In an organization, who typically develops the plays in the playbook?

Plays in a cybersecurity playbook are typically developed by a team of incident response handlers. These professionals have the expertise to understand the intricacies of security incidents and the best ways to respond to them. They often work closely with security analysts, who may contribute insights based on their front-line experience in detecting and initially responding to incidents.

However, the development of plays is usually a collaborative effort that may include:

• SOC Security Analysts: They provide valuable input based on their day-to-day experience in monitoring and initial incident assessment.
• SOC Managers: They might oversee the development process to ensure that the plays align with the organization’s overall security posture and incident response strategy.
• Incident Response Handlers: They have hands-on experience in managing incidents and are typically responsible for drafting the detailed response procedures.
• IT Analysts: While they may not be the primary developers of the plays, they can offer technical insights, especially regarding the IT infrastructure’s capabilities and limitations.

In practice, the process is often interdisciplinary, with input from different departments to ensure comprehensive coverage of potential security scenarios.