Are you considering applying for a new role in incident response? It’s always nice to look for the next step in our cybersecurity career, and of course, IR is one of the most “popular” roles in the industry. You have probably already read a few articles about how this role would improve your technical background, your experience, and your investigation skills, and all of that is true. However, this article is not intended to talk about the cool side of working in IR; the goal is to share the other side, the part not everybody tells you about.

IR is not for everyone. It is not about being smarter, more resilient, or mature; it is just that everyone is wired differently, that’s it.

Let’s be honest, before we all decided to apply for that cybersecurity role posted on LinkedIn, we thought about the opportunity, the salary, the ever-evolving industry, and how we would fight hackers and be the “good guys” who help companies to stay in business. You probably talked with the manager of the position during the interview, maybe a friend who has been working in the role for a couple of years, and read a few articles telling how nice it is to work in cybersecurity. Do not get me wrong, I love working in cybersecurity, but not every day is just another day in paradise.

Now, let’s talk about IR. The Cybersecurity Incident Response function is one of the most fundamental processes of a cybersecurity program. It is the process that needs to stand out when everything else fails and help organizations remain in business after being targeted by an attacker. Ideally, an organization’s preventive controls should eliminate threats before they become security incidents. Remember that prevention is the first step of the incident response process, but unlike everything else in the program, IR is focused on the response after a security incident is detected.

Before you click “Apply” to that incident response role on LinkedIn, let me share 3 things I learned working as an incident responder that I wish I knew before I signed up for the role.

Stress and anxiety levels

This is probably obvious, but cybersecurity in general is stressful. After all, cybersecurity is by nature about protecting the organization against threat actors, which should be the main goal of every employee who works in cyber. But let me tell you, in IR, you need to add at least two more levels of stress when you are working as a responder. Think about it: in today’s world the question is not whether you’ll have a security incident, but when you are going to have one. With the almost infinite number of security incidents reported every day, the pressure is not just about the incident itself; companies are scrutinized more and more on how they respond to cybersecurity incidents, mitigate the threat, and get back to business. The goal is to win back the trust of the investors.

I always challenge my team not to handle a security alert as just “another alert” but as the alert that, if not handled properly, could mean overlooking a security incident and giving all of us a bad day. The same goes for an escalation to IR: if one does not respond effectively and efficiently to a security incident, it can turn into a major security breach that will potentially damage the organization’s reputation. So, putting all these “pressure ingredients” together results in the perfect recipe for major stress.

To be honest, the crude reality is that, if you have issues dealing with a high level of stress or anxiety, maybe IR is not for you. It is not about weakness or lack of resilience, but normally, people who work in these roles have their own routine for clearing stress so they can keep their minds clear and keep going; after all, stress is not a good advisor when making decisions.

I know of people requiring a medical check after an anxiety attack during a security incident. Think about it: depending on the scope and complexity of the security incident, you could end up working nonstop for several hours. The levels of stress and tension are at their peak, and the hyperfocus keeps your brain processing a lot of information per minute, thinking about many possibilities and variants of what could be happening and what the threat actor did or is actually doing. Your brain does not stop spinning. It requires a lot of mental resilience and coaching to avoid burning your brain out in just a few hours during a security incident.

IR is not just a technical position

This is where things can get boring, especially if what you have in mind is just being in front of the keyboard, taking a case, jumping from here to there, running a few commands in several security tools, and watching a black screen or a fancy security tool dashboard. Well, that can still be true, but not all the time. When I interview people for the role, I always ask for their perspective on how their day-to-day would look, and most of the time, what they say is close to what I just described here. Again, it is not that it’s wrong, but IR is more than a technical role.

I always say IR is very political too, and believe it or not, it is the most difficult part of the job to learn, because unlike the technical side of the role, it changes dramatically from one company to another. Even experienced people will have to relearn how politics work in the company if they are selected for the role. We also must consider how the cybersecurity program is designed and enforced in the specific organization, because that will vary as well. In organizations where cybersecurity is taken seriously and the risk tolerance is low, it can be easier for a security analyst to interview a user during and after a security incident; the tone can be more straightforward, and user education will be supported by senior leadership. Unfortunately, the opposite is very common too, so user education sessions could end up as a “bad boy, don’t do it again” conversation that won’t be as effective in preventing a recurrence of the security incident.

You might be wondering now what I meant by “user interviews” in the last paragraph. That’s right: very often the security analyst responding to a security incident will have difficult (but interesting) conversations with the end users involved in the incident, especially when a few patterns are observed and you are unsure how the incident happened, so you need additional feedback from the user to understand the root cause and implement controls. Believe me, some users and their managers can be very defensive when you are asking “what” and “when” questions as part of your investigation. In small organizations, these conversations are handled by the manager of the incident response team or equivalent, but in larger organizations this is simply unmanageable, and security analysts must have these conversations themselves.

The good side of learning and doing all this “politics” stuff is that soft skills must be continuously improved, so security analysts learn to communicate appropriately with non-technical people and explain what happened.

The attacker only needs to succeed once, and the defender only needs to fail once.

Millions of attacks are launched every day against thousands of organizations. Most of them will not even get past the first defenses, and if they do, detection and remediation will stop them before severe damage is done. But still, attackers only need to win once.

Companies spend thousands of dollars every year on their cybersecurity programs. Technical and non-technical controls are implemented and enforced every year; thousands of hours are invested in cybersecurity training, security tool implementation and maintenance, designing and delivering cybersecurity awareness programs, and so on. But it only takes one small failure for defenders to have a bad day.

This is frustrating. An organization’s reputation is heavily impacted after a security breach becomes public. It is very easy to judge and comment when you are an outsider with limited or no context of what happened and how. Nobody will step forward and talk about the hundreds of battles that defenders win every day; all that matters is the small failure in the process that had a huge impact on investors’ confidence. This is something that defenders need to learn to live with.

With all this said, despite the stress, the frustration, and the always challenging politics of working on an incident response team, this role is instrumental in gaining field experience in cybersecurity. This is where theory turns into practice: the real world. Working in incident response is different from any other role in cyber, but all these challenges are what make the role rewarding. No pain, no gain, and for sure, I can guarantee you won’t get bored if you click “Apply”.
