COMPANION · BY TEAM SIZE
By team
size.
Three playbooks for adopting IR 2.0 — small, medium, large. Same framework, different cadence.
Team size determines the order, not the destination. The path to Run looks very different in week one depending on whether you have one IT person or fifty.
PLAYBOOK · 01
Small.
3 — 10 people. One security person, sometimes none.
StartThis week
- Write the One-Pager IR plan. Print it. Tape it above the on-call laptop.
- Document the 3 AM call tree with current contacts. Test it.
- Deploy the Big-3 controls — MFA on admin/remote, EDR everywhere, immutable backups.
- Run the cyber-insurance readiness self-assessment. Capture your baseline and gap list.
- Stay at Reversibility Score 1–2. Don't automate what you can't safely roll back.
- Pick one Top-10 Playbook. Run it once on a Friday.
PILLAR OWNERSFounder · CTO · MSP partner
PLAYBOOK · 02
Medium.
10 — 50 people. Dedicated SecOps, no formal IR program yet.
Crawl30 days
- Complete Crawl in 30 days — finish all six Small steps as a tracked milestone.
- Assign a named owner per pillar. Decision rights go on the org chart.
- Target 2–3 Packs per quarter. Schedule the next four.
- Run the first tabletop in week 6. Blameless post-mortem in week 7.
- Begin RS-3 experiments — semi-automated containment with human approval.
- Stand up the KPI dashboard. MTTD, MTTR, drill pass rate, evidence freshness.
PILLAR OWNERSCISO · SecOps lead · IT lead · People ops
PLAYBOOK · 03
Large.
50+ people. Existing IR program, multi-region, audited.
Walk60 days
- Form a named IR 2.0 program team. Charter, RACI, weekly steering.
- Run divisional pilots. Two business units in parallel beats one big-bang rollout.
- Deploy the Common Controls Backbone (CCB) immediately — collapse audit duplication.
- Map the full automation roadmap RS-2 → RS-5. Gate each step on rollback proof.
- Integrate with insurance & legal early. Track premium movement as a Run-tier external signal.
- Publish quarterly Field Reports back to the framework. Govern the Pack catalog you ship internally.
PILLAR OWNERSCISO · Resilience lead · Automation eng · L&D
CHECKLIST · WEEK 1
Starter Kit.
Seven actions a 3-person team can finish this week — no new tooling required. Each maps to a Pack you can go deeper on later.
- Download & customize the One-Pager IR template. Names, numbers, vendor escalation paths.STARTER PACK
- Document your 3 AM call tree with current contacts. Send a test page.STARTER PACK
- Verify Big-3 controls: MFA (admin/remote), EDR (everywhere), backups (immutable, tested restore).STARTER PACK
- Write your first Calm-Loop script — start with endpoint quarantine + identity revoke.PLAYBOOKS (v0.2)
- Create the evidence folder in your ticketing system. One folder per incident class.STARTER PACK
- Run the cyber-insurance readiness assessment. Capture the baseline score and the gap list.STARTER PACK
- Schedule a recurring 30-minute review. Same time every month. Standing agenda.STARTER PACK
| Team size | Crawl complete | Walk complete | Run target | Owner pattern |
|---|---|---|---|---|
| Small · 3–10 | 30 days | 90 days | Sustained state | Founder + MSP. Lean on managed EDR + MDR. |
| Medium · 10–50 | 14 days | 90 days | Sustained state | Named pillar owners. SecOps + IT + People split. |
| Large · 50+ | CCB-first, 14 days | 60 days | Sustained state | Program team, divisional pilots, weekly steering. |