Whenever a business operation is under threat, the IT and cybersecurity departments have to work together, because a timely response is what limits the damage an attacker can do. However, as Ed Amoroso, CEO and Founder of TAG Cyber, points out, there is no single answer to how exactly the two teams should cooperate. It depends on too many factors set by the enterprise's internal workflow, and above all on the CIO and the CISO.
On top of that, cybersecurity is a remarkably complex part of any business, and effective measures require meticulous planning. Attacks cannot be prevented entirely, but proper planning can significantly limit the damage they do. The best preparation is not a description of which role each department plays during an attack, but a drill built around the most likely attack scenario, which forces the teams to coordinate in practice.


Every company has its own rules and protocols for how the IT and cybersecurity departments operate during an attack. At a smaller business where both departments share one budget, the two teams will most likely work as one during an attack, because that is how they work day to day, and a single team of that kind tends to respond much more efficiently.
At the other end of the scale, in federal government institutions that own critical infrastructure, the security team only sets the policy that applies to cyber-attacks and does not take part in mitigation directly. The Department of Homeland Security (DHS), for example, does not handle attacks and the cleanup that follows itself; it sets policy and oversees operations and training.
Amoroso explains the reasoning simply: where the cost of a mistake by a member of the attack-response team is too high, for example in nuclear power or other dangerous or sensitive products, the organization will not let non-professionals take part. The most critical phases of the response are handled by staff with solid skills and experience.
Other companies split responsibilities 50/50 between their IT and security teams, and that is where things often get muddled.


IT's main responsibility is the backups every enterprise depends on. During an attack, the department should immediately check that backups are available and intact, and that none were altered or deleted; attackers who deploy ransomware commonly go after backups before encrypting anything, so "the file is still there" is not the same as "the backup is usable". With the backup report in hand, the security team can work out which parts of the network were not affected, assess the scale of the attack, and begin restoring data or bringing up the latest clean backup.
Log reconciliation is also the security team's responsibility, and it usually revolves around the specific logs that team monitors. Christina Barker, who leads NCC Group's North American Cyber Incident Response Team, stresses that the team should look at the IT team's logs as well, because they can give a broader view of the attack. Monitoring is a very important part of attack prevention.
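The two checks above, the backup integrity check and the cross-team log reconciliation, are concrete enough to script. The following is an added example written for this page, not code from the article or from any of the people quoted in it. It assumes a `sha256sum`-style manifest of backup hashes that was recorded before the incident and kept off the backup host, IT logs in a syslog-like format stamped in local time (assumed UTC-4), and security alerts as JSON lines with ISO 8601 timestamps; all file names, hostnames and log lines are constructed for illustration.

```python
"""Backup integrity check and IT/security log reconciliation (added example).

Assumptions (not from the article): manifest lines are `<sha256>  <relative path>`,
IT syslog lines are `YYYY-MM-DD HH:MM:SS host prog[pid]: msg` in local time (UTC-4),
and security alerts are JSON lines with a `ts` field in ISO 8601. Sample data is constructed.
"""
import hashlib
import json
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path


# ---------- Part 1: is the backup set still what we recorded before the incident? ----------

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large archives never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest: Path) -> None:
    """Record a hash for every file; keep this manifest off the backup host."""
    lines = [f"{sha256_of(p)}  {p.relative_to(backup_dir).as_posix()}"
             for p in sorted(backup_dir.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(lines) + "\n")


def verify_backups(backup_dir: Path, manifest: Path) -> dict[str, list[str]]:
    """Classify every backup file as ok / modified / missing / unexpected."""
    expected = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            expected[rel] = digest
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)          # deleted, as ransomware crews do
        elif sha256_of(present[rel]) != digest:
            report["modified"].append(rel)         # still there but no longer usable
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(present) - set(expected))  # e.g. a ransom note
    return {k: sorted(v) for k, v in report.items()}


def backup_demo() -> dict[str, list[str]]:
    """Constructed scenario: manifest taken pre-incident, then one backup is
    overwritten, one deleted and a ransom note dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backups = Path(tmp), Path(tmp) / "backups"
        (backups / "db").mkdir(parents=True)
        (backups / "db" / "crm-2024-05-01.sql.gz").write_bytes(b"db-dump-bytes")
        (backups / "files-2024-05-01.tar").write_bytes(b"tar-bytes")
        (backups / "mail-2024-05-01.tar").write_bytes(b"mail-bytes")
        write_manifest(backups, root / "manifest.sha256")
        (backups / "db" / "crm-2024-05-01.sql.gz").write_bytes(b"encrypted-garbage")
        (backups / "mail-2024-05-01.tar").unlink()
        (backups / "README.txt").write_bytes(b"your files are encrypted")
        return verify_backups(backups, root / "manifest.sha256")


# ---------- Part 2: put IT logs and security alerts on one clock ----------

IT_SYSLOG = """\
2024-05-03 02:11:07 fs01 sshd[4121]: Accepted password for svc_backup from 10.20.4.77 port 51022
2024-05-03 02:12:40 fs01 useradd[4190]: new user: name=support2, UID=1007, GID=1007
2024-05-03 02:15:03 bk01 veeam[902]: job NightlyFS failed: repository unreachable
2024-05-03 02:31:55 fs01 smbd[4233]: 10.20.4.77 wrote 18442 files under /srv/share
"""
EDR_JSONL = """\
{"ts":"2024-05-03T06:12:51Z","host":"fs01","severity":"medium","rule":"Local account created outside change window"}
{"ts":"2024-05-03T06:30:10Z","host":"fs01","severity":"high","rule":"Mass file rename with unusual extension"}
"""
SYSLOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+?)\[\d+\]: (.*)$")
IT_TZ = timezone(timedelta(hours=-4))  # assumption: IT logs carry no zone, local time is UTC-4


@dataclass(order=True)
class Event:
    ts: datetime
    source: str
    host: str
    message: str


def parse_it_syslog(text: str) -> list[Event]:
    events = []
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        stamp, host, prog, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=IT_TZ)
        events.append(Event(ts.astimezone(timezone.utc), "it", host, f"{prog}: {msg}"))
    return events


def parse_edr(text: str) -> list[Event]:
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(Event(ts.astimezone(timezone.utc), "security",
                            rec["host"], f"[{rec['severity']}] {rec['rule']}"))
    return events


def build_timeline(*sources: list[Event]) -> list[Event]:
    """One merged, UTC-ordered timeline across both teams' logs."""
    return sorted(e for src in sources for e in src)


def context_for(timeline: list[Event], window=timedelta(minutes=5)) -> dict[str, list[str]]:
    """For each security alert, the IT events on the same host within the window."""
    return {a.message: [e.message for e in timeline
                        if e.source == "it" and e.host == a.host and abs(e.ts - a.ts) <= window]
            for a in timeline if a.source == "security"}


if __name__ == "__main__":
    print(backup_demo())
    tl = build_timeline(parse_it_syslog(IT_SYSLOG), parse_edr(EDR_JSONL))
    for alert, ctx in context_for(tl).items():
        print(alert, "<-", ctx)
```

In the constructed data the EDR alert about an unscheduled account creation on its own says little; beside the IT syslog it sits eleven seconds after `useradd` on the same host and a minute after a service-account login from the same address that later writes thousands of files, which is the broader view Barker describes. The timezone normalisation is the step most often skipped in practice and is the reason the two teams' timelines appear not to line up.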

Who should be in charge?

A cyberattack is an intense crisis that puts a lot of pressure on both IT and security leaders. Everyone should remember that it is an exercise in overall crisis management coordination and the wrong time to fight over who leads. Ideally, there is a dedicated response team that is neither part of nor controlled by the security department. As the attack unfolds, different areas come into play, each handled by the professionals in the IT or security department.
For big enterprises, a good option is to put someone else in charge of the whole operation, tailor the plan of action, and define the specific role of every member. This helps avoid disputes not only between the two departments but also with insurance companies.

Planning and tabletop exercise

A plan that is merely discussed will not help much during a real attack. A tabletop exercise prepares the response team and sets up the communication channels between the two departments, uniting them into one team.
Apart from understanding their roles and the overall sequence of the process, members should know each other. Response team leaders strongly recommend such preparation, because communication and good teamwork are inseparable.


Even with many employees working remotely today, a tabletop exercise is still worth the effort, since you cannot be certain that no attack will occur during that period. To fight off cybercriminals effectively, you should maintain 24/7 readiness whether your teams work remotely or in an office.