Last week, we spoke with industry experts about why every organization needs a solid cybersecurity incident response plan (CIRP). This week, we’re taking it a step further—breaking down the essential steps Managed Service Providers (MSPs) should follow to build a plan that not only responds to incidents but also helps prevent them from escalating in the first place.
Colton De Vos is a marketing specialist at Resolute Technology Solutions, a B2B IT company that helps businesses manage, improve, and secure their workplace technology. De Vos shared some steps and protocols his team has learned from building and testing security incident response plans for their own company and their clients. These include:
- Clearly define team roles and responsibilities. Establishing a cross-functional team is vital to incident response success, tying in members from IT, legal, communications, and other business groups. Then, assign roles such as Incident Response lead, Communication Officer, HR/Legal Head, etc., with specific tasks as laid out in your plan.
- List objectives, scope, and scenarios. Clearly list the goals and objectives within the incident response plan, such as identifying, containing, eradicating, recovering, and documenting security incidents. Identify potential security incidents your business may face and classify them based on severity, impact, and likelihood to occur.
- Document your detection and response methods and communication strategy. Define how incidents will be detected and explored in more detail. This should include the technology, processes, and messaging required at each stage from the initial discovery of the incident, through deeper dive research, and eventually what is reported to each audience.
- Reporting and testing. Always document everything in detail. When an incident occurs, you want to be able to rely on your playbook explicitly. To this end, we always recommend running simulated incident response exercises for various scenarios that may impact your business. It is a good idea to run an exercise scenario for incidents that are most likely to occur and ones that would be most severe to your business.
Communication is a key part of incident response
Brian Keeter, a senior director at APCO Worldwide, a global consultancy and business advisory firm, is on the leadership team for cybersecurity resiliency and offered his thoughts on actionable steps that MSPs can take and implement.
Keeter explains that when a cyber incident occurs, authentic, empathetic, and timely communication with stakeholders is essential to restoring trust and maintaining the organization’s reputation. “Many incident response plans comprehensively address restoring and securing network operations but devote little attention to engaging stakeholders, such as customers, industry partners, board members, investors, and employees,” he states. He also notes that trust and reputation erode rapidly in the absence of authentic, empathetic, and timely communication.
Keeter shares how comprehensive cyber resiliency requires that incident response plans include the following to facilitate effective engagement with stakeholders:
- Decision-making protocols.
- Scenario planning.
- Holding statements for each scenario.
- Talking points for spokespersons and organization leadership.
- Rapid response mechanisms.
- Contact lists segmented by stakeholder groups.
- Media contact lists.
Planning and preparation
Dara Gibson, CEO of Cybersecurity Readiness Advisors, comments that organizations are constantly seeking the most effective incident response plan, and that preparation and planning will create a clear and well-defined process.
Establishing a dedicated cybersecurity incident response team (CIRT) with defined roles and responsibilities will enhance playbooks, plans, and simulations. “To minimize business disruption, organizations must prioritize thorough cybersecurity planning,” says Gibson.
Why MSPs can’t afford to skip a CIRT
Other experts attest to the value of a CIRT. Alex Markham, an independent cybersecurity consultant in Dallas, adds that having a CIRT in place enables the MSP to detect, respond to, and contain threats rapidly, reducing the risk of widespread damage.
Markham states that MSPs often work with clients in heavily regulated finance, healthcare, and critical infrastructure sectors.
“These industries typically have strict compliance requirements around data security and breach notification,” Markham says, noting that a well-structured CIRT helps the MSP meet these obligations by ensuring there are clear procedures for identifying and responding to incidents, preserving forensic evidence, and reporting to regulators or affected clients in a timely and accurate way. “This is not just a best practice—it’s often a contractual or legal necessity.”
Finally, beyond immediate response, a CIRT enables deeper analysis of incidents through forensics and post-incident reviews. This capability is crucial for understanding what went wrong during a cybersecurity incident and determining how to fix it. It also plays a key role in strengthening defenses to prevent similar attacks in the future. “The insights gained from incident analysis are invaluable for strengthening an organization’s overall security posture,” Markham notes. “They can also inform policy updates and serve as a foundation for training both staff and clients.”
A strong incident response plan is essential for MSPs, not just to react to incidents but to prepare for them, communicate effectively, and minimize their impact. With defined roles, regular testing, and a dedicated response team, MSPs can better protect their clients and meet rising security expectations.
Photo: PreciousJ / Shutterstock