As you may have come to realise, it's not a matter of if a data breach will occur, but when, and it comes as no surprise that it will probably be at the worst time and become one of the most stressful moments of your career.
Breaches happen through the places you were not looking, so you are going to have your deductive skills tested to the limit. If you are lucky, you will be able to infer what happened through the remaining audit artefacts on your network.
If your experience at the job has been constrained to sitting quietly at your desk doing 'your thing', you are going to have more exposure to the executive leadership of your enterprise than you ever imagined. They are going to require fast and decisive answers and you will be asked to make quick assessments of the information you have available and be held accountable for them afterwards.
Your first responsibility will be to create a complete and detailed timeline. This is the information that legal, PR and the board members require - it should be the primary deliverable from which all other work is derived.
Expect to receive constant requests for updated status, but don't let updating too often get in the way of work. Do not be afraid to push back and give yourself time to report more accurate findings. Make it clear that you can either deliver inaccurate information now, or accurate information in another hour. Your job at this point is to enable informed executive decisions, so set clear expectations that this is your goal.
No matter what field you work in, during times of crisis you will see everyone's true colours brought forth, not least of which will be your own. Things are going to get a little crazy: requests become orders and niceties fall by the wayside. In times of crisis, sanity becomes more important than pleasantries.
If public disclosure of your breach is required, know that it is a double-edged sword. You may well experience great catharsis in knowing that the truth is finally out there, but you must come to terms beforehand with the fact that the PR spin engine will be operating at full pace and you will be under a mountain of non-disclosure.
As the long hours and sleepless nights count up, remember that there is an end and life will return to normal once more. Handling a corporate breach is likely to be one of the most intense moments of your security career; you wouldn't be faulted for wondering if it's time for a career change because of it.
Remember, however, that in the world of incident response, there are two types of people - those that have been through a major breach, and those that haven't. Your employer will, in all likelihood, continue to remain in business and you will continue to remain employed.
It is an accepted truth that all organisations will be breached at some point - what is important is how you handle it. Manage the stress, try not to say anything you can't take back and realise that you are going to come out of this with experience that you can't learn in any lab or simulated exercise.
Conrad Constantine is a research team engineer at AlienVault.