Man, I’m not trying to sales pitch or anything, but if you don’t have an actually functioning basic IRP, BCP, and IR retainer (or ready to go internal IR team), the best time was a month ago but the second best time is now.
22
79
10
482
Replying to @hacks4pancakes
IR retainers may not be sufficient if your external IR firm is already oversubscribed.

Mar 21, 2022 · 9:19 PM UTC

4
5
22
Replying to @hal_pomeranz @MichaelFazely @hacks4pancakes
It's also about how you use the retainer. During my time, I've seen too many managers deploy the retainer simply because their team had already left the parking lot for the day, sending DFIR analysts on-site for operational but not security-related incidents. 1/
2
Be careful how your retainer agreement is crafted. The SOW should be clear about exactly what kind of work can be performed under the retainer.
1
2
more replies
Replying to @hal_pomeranz @strandjs @hacks4pancakes
Yes. Retainers are absolutely tricky from a business standpoint. Often, the company is either losing money by having people on the bench, or, over subscribing and burning people out. Balance is tough.
Replying to @hal_pomeranz @hacks4pancakes
Hopefully the firms are partnering with other service providers to prepare for situations like that. There's enough to go around.