The vitally important role of loggists in a cyber incident

Written by: Lisa Forte

Categorized: General

Who? Why?

When your crisis management team (CMT) meets, it is usually gathered to handle a crisis. The team has to operate in high-pressure situations, and any human being can find the task of processing a lot of information, in a short amount of time and under a lot of pressure, rather daunting. Naturally, as human beings, we aren't great at it. With training and practice we get better, but reliable assistance in these situations is usually very welcome. One vital support function for your CMT is the loggist.

Loggists record (or log) information on behalf of the CMT and provide a go-to function both during and following an incident. Loggists record vital information, including what DECISIONS were made and by whom, and what ACTIONS were taken and by whom.

Loggist training is crucial because these decisions and actions need to be recorded quickly and accurately; otherwise things will quickly spiral.

Why do I need a log?

The log is important for a number of reasons.

  1. A clear record. Firstly, it gives you a clear record of exactly what your CMT did, when they did it and why they did it. It will keep a record of what information was received and what further action was requested. This is valuable during the incident if you need to go back and recall what time you were informed of a significant fact. If you are asked "when did you find out your credit card data was exfiltrated?", it's not ideal to say "some time around lunchtime on Wednesday? Or was it Thursday?" It is also vital after the incident. For example, if someone decides to take you to court, this could happen years later, and your recollection of the event will have clouded.
  2. Post incident review. A log allows you, post incident, to review what has happened, what went well, what didn’t and how the entire process could be improved. This is a key part of resilience.
  3. Increase accountability. A log provides a record of what happened and allows big mistakes to be addressed and people held accountable should that be needed.

What does a loggist have to do?

During an incident the CMT will likely be receiving a lot of information from all parts of the organisation. External third parties and regulators may be involved too. The loggists will record all this information, time-stamp when it was received, log decisions or actions and who owns those decisions, as well as any further questions or requests the CMT may have.

This log needs to be usable during the incident too, so it needs to be organised and categorised appropriately. This is usually done on a template, so that the format has been established and tested before an actual incident. This is why loggists need to receive training on what to log and how to log it.

Who should be trained to be a loggist?

Technically, anybody in any role within your organisation can receive loggist training. What is more important are the personality traits of the individual. Not everyone can cope in a high-pressure incident. Loggists should be calm, have an eye for detail and be excellent multitaskers. It is a responsibility that comes with a lot of trust placed in them, so they need to be people you feel you can rely on.

It is useful to have several loggists trained, because an incident can happen at any time and you want to ensure you have resilience here.

They should all have received structured loggist training and, of course, should also be involved in every crisis exercise that the organisation runs. This gives them that crucial chance to practise their skills.

If you would like assistance in designing or delivering a focused and bespoke cyber exercise within your organisation, read our guide to exercising or email [email protected] for a free no commitment consultation with one of our leading exercise professionals. If you need loggist training or want help building a team of loggists within your organisation get in touch.
