Who owns Communication in Network vs. Security Incidents? Best Practices & RACI Guidance Needed

In many organizations, Network and Security teams both play a role in incident response, especially when firewall or SASE issues impact network performance. When an issue is first diagnosed by the Network team but determined to be security-related, who should own the ongoing communication, resolution updates, and root cause reporting?

I’d love to hear from the community:
• Are there best practices, ITIL/ITSM frameworks, or RACI models that clarify ownership?
• How does your organization handle communication handoffs between Network and Security teams?
I've run into this before, especially when firewall or SASE issues blur the lines between Network and Security teams.
In my experience, clearly defining responsibilities upfront using a RACI makes a huge difference. Once the issue is confirmed as security-related, the Security team becomes accountable and should own all ongoing communication, resolution updates, and RCA reporting. You'll find that ITIL/ITSM frameworks will reinforce this by emphasizing communication handoffs and having structured responsibilities. What I've found most helpful is assigning a single point of contact to bring consistency and clarity in updates. You can up it a notch by having regular exercises and training between Network and Security teams to track the handoffs.

We have a Major Incident Management team that coordinates these responses when the incident involves outages or significant impacts to our top-tier applications. For lower-level incidents, Security tends to file the incident, and Network resolves it, but that's a convention, not a policy.