Looking for folks who have implemented Security Incident Response

Viper777
Tera Contributor

We are looking for someone who has implemented Security Incident Response and could provide perspective on what the overhead looks like from an on-going support perspective.


Any comments here or willingness to connect would be appreciated.


AJ_UK
Tera Contributor

Hi @Viper777 ,

That's a very broad question, and so much depends on how your organisation would be intending to use SIR.

Structure-wise, Security Incidents are similar to ITIL incidents, and they have their own subset of 'Response Tasks' that can be used by a SOC, or whoever is going to manage Security Incidents through their lifecycle. Readership/functionality of the SIR tables can be locked down as much/as little as you require.

Overhead/on-going support - There will be published updates to implement if nothing else, and then so much depends on how much you tailor it to your organisation's requirements, what you integrate it with, etc. The more you tailor it, the more overhead there is, but the more functionality/automation you gain.

PatrickMutchler
Tera Guru

@Viper777 ,


We implemented SIR for a client and have been providing on-going support/maturation for years now. The overhead really depends on the organization. If the organization is satisfied with the product that was initially implemented, then there may not be too much to do on a daily or weekly basis. In that example, ongoing support is going to mainly be limited to updating plugins and making sure everything is running smoothly, unless they come to you with a feature or integration request on occasion.


If the organization is more involved (and hopefully it is), ongoing support should consist of a roadmap exercise where organization strategy is translated into a multi-year roadmap. That will then be the guiding light for the team that is supporting SIR from a ServiceNow development standpoint.


I hope that helps. I'm happy to connect if you want to chat further.