No matter the size of your organisation, having an incident response plan in place is pivotal. Below, we offer advice on how to choose an incident response supplier.
An incident response supplier is a third-party organisation that manages some – or all – of an organisation’s incident response capabilities. Whether a multi-national organisation or a start-up, all companies need to have an incident response plan and resources proportionate to the security risks they face. Having specialist resources in house can be a challenge, thus outsourced incident responses specialists exist to help fill the skills and resources gap.
Companies can choose to outsource the entirety of the incident response function or choose to seek assistance with specific areas like forensic analysis, root cause identification, malware eradication and even external communications. Companies can find it challenging to identify and procure trusted third parties for incident response in a crowded market. Given the gravity of this function, organisations must choose reputable, expert providers.
Why is cyber incident response important?
The primary purpose of cyber security incident response is to ensure an organisation contains, eradicates and recovers from a security incident quickly and with as little impact as possible. A thorough, well-orchestrated incident response plan helps companies restore their systems, networks, and connectivity as promptly as possible. It also assists organisations in improving their resilience by ensuring the vulnerabilities exploited in attacks are mitigated to reduce the chance of further exploits.
Companies need to have some incident response capability – be it an internal, outsourced or a hybrid of both. An effective incident response function consists of suitably qualified and experienced people and well-defined, documented processes, as highlighted in our guide to incident response.
We advise reviewing your incident response capabilities to determine your level of maturity. By understanding your current state of readiness, and where any gaps are, you can confidently decide what parts of incident response need outsourcing or external advice. To help with this, CREST has created a dedicated tool for measuring the maturity of internal incident response capabilities.
Why should I outsource incident response?
Over the last year, the National Cyber Security Centre (“NCSC”) reported a record rise in attempted cyber intrusions, whereby malicious actors attempted to break into public and private infrastructure to steal sensitive data or cause disruption. Despite the increasing prominence of such instances, many organisations are not adequately prepared to deal with cyber security incidents.
By definition, incident response is a formal, planned approach to addressing and managing the mitigation of violations of security policies and recommended practices. An incident response plan aims to reduce the damage caused by an incident and restore operations to business as usual as soon as possible.
The most successful ‘response’ is built on planning, preparation, agreeing on an operational approach to follow, rehearsing and improving that process over time. However, many organisations do not have the budget, resources and internal expertise to build a robust incident response plan.
Even for large, multi-national organisations – with a dedicated security operations centre (“SOC”) – managing a sophisticated cyber-attack can be challenging. This is why many companies choose to outsource at least some of their security incident response capability.
Utilising third-party experts for incident response can help organisations handle security incidents better, enabling access to dedicated specialists who understand how to perform incident response effectively and swiftly.
Technical incident response expertise is sought from external specialists typically forensic investigation, intrusion analysis, malware investigation, root cause determination and mitigation support covering containment and eradication activities. Non-technical incident response services can include internal crisis communications, external public relations services and legal/regulatory support around breach notification.
Below, we’ll define a process that will assist you with choosing a reputable incident response supplier or suppliers.
How to start with outsourcing incident response
There is no one way to outsource incident response. Organisations can choose, for example, to employ a third-party expert to join their team or purchase a managed security monitoring and response service. Other options include working with a third party to help build and establish an internal incident response function or agreeing to a contract with a supplier for particular incident response capabilities.
The option you choose will depend on your internal incident response capabilities. Organisations with robust security practices, for example, may find they can handle some of the incident response processes in house to save costs. Once you have reviewed your internal capabilities, you can determine what external services you require.
To do this, we advise creating a document that highlights the capabilities to be retained in-house and which need to be outsourced. Creating this document aims to ensure potential suppliers can meet your exact needs – be it identification of security incidents, containment, eradication or an end-to-end incident response service.
While you draw up this document, we also advise you to consider some crucial factors, namely:
– The costs you are willing to pay for outsourcing these services
– The location of the service provider – and whether they provide remote and onsite support
– The specific roles and responsibilities you would like to outsource
– Your expectations of how the supplier will collaborate and coordinate with internal incident responders if any
– Your expectations or response times in the event of an incident
Some of these requirements will likely change as you evaluate potential suppliers, but it is good to begin with a foundation idea of what you are looking for to guide the process.
What to look for in a technical incident response supplier
There are many technical incident response suppliers out there. However, not all services are created equal. Given the criticality and sensitivity of incident response activities, you need to be confident you have chosen a reputable, trustworthy and effective supplier.
While some outsourced incident response services with a low price tag may be tempting, this does not mean they necessarily provide value for money. Indeed, many low-cost services will not give you access to certified, professional staff with the experience necessary to respond to sophisticated security incidents.
As CREST notes in its guide to incident response procurement, you should look for the following qualities in an incident response supplier:
- Solid reputation, history and ethics
- High quality, value-for-money services
- Research and development capability
- Highly competent, technical investigators
- Security and risk management
- Strong professional accreditation and complaint process
Narrowing down your incident response supplier shortlist
With these criteria in mind, you can begin evaluating suppliers to create a shortlist of potential providers. Look for providers who can tailor their service offerings to your organisation’s unique needs, rather than companies that provide blanket surfaces with little customisation.
As you evaluate suppliers, you will find many providers offering other cyber security services that could be useful for your organisation. For example, at evalian®, our incident response table-top exercises complement our outsourced CISO services, enabling you to effectively improve your internal incident response capabilities while giving you access to a trusted security expert who can spearhead incident response.
Shortlisting suppliers is somewhat like an interview process. A good candidate organisation should give you a presentation of their services, be able to present you with examples of successful incident response investigations they have led and have a documented methodology they can share with you.
Appoint your supplier
At the end of this process, you should have identified a supplier – or multiple suppliers – whom you would like to employ for incident response. At this stage, you can formally appoint this supplier. This should involve the creation of a detailed contract, featuring a scope of work, agreed terms regarding precisely what the supplier will assist your organisation with, along with defined costs and timelines – which may change in line with the level of support needed to respond to an incident.
If you need guidance on your incident response approach, we can help. We can assist with incident response assessment, planning and facilitate cyber incident response exercises. Through these services, we can help you identify what outsourced services you need and work with you to identify suitable suppliers for technical and non-technical incident response services.