Manuel Estévez GRC Manager

Cybersecurity: Why do they call it an incident when they (don't) mean crisis?

In the digital age, information security has become a fundamental pillar for the effective functioning of both public and private organizations.  In an interconnected and highly technology-dependent world, data has become one of the most valuable assets, raising the importance of protecting it against potential threats. For both public entities and companies, the integrity, confidentiality and availability of information are critical aspects that, in many cases, can determine their success or failure.

Organizations handle a large amount of sensitive data, ranging from financial and personal information of customers and citizens to commercial and strategic secrets. Ensuring the security of this data is therefore essential to preserve public trust, comply with legal regulations and maintain competitive advantage.

Effective risk management


Despite having robust protective measures in place, it is important to recognise that no system is completely impenetrable and that security incidents are, to some extent, likely or even inevitable. Threats are constantly evolving, and attackers employ increasingly sophisticated techniques to overcome defences. In addition, factors such as human error, software flaws or obsolete devices can inadvertently open security gaps. Therefore, even when organisations implement preventive and detective measures, they must take a proactive stance and be prepared to respond effectively when a security incident occurs.

Security incidents, as is well known, can have devastating consequences, including loss of data, reputational damage, legal fines and significant recovery costs.

In this context, understanding the difference between a security incident and a crisis caused by a security incident is crucial for implementing effective risk management and response strategies.

Navigating turbulent waters: Differentiating security incident management and crisis management

While a security incident can often be addressed with a structured technical approach, a crisis triggered by such an incident represents a scenario where the normal operation of the organisation is severely compromised, with significant impacts on its reputation, operations and ultimately its survival.  It is essential for organisations to be prepared for both scenarios and to have adequate action plans in place to mitigate the risks and minimise the consequences. 

The differences between the two scenarios, in more detail:

Nature of the event
  • Incident: any event that compromises the integrity, confidentiality or availability of information but has not caused a significant impact on the organisation's operations.
  • Crisis: occurs when a security incident has serious repercussions that directly affect the organisation's operations, reputation and possibly its survival.

Impact
  • Incident: can be handled internally by incident response teams or the information security department without significant intervention at the organisational level.
  • Crisis: usually requires an executive and organisational response, involving the mobilisation of additional resources and strategic decisions to mitigate the impact and restore operational normality.

Duration and persistence
  • Incident: can be resolved relatively quickly once identified and responded to appropriately, with a relatively short recovery time.
  • Crisis: can last for days, weeks or even months, especially if it involves extensive investigation, repairing significant damage and rebuilding the trust of third parties.

Reputation and trust
  • Incident: may affect the trust of third parties and the reputation of the organisation, but these impacts can be mitigated with a rapid and transparent response.
  • Crisis: can have lasting effects on the reputation of the organisation and the trust of third parties, especially if the response is perceived as inadequate or negligent. Regaining lost confidence may require considerable and prolonged effort.


Understanding these differences between the two scenarios enables organisations to:

  • Implement appropriate response strategies: an incident requires a technical approach to contain the damage and restore systems. A crisis requires a broader response, including transparent communication, management of public perception and recovery from the reputational impact.
  • Optimise resource management: responding to an incident can be relatively straightforward and require limited resources. A crisis, on the other hand, requires greater mobilisation of resources and coordination between different teams.
  • Minimise the impact: a rapid and appropriate response to an incident can prevent it from turning into a crisis.

In summary, while incident management and crisis management are related, they are two distinct processes that require different approaches, tools and strategies. The key to an effective response is to understand the differences and to have pre-defined plans to manage both types of situations.

Prepare: The inescapable responsibility of management

Management's responsibility for information security is not limited to compliance with regulations or the implementation of technical measures. It is an active and visible commitment that must permeate the entire organisational culture. Management must take the lead in creating an environment where security is a priority for all employees. Leadership from management is fundamental to creating a safe and trusted environment where information is protected and the organisation can thrive.

When defining a strategy to prepare for an information security crisis, management should bear in mind:

  • Understanding of context: understand the strategic importance of information security and the potential impacts a security crisis could have on the organisation, including financial loss, reputational damage and possible legal consequences.
  • Allocation of resources: ensure adequate allocation of financial, technological and human resources to establish and maintain robust information security programmes and to develop and execute crisis response plans.
  • Definition of roles and responsibilities: ensure that the roles and responsibilities of management, information security officers, incident response teams and other relevant actors during a security crisis are clearly defined.
  • Active participation and support: actively promote a culture of security throughout the organisation, supporting awareness and training efforts, and communicating the importance of information security at all levels.
  • Risk assessment and strategic planning: regularly monitor and review information security risk assessments to identify new threats and vulnerabilities, and adjust the security strategy accordingly as part of the organisation's strategic planning.
  • Development of response capabilities: invest in developing incident response capabilities, including conducting crisis simulation exercises and training response teams to ensure a rapid and effective response in the event of a security crisis.
  • Establishment of communication channels: create and maintain effective two-way communication channels between management, information security managers, incident response teams and other key stakeholders to facilitate a coordinated response during a security crisis.
  • Continuous review and improvement: conduct periodic reviews of the information security strategy and of incident and crisis response plans, identifying areas for improvement and ensuring that the organisation is prepared to meet emerging challenges in the security landscape.
  • Support for business continuity: promote the implementation of data back-up measures and business continuity plans (in addition to technology recovery plans) to ensure the rapid recovery of critical processes and the continuity of business operations in the event of a crisis.
  • Commitment to resilience: foster a mindset of organisational resilience, recognising that information security crises can occur and preparing the organisation to respond effectively, recover and learn from the experience to further strengthen its security posture in the future.

Knowing and turning to those who know

The importance of having expert suppliers for the definition of the crisis management strategy, and of their involvement in executing the plans when an information security crisis occurs, cannot be overstated. In an increasingly complex and threatening digital environment, the specialised knowledge and experience of qualified professionals can make the difference between an effective response and a potential disaster.


IZERTIS, which specialises in information security, not only has a deep understanding of the latest threats and security best practices, but also has access to advanced technologies and specialised tools that can help identify, mitigate and recover from security incidents faster and more efficiently.

By relying on IZERTIS for crisis management strategy definition, organisations can benefit from our specialist knowledge and external perspective, which can help identify potential gaps in the existing security posture and develop robust response plans tailored to the organisation's specific needs.

In addition, during an information security crisis, IZERTIS' involvement can be invaluable in helping the organisation to coordinate the response, manage the situation effectively and minimise damage. We can provide real-time advice and guidance, assist in the recovery of data and systems, and work with relevant authorities to investigate the incident and mitigate future risks.