Last week, we released the Forrester Now Tech: Cybersecurity Incident Response Services, Q4 2021. This research provides a comprehensive overview of the service provider landscape. In the report, we define and describe the vendor segments and then classify each of the 36 vendors into the appropriate segment based on functionality. We also provide information on key industries the vendors support and any reference customers they can share publicly.

I spoke with many security leaders, attorneys, cyber insurance carriers, and incident response (IR) providers in research interviews related to incident response and its ecosystem of external partners, and what struck me most was the lack of preselected and onboarded partners in place before an attack. Yes, it’s possible to select an IR provider, outside counsel, ransomware negotiation and payment provider, and even a communications firm from your cyber insurance carrier’s panels when you need them — but it’s not wise.

The multifaceted devastation wrought by ransomware and business email compromise attacks can be mitigated with a strong incident response program in place, with well-assessed and stress-tested IR plans and carefully orchestrated and rehearsed breach scenarios.1 To do this, you need to spend time with your partners and provide them with a detailed understanding of your environment, your data, and your executives. For cybersecurity incident response services (CIRS), consider the following as you evaluate providers:

  • Pick a CIRS provider and establish a retainer and key contacts before a breach. If you have a trusted IR services firm, work with your carrier to write them into your policy if they’re not already on the carrier’s panel. Otherwise, you may have to switch providers mid-attack, losing precious time and insights in the handoff.
  • Honestly and objectively assess your current state of readiness for an attack. Select a CIRS provider that will partner with you to take your IR program to the next level of maturity — whether that’s starting from square one with a program assessment or challenging a seasoned crisis management team with a sophisticated breach scenario in a state-of-the-art cyber range. As your IR program matures, a different provider may be a better fit, so be sure to assess their capabilities against program maturity annually.
  • Hold ransomware-specific tabletop exercises quarterly. You should be doing this at the technical and executive level several times a year (in addition to other common breach scenarios) to iron out process wrinkles and gauge your preparedness as it relates to the decision to pay or not pay a ransom. Select a CIRS provider with the capabilities and capacity to facilitate these drills, perhaps alongside outside counsel.

I’m currently evaluating several of the 36 providers included in this Now Tech and will publish the results in a Forrester Wave™ evaluation in the first quarter of next year. Stay tuned, stay safe, and support each other as we prepare for another volatile year in cybersecurity.

1. Obviously, there’s much more you need in place. See The Ransomware Survival Guide and Best Practices: Phishing Prevention for more on ransomware and business email compromise, respectively.