Man, I’m not trying to sales pitch or anything, but if you don’t have an actually functioning basic IRP, BCP, and IR retainer (or ready-to-go internal IR team), the best time was a month ago, but the second-best time is now.
It's also about how you use the retainer. During my time, I've seen too many managers deploy the retainer simply because their team had already left the parking lot for the day, sending DFIR analysts on-site for operational but not security-related incidents.
Yes. Retainers are absolutely tricky from a business standpoint. Often, the company is either losing money by having people on the bench or oversubscribing and burning people out. Balance is tough.