decrypting myths
analyst, 20% to find specialists that can
respond to attack and 13% can’t find
threat hunters.
Another issue is employee retention.
Specialists know they are in demand and
can easily switch to a rival organisation
if offered a higher salary. Because of
these factors, it’s increasingly hard for
companies to employ a team internally
that can conduct the entire IR process.
Choosing suitable outsourcers
Choosing a contractor is also not a trivial
task. To be effective, an outsourced
team should cover all the important
competencies of IR; namely threat
research, malware analysis and digital
forensics. It’s important that outsourcers
have vendor-neutral certificates to
prove a skill base. Also, ask about their
experience in the role. The more
customers they work for across a variety
of industries, the greater the chance that
they regularly come across typical incidents
and can find similarities in seemingly
different cases.
For companies in strictly regulated
industries, there may be additional
restrictions when selecting outsourced
responders. These companies will, therefore, only
be allowed to choose from incident
responders that meet specific
compliance requirements.
Cost of incident response
Establishing in-house IR is costly. The
organisation needs to pay a salary
to full-time employees with rare and
expensive skills. It also needs to
purchase solutions and services (threat
intelligence) required for threat hunting,
data analysis and attack remediation.
However, the average cost of
experiencing a data breach globally is
increasing as well – with breaches now
amounting to US$1.23 million on average
for enterprises (up 24% from US$992,000
in 2017). With the cost of IT incidents on
the rise, businesses are realising that they
have to prioritise cybersecurity spending.
Some organisations find a flexible
outsourcing model more cost-effective, as
it allows them to pay only for the service
received. However, for enterprises that
deal with numerous incidents, having IR
in-house is a must. Nonetheless, they can
still find a more cost-effective model when
they employ first-level responders. This
internal team should be able to analyse
the incident first and either handle it
according to procedures or escalate to
external experts.
Synergy with IT department
When an incident happens, the IT team
may choose to shut down infected
machines to reduce the impact. However,
Issue 16 | www.intelligentciso.com