Skip to Content

Security Careers: A Day in the Life of a CSIRT

Illustration of team working on security // Security Careers: A Day in the Life of a CSIRT
Cybersecurity involves many different types of risk and detection. [Adobe]

How do you start a career in incident response? Explore how one Salesforce CSIRT gets the job done

Like many cybersecurity professionals, my love for computers started when I was just a kid. I remember learning my first DOS commands to run games and navigate directories, curious about what else was in there — “there” being the operating system, but also the hardware itself — and wondering how it worked. My curiosity exploded with the arrival of our first dial-up connection and the possibility of looking for information online and teaching myself.

During high school, I was learning a couple of programming languages and networking. Until one day, a senior student approached me and gave me a CD of games that I unsuccessfully tried to run on my computer. A couple of days later while chatting with friends online, my computer started to act crazy. The CD player opening and closing, wallpaper changing, and suddenly a text box popped up with a message from him.

At the time, I did not correlate the occurrences because I was not even aware that malware could be installed to do that. I was impressed and wanted to understand how that worked, so I started focusing on the security aspect of computers.

After graduating, I worked as a network admin and then a system admin, before actually jumping into my first cybersecurity analyst job. Then I worked in a security operation center for many years before finally joining Salesforce as an Incident Responder for the CSIRT — our Cyber Security Incident Response Team.

As you might suspect, cybersecurity involves many different types of risk and detection. So, what exactly qualifies as an incident and how do we respond? 

Want to start skilling up on the latest in cybersecurity?

Check out the Cybersecurity Learning Hub, where you can earn resume-worthy credentials, explore guided learning paths, hear from more security professionals, and connect with the cybersecurity community at large.

Heads up, this is going to get a bit technical.

Starting at the top, Salesforce defines an information security incident as a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data transmitted, stored or otherwise processed by Salesforce and its third parties.

And basically, CSIRT is responsible for around-the-clock detection, escalation, and response to these information security incidents. Sounds simple enough, right? Well, there’s a lot that goes into it and we certainly couldn’t do it alone!

CSIRT collaborates closely with teams across the globe to achieve our vision of being the leading cloud provider security response center and providing a world-class response capability. It’s really about upholding trust as Salesforce’s #1 core value. To do this, we operate using a worldwide follow-the-sun service model. Regional teams across different time zones (e.g., Asia, Europe, the Americas) hand off work at the end of their workday, providing support 24x7x365.

Never underestimate the importance of being prepared.

As a provider of essential services to many of the world’s biggest and most critical businesses, governments, and organizations, Salesforce builds security into everything we do. That includes  building a culture of trust and security across the organization, educating users on what to look out for, and being prepared to respond rapidly in the event that any incidents pop up.

We take a defense-in-depth approach to security. Which is another way of saying we try to limit the possibility of any single point of failure by building in a layered approach of technology, process, and people. But in case something does happen, we have more than 1,400 security professionals and dozens of state-of-the-art security tools, processes and approaches to prevent, detect and respond to any security threat. 

Our team isn’t just about tools and technology, though. In fact, some of the most important skills a CSIRT team member can bring to the table have more to do with communication, problem solving, and organization than anything else! In my role as an Incident Responder, my day typically kicks off with a hand-off meeting, where regional teams review any relevant incidents and set up the next team for success. Making sure that everyone has all the information they need helps alleviate silos and enable better decision making as situations unfold.

Teamwork makes the dream work!

Now, let’s just say we learn about a brand new incident during our shift. The first step — whether it’s been reported by a human or detected by a system — is triage, which involves classifying and prioritizing the event. Then, if an event is classified as an incident, a category and severity is assigned. 

From there, an Incident Manager or Commander — responsible for creating and leading response strategy, managing operations, and delegating activities to a group of Incident Responders — develops a plan. They’ll then assign one or more Incident Responders to investigate, contain, and remediate.

As an Incident Responder, I am responsible for conducting the technical analysis and investigations in response to incidents. It’s my job to search for answers to numerous questions: What happened? When did it happen? Who is impacted? Who or what caused the incident? Where (physically or virtually) did it happen? And how did this happen? 

This last piece is the start of the post-incident activities, where a root-cause analysis is done to identify and uncover the source of the incident. During any given investigation, my day might involve host and network forensics, log analysis (terabytes or even petabytes of data), malware research, and working with many stakeholders collaboratively. And at the end of the shift, it’s another handoff meeting so that the next region can continue the process!

Is it high pressure? Occasionally. Challenging? In a good way! Technical? You bet. Continual training is essential to stay current in the cybersecurity workforce and this field offers many opportunities to stay up-to-date.

My personal path includes diverse certifications (CCNA, CCNA Security, ISACA CISM, EC-Council CEH, (ISC)2, CISSP, CSA CCSK), various courses and self-studying materials (videos, books), news feeds, podcasts and attending conferences. It’s a non-stop learning journey and I am still navigating it through a Masters degree in Cybersecurity and the SANS SEC504 course (+ GIAC GCIH certification, I hope!).

Start your cyber career

Want to start skilling up on the latest in cybersecurity? Check out the Cybersecurity Learning Hub, where you can earn resume-worthy credentials, explore guided learning paths, hear from more security professionals, and connect with the cybersecurity community at large. 

At Salesforce, we’re dedicated to building a workforce that reflects the diverse communities we serve and where everyone feels empowered to bring their full, authentic selves to work. Our values aren’t just words on a page — we learn to live them every day, measure our success, and continuously evolve. Together, we’re on a mission to improve the state of the world. 

Want to be part of this amazing team? Join us, we are looking for passionate people like you!

Learn the security best practices

Get the latest articles in your inbox.