Now Who Should Do It?

The issue of who should be charged with performing an organization’s incident response activities is critical. The question, to a large degree, may be answered by the available funding. Clearly, not every organization can afford to staff its own incident response team or contract with a commercial team. In such a case, incident response may be viewed as another “duty as assigned” task for the IT staff. If so, these fortunate staffers would be well-advised to get to know what resources are available to them from public teams such as the Carnegie Mellon CERT/CC, and to make the effort to keep up with changes in information protection technologies.

For a company or organization that has adequate budgetary resources available for an incident response program, however, it has been our experience that the most effective answer to the “Who should do it?” question has been a hybrid of all four of the types of teams discussed in this chapter. That is, the company should have at least one full-time employee whose principal responsibility is incident response coordination. That person should have on-demand staffing available by way of internal staff augmentation, an external commercial team, or both. Finally, the internal team, even if it is only one person, should know how to contact the vendor teams for all of the critical IT equipment it owns.

Tip

A hybrid incident response team made up of internal staff for handling day-to-day issues and the management and coordination ...
