Using the ‘Rapid, Effective, Expert’ model when evaluating incident response retainers

07 January 2019

Cyber security incidents are on the rise; in the last 12 months a reported 72% of large businesses (and 63% of medium businesses) in the UK experienced cyber security breaches or attacks. Unfortunately, the cyber security skills gap is similarly a real threat, presenting a major challenge for organisations looking for the right expertise to defend themselves.

As such, many organisations are turning to incident response retainer services to ensure that they have access to digital forensics and incident response expertise and experience when it is required. As the market expands, it’s important to remember three core qualities to look for when choosing your provider:

  • Rapid: Your incident response retainer provider must be on hand 24/7 and be able to rapidly respond in the event of an incident, providing both remote and on-site support. This response time should be formally agreed as an service level agreement (SLA). Remote support should be accessible within a matter of hours (with the technology to support this), and on-site support shortly after. Consider the location of your provider’s staff relative to yours, and any administrative tasks that can be performed in advance to allow your retainer provider access to sites during both working and non-working hours.
  • Effective: A rapid response is irrelevant if it is ineffective; your incident response retainer provider must be able to hit the ground running. This means working alongside your internal teams and leveraging the right set of tools to identify the nature of the breach and its associated risks, contain and eradicate the threat, and recover to business as usual. Doing so effectively requires an up-to-date understanding of your organisation, business priorities, IT environment, and service providers.
  • Expert: Your incident response retainer provider must be able to provide the expertise and experience needed in a crisis, able to work equally with your executive board as with your first responders and technical teams. Consider organisational accreditations, such as membership of the National Cyber Security Centre’s CIR scheme, or CREST’s CSIR scheme, as well as analyst reporting (for example, Forrester’s Digital Forensics and Incident Response service providers report1) and peer recommendations. Also consider conflicts of interest: you may want an incident response retainer provider to be independent from other managed IT service or SOC providers when serious issues need to be dealt with.

Ensuring you evaluate incident response retainers with these three qualities in mind will prove integral to minimising the impact of a cyber incident when you need to call in support.

The ‘rapid, effective, expert’ model is also a key indicator that your incident response provider is able to support your organisation throughout the entire incident lifecycle (incident readiness, response and recovery), providing technical expertise coupled with business insight. While many incident response service providers focus on technology, consider the other services that you may need to call on in the event of an incident: cyber security and data protection legal advice, crisis management and communications, regulatory relations, data analytics, threat intelligence, threat detection, and more.

1 The Forrester Wave™: Digital Forensics And Incident Response Service Providers, Q3 2017

Gabriel Currie

Gabriel Currie | Incident Response - Manager
Profile | Email | +44 (0) 7802 658 893



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.