As the cyber-threat landscape evolves and data breaches become more common, incident response becomes more critical than ever for any company. A CSIRT (Computer Security Incident Response Team) is a body of people assigned responsibility for responding to, and minimizing the impact of, any incidents that affect the organization. This team requires a strong and versatile leader.

Here we discuss the roles and competencies required within the role of the CSIRT Team Leader.

1. CSIRT team leaders are key players in cyber security

CSIRT team leaders are primarily involved in strategic decisions - they are responsible for the operation, budget and strategic direction of the team within the company. They also advise management on security issues, current threats and issues related to meeting compliance standards.

A strong working relationship between the team leader and the rest of the organization boosts security productivity. 

2. The team leader should collaborate closely with other business leaders

A company’s security should be a top priority, and the head of information security should be a critical member of the executive team. As the role of information security develops, the team leader needs to work more closely with other leaders.

“If security is well done, nobody sees it, nobody values it. The board needs to value the work. Show leadership on how you are improving security.” - Jim Byrge, Valvoline

Jim Byrge went so far as to appoint the company’s CISO as the CSIRT team leader. This allows for unrestricted and rapid communication all the way up to the board level. However, in many companies, the CISO has so many responsibilities that they would not have sufficient time to respond adequately to the demands of heading the CSIRT team.

3. Support the Program - executive level engagement

Knowing how to talk to the board is key - much of a team leader’s role involves management and advocating for security within company leadership. Educating, engaging and including other members of the CSIRT team who can attend these meetings should also be a consideration. The more the team leader can engage, the better prepared the company will be in the event of any incident.

The team leader is concerned with continuously improving cyber resilience, and therefore the board needs to understand the value of the work so that the team gets the funding it needs for infrastructure, software, headcount, etc.

4. A solid technical foundation

The knowledge of the team leader will be far-reaching. They understand how the cybersecurity threat landscape is evolving and how that could affect the security risks facing the business. Knowledge of data loss and fraud prevention, identity and access management, investigation and forensics, and program management are also key requirements.

5. A strategic & tactical (CSIRT) team

CSIRT team leaders work proactively with their team, focusing on concrete prediction as well as preparation to defend against any attack. They are in charge of making preparations and, if and when necessary, executing a predefined incident response plan.

The team leader is responsible for selecting a CSIRT team which meets the specific requirements of their employer, within the company’s budgetary constraints and the limited availability of experienced incident responders. They need to ensure that the incident response team receives appropriate attention and training, has a sustainable budget, and has the authority to act quickly during a crisis.

Cybersecurity is always changing, and incident response is a critical business process requiring a skilled, specialized workforce that possesses years of experience in addition to harmonized, repeatable and scalable processes.

Managing up, down and across

A team leader's position is one of tremendous responsibility. However, it is important to consider that technical knowledge isn’t the only key requirement, and perhaps not the most important. The role involves management and advocating for security within company leadership. Team leaders are enforcers and enablers working to build a cyber security culture that contributes to business objectives. They need to speak the language of the business and empower employees - this is an extremely pivotal role.