E-Handbook: Incident response playbook in flux as services, tools arrive (Article 1 of 3)

IR playbook revisions portend complexities for infosec pros

The enterprise incident response "playbook" is getting a rewrite.

An IR playbook guides an enterprise security team's work, identifying triggering events and outlining best practices or regulatory requirements. Playbook revisions are essential to putting new technologies and services to use and staying ahead of evolving threats. Recently, automation and IR service providers have prompted enterprise security teams to rethink how they work, causing some team members to ponder whether their jobs could eventually be automated or outsourced.

Back in 2016, McKinsey & Company considered the likely effect of automation on corporate workforces. One not-too-surprising conclusion was "it's more technically feasible to automate predictable physical activities than unpredictable ones." And what, we might ask, could be more unpredictable than the job of an IT security pro? Everything about the occupation is constantly changing -- the tools, user needs and the nature of security threats. In May 2018, McKinsey took an in-depth look at specific sectors. What did they find? The occupations least susceptible to being supplanted by automation are those that rely on expertise in decision-making. Not only that, but McKinsey's experts predict a surge in demand for security pros with "advanced technological skills."

But even if your job is likely secure, the nature of your work will change. Your new, improved enterprise incident response playbook will soon include, if it doesn't already, guidelines for using automated technology. But no matter how sophisticated these IR tools get, human judgment will remain essential in the security field.

And even if your company signs on with an IR service provider, the guidance and knowledge of in-house security professionals will remain crucial. The best security pros have knowledge of their specific industry and their particular company's critical data and systems, not to mention a deep understanding of current threats. The incident response playbook, in other words, will remain in the hands of on-site security teams.