Security Operations, Business resilience

With the right approach to incident management, organizations can achieve the agility and resilience they need to best prepare for and withstand disruption.

A senior executive is traveling from New York to Paris to attend a conference. A power outage disrupts a manufacturer’s operations. A cyber attack exposes a retailer’s confidential customer data. These are just a few examples of the myriad risks and events enterprises face in today’s complex threat landscape. Whether a minor incident, massive crisis or something in between, without an effective incident management strategy, organizations are at risk of facing business disruption, which can impact their people and assets.

Here, we outline five best practices for incident management that are vital in ensuring organizations can prevent, mitigate and quickly recover from risks and events. 

No. 1: Plan and prepare

This step is critical. When businesses proactively plan for risks and events they are better prepared to manage incidents and take action. Response and recovery times are greatly improved because “the how and what to do,” if and when an incident occurs, have already been defined and agreed upon. 

That requires organizations to develop two key planning components: 1) an incident management framework and 2) an incident response plan. While inextricably linked, there is a distinction between the two. Frameworks outline how to best structure incident response operations, while response plans outline steps to take in the event of an incident. Organizations need to have both as incident management frameworks provide the what and incident response plans provide the how.

Organizations should ensure both their framework and response plan take into account all types of risks, both known and unknown. 

Known risks

These are the risks and events you know are going to—or have a high probability of—happening. Some you know of because your organization has planned them; others are known because they’re an annual or frequent occurrence. For example:

  • Executive travel, large company-wide or customer events hosted on- or off-site
  • Risks tied to seasonal weather like wildfires, winter storms and typhoons
  • Recurring or high-profile occurrences such as presidential elections, the World Economic Forum’s annual Davos meeting, and global sporting events like the FIFA World Cup™ and upcoming 2024 Summer Olympics 
  • Industry-specific risks like smash-and-grab crimes in retail, data breaches in healthcare and financial services and supply chain disruptions in manufacturing

Unknown risks

There will always be unknown risks and unforeseen events with which to contend, but that doesn’t preclude organizations from anticipating and planning for them. Oftentimes, organizations have an inkling as to what could be a potential risk or what type of event might disrupt business operations. For example: 

  • Power outages, mass transportation disruptions, street closures
  • Flight delays and cancellations
  • Natural disasters like earthquakes and extreme weather such as off-season, unexpected wildfires
  • Geopolitical events, especially those that affect employee mobility and disrupt supply chains
  • Financial instability and uncertainty at global or national level
2 Key Components of Incident Response Plans

No. 2: Detect and analyze risks and events

Now that you’ve identified known and unknown risks, and created a framework and plan for how to address them, be sure that you have the talent and tools in place to detect potential threats. Planning—no matter how comprehensive and extensive—can become futile if you’re not able to do so. 

The challenge is how to uncover threats in the time needed, and then quickly determine the potential impact on people, assets, locations and business operations. Leading security operations teams recognize this and, as such, embed the following into their security workflows:

  • Members of the incident response team who know the processes and how to action them
  • Automated risk detection tools and technology to increase threat visibility
  • Risk detection tech that alerts on threats and events in real time, accelerating responses
  • Geospatial tools and data to understand where risks are occurring and who and what are impacted
Early Warnings January 2022 Hunga Tonga-Hunga Ha`apai Volcano Eruption

No. 3: Communicate and collaborate across functions and the organization

Effective collaboration is critical in incident management. Make sure you and your team  prioritize communication and transparency, and are able to efficiently coordinate response protocols and critical information flows before, during and after an incident.

“Many of the organizations we work with find that using a centralized tool—where collaboration can occur quickly and efficiently—improves their ability to make operational and strategic decisions that protect their employees, business and brand,” said Rob Crowley, Dataminr Senior Director of Strategic Product.

Here, ease of use is crucial. Look for solutions that help you to: 

  • Simplify and digitize your risk management workflows
  • Initiate and manage risk events, including the ability to collaborate in real time across different teams (e.g. HR, cyber intelligence, facilities, executive protection, etc.) and throughout the company
  • Monitor status of all risk events via simple, short summaries
  • View all activities, event details, tasks and alerts in a single space
  • Clarify and assign roles and responsibilities, so every team member knows what they are responsible for at all times
The Importance of Scenario Planning

No. 4: Conduct post-incident evaluation

After an incident, it’s vital to understand how you performed—it helps determine the root cause and helps you to continuously optimize your playbooks and security workflow(s). 

Employ tools that record minute-by-minute activity logs so you can get a full picture of how well an incident was managed, study the do’s and don’ts that emerge, and share analyses with key stakeholders so that you’re more prepared for the next potential risk. This includes identifying which types of incidents are most frequent, or which of your locations are most at risk for smart resource allocation and continuous planning.

The National Institute of Standards and Technology’s (NIST) incident response framework includes key questions that you should ask yourself during the post-incident evaluation:

  • What happened, exactly, across the entire timeline (before and during the incident)?
  • What worked well? What didn’t work as well?
  • Which procedures failed or failed to scale to respond to the incident?
  • Which staff roles worked and were performed appropriately?
  • Were there any mistakes that impeded recovery?
  • What staff actions could be improved?
  • Which policies and procedures could be improved?
  • How could this incident have been avoided?

No. 5: Establish and maintain a strong risk culture

Organizations that have a strong, well-communicated and understood risk culture—one that includes all employees, across all levels and roles—are more likely to have successful incident management programs and practices.

What is Risk Culture

Here are five ways to promote and improve your business’ risk culture, according to RiskOptics:

  • Start from the top down. Leadership must lead by example and demonstrate desired risk-related behaviors and business decisions
  • Develop employee risk awareness training that is required and ongoing
    Increase risk visibility. Ensure employees understand their risk exposure and actions necessary to manage it
  • Align risk performance metrics with incentive systems
  • Evaluate and report progress with quantitative and qualitative metrics

While each organization may approach incident management differently to best meet their needs, the five best practices outlined above—when successfully implemented—will help enhance their existing security workflow and improve security posture. The result: enterprises can better mitigate risks and disruptions, strengthening their overall business resilience.

Learn More

See how organizations like yours use Dataminr Pulse for Corporate Security to effectively manage risks and events in one place—an end-to-end solution that enables security teams to better protect assets and manage disruptions, helping organizations become more resilient against today’s risk landscape. 

August 30, 2023
  • Security Operations
  • Business resilience
  • Corporate Security
  • Insight

Related resources


Dataminr Guide to Cyber-physical Security Convergence

Dive into this comprehensive guide to cyber-physical security convergence with definitions of cyber-physical risks, trends and tips for risk mitigation.


Innovate or Stagnate: Why CSOs Must Embrace an Innovation Mindset

Chief security officers are managing unprecedented levels of disruption—requiring them to not just adapt, but innovate, if they are to effectively safeguard their organization and strengthen resilience.