Incident Management: new approaches to cyber incident handling

In recent years, cyber incident handling—more commonly referred to as Incident Management—has become a central theme in organizational security strategies.

The growing complexity of attacks, the increasing attack surface, and the evolution of intrusion techniques have made it necessary to adopt innovative and structured approaches. It is no longer just about reacting to an event, but about building an ecosystem of prevention, detection, and rapid, effective response.

New Approaches to Incident Management

Managing a cyber incident is not something that can be improvised; it requires preparation and the ability to respond quickly in order to identify, resolve, and mitigate the consequences of the incident.

Originally, Incident Management was a reactive process: the organization identified a problem and tried to solve it as quickly as possible. Today, however, the paradigm has shifted toward a proactive and predictive logic.

The new vision is based on the integration of threat intelligence, which makes it possible to analyze emerging threats before they materialize, and on the use of automation and orchestration technologies that drastically reduce response times.

At the same time, models such as Zero Trust Security are spreading—based on the idea that no user or device can be considered trustworthy by default—as well as behavioral analysis (UEBA), which can detect anomalous activities that may indicate an ongoing attack.

Incident response plans typically involve a structured, repeatable process that helps organizations manage and mitigate cybersecurity incidents through six phases: governance, identification, and protection, which help organizations prevent certain incidents, prepare to manage incidents that occur, reduce the impact of such incidents, and improve incident response and cybersecurity risk management practices based on lessons learned; and detection, response, and recovery, which help organizations discover, manage, prioritize, contain, eliminate, and recover from cybersecurity incidents, as well as carry out reporting, notification, and other incident-related communications.

In this scenario, the goal is not only to solve the problem but to ensure resilience and operational continuity, minimizing the impact on the organization.

Key steps in incident security

An effective incident management process follows a series of well-defined activities, most commonly grouped together in an incident response lifecycle, which consists of three macro-phases that encompass all the steps necessary to detect, contain, and correct any risks to your cyber defenses:

Predictive/proactive phase – Aimed at analyzing the risks that can lead to cyber incidents, the causes, and solutions to mitigate the effects.

Reactive phase – The methods, roles, and actions that must lead to the resolution of cyber incidents are defined.

Corrective/improvement phase – Incidents are examined in a “lessons learned” approach and suitable solutions are studied to prevent them from happening again.

This continuous cycle, in addition to marking the security steps, ensures that every incident becomes a learning opportunity.

Incident Management and Compliance

European legislators have introduced the obligation to adopt plans for managing cybersecurity incidents, in line with established best practices and industry certifications. Below are some of the most significant regulatory updates related to the cybersecurity landscape:

NIS2 Directive – for Important and Essential Entities, and Digital Service Providers

The Directive mandates the adoption of appropriate technical and organizational measures to prevent and manage incidents, the notification of significant incidents within 24 hours of detection (with a complete report within 72 hours), the maintenance of incident and corrective action logs, the appointment of a cybersecurity officer, and coordination with the national CSIRT.

GDPR – in Case of Data Breach

Organizations are required to notify the Data Protection Authority within 72 hours. If the risk is deemed high, affected individuals must also be informed. Furthermore, every incident and the related mitigation measures must be properly documented.

Other Sector Regulations

Several other regulatory updates have been introduced, including the DORA Regulation (Digital Operational Resilience Act), which focuses on the banking sector, as well as the need to comply with international certifications and best practices such as ISO/IEC 27001:2022, ISO/IEC 27035, NIST SP 800-61 v.2, ACN Guidelines, AgID Guidelines, and more.

Tools and technologies most used

Incident Management relies on a wide range of supporting technologies. Among the most common are SIEM systems, used to collect and correlate logs from different sources, and SOAR platforms, which allow orchestration and automation of much of the response activities.

Alongside these solutions, EDR and XDR tools provide advanced monitoring of endpoints and cloud environments, while Threat Intelligence platforms aggregate valuable information to recognize indicators of compromise and attack patterns.

Digital forensics technologies also play a key role in analyzing intrusions in depth, and multi-cloud security solutions have become indispensable for today’s hybrid infrastructures.

Integrating these tools into a coherent ecosystem provides a comprehensive and reactive view of the risk landscape.

Skills required of security personnel

Although automation plays an increasingly important role, the human factor remains decisive, making security awareness essential.

Professionals tasked with managing cyber incidents must possess advanced technical skills, from knowledge of networks and operating systems to malware analysis and digital investigations.

They must also be able to interpret large volumes of data generated by tools such as SIEM and EDR and turn them into operational decisions.

However, technical skills alone are not enough: soft skills such as effective communication, problem solving, and stress management are equally critical for effective collaboration in crisis contexts.

Continuous training is essential, as threats evolve rapidly, along with the knowledge of regulations and security standards, which provide a framework to ensure compliance.

Telsy’s Solutions for Incident Management

In this context, Telsy positions itself as a strategic partner for organizations seeking to strengthen their security posture. Telsy’s Incident Management services provide comprehensive coverage of the entire incident life cycle, structured into four main areas of intervention:

Incident Management Policy

Development of internal procedures for incident handling, enabling organizations to establish the processes, measures, and tools needed to prevent events and be prepared to manage incidents before they occur.

Incident Notification Support

Direct contact with Telsy’s Incident Response Team to receive 24/7 operational support in responding to cybersecurity incidents and/or data breaches. The service assists clients in implementing the necessary countermeasures to resolve crises and restore business continuity.

Incident Response

Consulting support before and after an incident to ensure proper communication with authorities as required by regulations, including the provision of operational guidelines and assistance in preparing and understanding official notifications.

Reputational Management

Advisory services for managing strategic crisis communications (internal, external, and high-profile), aimed at preventing, mitigating, and remedying reputational and relational damage resulting from a cyber incident.

Telsy also provides dedicated Incident Response teams ready to intervene in case of compromise, performing containment, forensic analysis, and remediation activities.

Learn more about Telsy’s Incident Management solutions, or contact us at contact@telsy.it