The skills we look for in Cyber Security Incident Response

1.29.25

Yaniv Menasherov

We see many headlines about the evolving cyber security threat that affects all types of companies. Most companies now have a Cyber Security team that works across the business to help protect their customers, employees and brand. Cyber Security is structured into specialist areas; the Cyber Security Incident Response Team (CSIRT) has the challenging task of detecting, investigating and mitigating anything that looks like a serious cyber threat.

If you're reading this blog, you may be aware that dedicated CSIRTs tend to be heavily involved in detecting and responding to attempts to steal payment card data (the data PCI DSS exists to protect) or personal data (PD), and in blocking or removing ransomware such as GandCrab, which can lock you out of your own data. Nowadays there are even scraping bots that will try to copy information from your website.

Fundamentally, CSIRT work is about investigating serious issues in a calm, methodical, logical and error-free manner. It is also about working as a member of an elite team alongside experts in infrastructure, data protection, operations and legal.

I lead cyber security teams and always focus on evolving and improving our cyber security capabilities, and on recruiting talented team players who can help us deal with the challenging and continually evolving cyber-attack landscape.

So, I thought I would try to explain here what I look for when recruiting members of our CSIRT. The first thing to note is that CSIRT is usually one of several teams within Cyber Security, and it operates best when working collectively with security operations and security architecture to secure customers, employees and brand.

Here are the top 5 skills you should look for in your CSIRT:

  1. Highly analytical: the ability to understand data flows and access mechanisms, and to infer conclusions from them. We are looking for the right mindset and analytical ability much more than existing knowledge.

  2. The right mindset: think as a cyber-criminal would, be suspicious, try to prove the unobvious. Occasionally the data presented by one system is deceiving, or has been tampered with by an attacker. A responder uses every tool within reach to investigate, and corroborates the same event across independent sources (endpoint, network and identity logs) before trusting any single one.

  3. Organic team player: IR is a team effort by definition, not a 'one man show'. The role means working well in a fast-changing environment with interfaces to both internal and external teams. If you ask yourself what an 'organic team' is: it is one where every member knows each other's weaknesses and strengths, uses others' strengths to cover their own weaknesses and their own strengths to cover others' weaknesses. That is synergy.

  4. Hands on: coming across new systems is an everyday task, which requires a dynamic and adaptive person with a "can do" attitude to explore ways of getting the necessary data. The position is not suitable for people who are intimidated by investigating new systems or platforms, or by frequently working with new teams. An independent and self-motivated person will be able to overcome new challenges, often cases that no one internally has ever faced before.

  5. Discipline, diligence and accuracy: following procedures will reduce your TTR and TTM (time to respond, time to mitigate). Making mistakes is inevitable; admitting them without delay or hesitation will reduce their impact.

I tend to structure our CSIRT into Analysts and Senior Analysts. Analysts focus on detecting and responding to cyber-security incidents as well as performing digital forensic analysis. This role suits someone who is looking to grow their skills and experience: they will have the opportunity to work with, and learn from, our Senior Analysts as well as seniors in our other Cyber Security teams.

Senior Analysts are the first to explore new attack vectors, following known threats and, often, unknown ones that are yet to be discovered. They act as the spearhead when it comes to detecting an attack and defining the right response to mitigate it. Mitigation is important, but attacks can mutate and recur, so the Seniors also define the critical prevention measures that make life extremely difficult for the cyber criminals.

CSIRT Analysts need to work as one, in a methodical way, to reduce time-to-detect (TTD), time-to-respond (TTR) and time-to-mitigate (TTM). Devoted teamwork and synergy will continually and consistently reduce all three.

When not responding to incidents, we work as a team to build in-house incident response capabilities, which may include refining our investigation techniques; ensuring mitigations and preventive measures are applied by the relevant teams within the business; developing cyber-response automation; improving our use of machine learning; authoring and adapting runbooks and playbooks; assessing incident response maturity; and assisting in table-top cyber-scenario exercises.

CSIRT technical staff are usually the ones leading the way on machine learning, and by constantly looking for ways to optimise and improve the service, we have to ensure our Cyber Security team members have the opportunity to continually improve their skills. The Cyber department should be equipped with up-to-date cyber security controls and tooling to detect and respond to intrusions.

Above all, an incident response analyst should be someone:

  • Who is passionate about being part of a team on a mission to defend business operations and prevent cyber-attacks.

  • Who wants to run thorough investigations of external cyber threats throughout the incident response (IR) cycle to protect customers, employees and brand.

  • Who can cross-correlate information from different security controls and collaborate with relevant teams and third parties to run analysis and reach accurate findings.

  • Who can conduct internal investigations of insider threats, looking into attempts at complex fraud or criminal activity in conjunction with the Physical Security and Fraud teams, while also collecting digital evidence that is admissible in a court of law, which means preserving it with a documented chain of custody.
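Cross-correlating different security controls, the skill named in the bullet above and in point 2 of the list (the data presented by one system can be deceiving or tampered with), looks like this in code. This is an added example, not the author's or any team's tooling: the log lines are constructed, the corporate address range is an assumption, and the two sources are an identity-provider (IdP) sign-in log and Windows Security events forwarded from the same workstations. A successful IdP sign-in counts as corroborated only if the host recorded a matching logon (event 4624) shortly afterwards; if the host instead shows its audit log being cleared (event 1102), or nothing at all, the sign-in is flagged rather than trusted on the strength of one source.

```python
"""Cross-correlate two independent security controls so that no single
source is trusted on its own.

Added example with constructed sample data (not real logs, not any
team's production tooling). A successful IdP sign-in is 'corroborated'
only when the target host logged a matching 4624 within the window;
otherwise it is flagged as a collection gap or as an attacker covering
tracks (event 1102 = audit log cleared).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed corporate address space (assumption made for the example).
CORP_NETS = [ip_network("10.0.0.0/8")]

# Constructed IdP sign-in log: timestamp, user, source IP, target host.
IDP_LOG = [
    "2025-01-28T08:01:10Z user=alice ip=10.0.5.21 host=WS-0431 result=success",
    "2025-01-28T08:05:42Z user=bob ip=10.0.5.22 host=WS-0432 result=success",
    "2025-01-28T13:17:03Z user=alice ip=203.0.113.9 host=WS-0431 result=success",
    "2025-01-28T13:20:15Z user=carol ip=10.0.5.23 host=WS-0433 result=failure",
]

# Constructed Windows Security log lines from the same hosts.
# 4624 = successful logon, 1102 = the audit log was cleared.
HOST_LOG = [
    "2025-01-28T08:01:12Z host=WS-0431 event=4624 user=alice logon_type=10",
    "2025-01-28T08:05:45Z host=WS-0432 event=4624 user=bob logon_type=2",
    "2025-01-28T13:18:30Z host=WS-0431 event=1102 user=alice",
]


def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(idp_lines, host_lines, window=timedelta(minutes=2)):
    """Return one finding per successful IdP sign-in.

    status is one of:
      corroborated   - host logged 4624 for the same user within `window`
      log_cleared    - no matching 4624, and the host logged 1102 afterwards
      no_host_event  - no matching 4624 and no clearing event either
    """
    host = [parse(l) for l in host_lines]
    findings = []
    for s in (parse(l) for l in idp_lines):
        if s["result"] != "success":
            continue  # failed sign-ins are not expected to produce a 4624
        same_host = [h for h in host if h["host"] == s["host"]]
        logons = [h for h in same_host
                  if h["event"] == "4624" and h["user"] == s["user"]
                  and timedelta(0) <= h["ts"] - s["ts"] <= window]
        cleared = [h for h in same_host
                   if h["event"] == "1102" and h["ts"] >= s["ts"]]
        if logons:
            status = "corroborated"
        elif cleared:
            status = "log_cleared"
        else:
            status = "no_host_event"
        findings.append({
            "user": s["user"],
            "host": s["host"],
            "ts": s["ts"].isoformat(),
            "status": status,
            # An external source IP is not a finding by itself, but it raises
            # the priority of anything that is not corroborated.
            "external_ip": not any(ip_address(s["ip"]) in n for n in CORP_NETS),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(IDP_LOG, HOST_LOG):
        flag = "  <-- investigate" if f["status"] != "corroborated" else ""
        print(f"{f['ts']} {f['user']}@{f['host']} {f['status']}"
              f" external_ip={f['external_ip']}{flag}")
```

The third sign-in is the interesting one: the IdP saw alice authenticate from an address outside the corporate range, the host has no logon for it, and the next thing the host recorded was its own audit log being cleared. Taken from the host alone the session never happened; taken together the two sources make it the first lead to chase.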

If this interests you, your place is with CSIRT!

Behaviours are important: I look for an enthusiastic team player with some relevant experience and familiarity with security fundamentals and computer networks. We're after someone with the hunger to learn, to pursue digital evidence, to question the obvious and prove the unobvious, and to be comfortable with the uncomfortable.

GIAC Digital Forensics and Incident Response certifications such as GCFE and GCFA are an advantage, but lacking them should not disqualify a potential candidate. Potential and character are more important; the rest can be taught within a few months. Help your team achieve it.
