Organizations must consider their wider security requirements before deciding if they require a CSIRT, a SOC or both.
Pronounced "see-sirt", a computer security incident response team (CSIRT) performs three main tasks: (1) it receives information on a security breach, (2) it analyses it and (3) it responds to the sender. A security operations center (SOC), pronounced "sock", is different: its job is to detect and prevent cyberattacks on an organization.
CSIRTs are usually horizontal across an organization and often involve personnel from outside the security team, including public relations, marketing, customer support and management. A SOC, on the other hand, is a centralized, standalone function or department. If we consider SOCs to be active security practitioners, then we might say CSIRTs are reactive ones.
In this article, we present details on both to help organizations better understand the relevance of each to their business and decide if they need one or the other in place, or both.
What is a CSIRT?
CSIRTs exist in several forms. They can be ad hoc groups who come together when a security incident occurs, drawing membership from an organization’s various functions as required to respond to the incident. They can also be more established groups, with a recognized membership