Man, I’m not trying to sales pitch or anything, but if you don’t have an actually functioning basic IRP, BCP, and IR retainer (or ready to go internal IR team), the best time was a month ago but the second best time is now.
IR retainers may not be sufficient if your external IR firm is already oversubscribed.
It's also about how you use the retainer. During my time, I've seen too many managers deploy the retainer simply because their team had already left the parking lot for the day, sending DFIR analysts on-site for operational but not security-related incidents. 1/
Be careful how your retainer agreement is crafted. The SOW should be clear about exactly what kind of work can be performed under the retainer.

Mar 23, 2022 · 7:33 PM UTC

Oh, agreed. But if you're on the consulting side and follow a utilization model, there may not be much of an option. When I worked for IBM, we had a customer who would declare an incident for...anything and everything.