Context is important, but how you get that context is equally important. You need the right information so that in the first minutes of an incident you can make well-informed decisions without information overload. Large organizations (e.g., Microsoft, Google, Palo Alto, Cisco) share a wealth of information via regular bulletins, including indicators of compromise. That information, however, is only useful if your organization is positioned to generate logs that analysts can actually navigate.
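The point about bulletins only being useful when your own logs are navigable is easy to make concrete. The following is an added example, not code from the original article: a vendor-style IoC list is matched against a handful of log lines. The feed layout, the key=value log format and every value in both are constructed for this illustration (TEST-NET addresses, `.example` domains, a filler hash), not taken from any real bulletin.

```python
"""Match published indicators of compromise (IoCs) against local logs.

Added example, not from the original article. The IoC feed and the log
lines are constructed; the feed keys and the key=value log layout are
assumptions for this example, not any vendor's real schema.
"""
import re
from dataclasses import dataclass

# Constructed IoC feed, loosely modelled on what a vendor bulletin carries.
IOC_FEED = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},              # TEST-NET ranges
    "domain": {"update-checker.example", "cdn-sync.example"},
    "sha256": {"deadbeef" * 8},                              # filler hash
}

# Constructed log lines. A SIEM that gives you parsed fields like these is
# exactly what "logs analysts can navigate" means; raw, unparsed text is not.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:02:11Z host=ws-041 event=dns query=update-checker.example",
    "ts=2024-05-01T10:02:12Z host=ws-041 event=conn dst=198.51.100.23 dport=443",
    "ts=2024-05-01T10:05:40Z host=srv-db1 event=conn dst=10.0.5.12 dport=5432",
    "ts=2024-05-01T10:07:03Z host=ws-041 event=file sha256=" + "deadbeef" * 8,
    "ts=2024-05-01T10:09:15Z host=ws-017 event=dns query=intranet.corp.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    ioc_type: str
    value: str


def parse_line(line: str) -> dict:
    """Turn a key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def match_iocs(lines, feed=IOC_FEED):
    """Return a Hit for every log field that matches an indicator in the feed.

    Values are normalised (lower-case, trailing dot stripped) before lookup so
    that cosmetic differences between the bulletin and the log do not hide a match.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        ts, host = rec.get("ts", "?"), rec.get("host", "?")
        for field in ("dst", "src"):
            if rec.get(field) in feed["ipv4"]:
                hits.append(Hit(ts, host, "ipv4", rec[field]))
        query = rec.get("query", "").lower().rstrip(".")
        if query in feed["domain"]:
            hits.append(Hit(ts, host, "domain", query))
        digest = rec.get("sha256", "").lower()
        if digest in feed["sha256"]:
            hits.append(Hit(ts, host, "sha256", digest))
    return hits


def hosts_by_hit_count(hits):
    """Rank hosts by number of IoC matches: a first-minutes triage view."""
    counts = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.host} {h.ioc_type}={h.value}")
    print(hosts_by_hit_count(found))
```

Three of the five constructed lines match, all on one host, which is the kind of compact answer an analyst needs early in an incident. Note that nothing here works unless the DNS query, destination address and file hash were logged as distinct fields in the first place; a bulletin cannot be matched against data that was never collected or never parsed.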
In terms of business continuity, you also need data that helps you understand which parts of the organization are mission critical. As a cybersecurity professional, I can find it easy to say, “Shut it down” when I see an attacker about to jump to another network. But if that part of the network is critical infrastructure powering hospitals, that becomes a very different conversation.
These decisions should not be made in isolation; they must include all stakeholders so that everyone understands the business consequences of shutting something down, the impact it will have, and how that impact will domino through the organization. The secondary, unintended consequences could be more damaging to the organization, in dollar-loss terms, than the underlying cybersecurity threat itself.