incident responder to quickly make an initial determination regarding the potential threat, conduct an investigation to confirm or revise that initial determination, and work to identify and mitigate any actual threat that may exist.
The role of an incident responder is reactive in nature and can be very fast-paced during a security event. The urgency to identify and appropriately respond to what can sometimes be a virtual flood of automated alerts demands a person capable of working calmly in a high-pressure environment. After the initial attack has been identified and contained, it is the job of the incident responder to provide investigative services. These services deliver the details that security and development teams need in order to implement security controls that will prevent a similar attack in the future.
Computer security incident responder skills and experience
The specific skills required by any given employer will be largely dependent on the operating systems used, the systems architecture, and other factors unique to that employer. Generally, the ability to demonstrate skills related to computer investigations and forensics will be needed. Familiarity with industry-standard forensic tools is important.
Communications skills, both verbal — in the midst of a high-pressure event — and written are critical. Written communication skills must include an ability to translate highly technical details into easily understood reports. Management teams and even law enforcement rely on reports from incident responders to gain a clear and accurate understanding of the situation.
Skills related to understanding legacy as well as cutting-edge attack vectors are essential. Other desirable skills include:
- Windows, UNIX and Linux operating systems
- Ability to code using C, C++, C#, Java, assembly (ASM), PHP, and Perl
- TCP/IP-based network communications
- Computer hardware and software systems
- Operating system installation, patching, and configuration
- Backup and archiving technologies
- Web-based application security
- eDiscovery tools (NUIX, Relativity, Clearwell, and others)
- Forensic software applications (e.g. EnCase, FTK, Cellebrite, XRY, and more)
- Enterprise system monitoring tools and SIEMs
- Cloud computing
What do computer security incident responders do?
Often working within the security operations center (SOC), the primary responsibility of an incident responder is to rapidly investigate and document cybersecurity incidents within an organization. Once a possible incident has been identified through either automated or manual tools, the incident responder is tasked with investigating the event and mitigating potential damage. As a member of the CSIRT, the incident responder works closely with the enterprise’s security organization to categorize and classify attack methods and intended payloads, supporting the effort to build in protection against similar incidents in the future.
Often called a CSIRT engineer or intrusion analyst, the incident responder uses various computer forensic tools to examine and analyze a myriad of digital anomalies that could potentially lead to the discovery of an attempted breach or the existence of an advanced persistent threat within the organization’s systems. They work as part of a cybersecurity investigative team.
An incident responder will often be called upon to write reports that document their findings relative to cybersecurity investigations. These reports must reflect a technical understanding of the subject incident and yet use language that can be digested by management or other non-technical readers. These reports can, on occasion, be used as evidence in the legal prosecution of hackers. An incident responder may be called upon to testify in court.
Computer security incident responder job description
The following are common tasks expected of an incident responder:
- Respond immediately to possible security breaches
- Be proficient with various computer forensic tools
- Obtain and maintain a security clearance
- Perform well in high-stress environments
- Stay abreast of cutting-edge attack vectors
- Actively monitor systems and networks for intrusions
- Identify security flaws and vulnerabilities
- Perform security audits, network forensics, and penetration testing
- Perform malware analysis and reverse engineering
- Develop a set of response procedures for security problems
- Establish internal and external protocols for communication during security incidents
- Produce detailed incident reports and technical briefs for management, administrators, and end-users
- Liaise with other cybersecurity and risk assessment professionals
Outlook for computer security incident responders
The demand for incident responders is expected to grow significantly in the foreseeable future. According to IDC, cybersecurity will be among the 20 most in-demand IT roles for the next decade. Incident response is one of the fastest-growing career segments within cybersecurity.
While some cybersecurity duties can be automated with new technology, the tasks of an incident responder are not in this class. All indications are that those individuals with the proper experience and skill set are expected to be employable for many years to come.
How much do computer security incident responders make?
The average annual salary for the computer security incident responders researched for this guide is $80,000. This amount will vary depending on location, required duties, education, professional certifications, and industry. An experienced security professional in the San Francisco Bay area can expect to command a salary in the neighborhood of $120,000.
Incident responders often enjoy flex time. As an example, during a security event, an incident responder might need to work two back-to-back 18-hour shifts to deal with the situation. They might then have the rest of the week off.
For large corporations, telecommuting and remote work locations are often offered to enhance the benefits package for incident responders.