The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 is now live! This is the first evaluation of cybersecurity incident response service (CIRS) providers we’ve published since March of 2019.

Remember 2019? Ah, those halcyon pre-pandemic days … back when most of us were traveling freely, meeting in person, blissfully unfamiliar with the challenges of remote learning for elementary school students, before little wisps of gray hair appeared around my temples … and, of course, before ransomware grew rapidly into the scourge it is today.

The major increase in destructive ransomware attacks started just months later with the rise of ransomware as a service and, it would seem, culminated in 2021 with a 105% increase in attacks over 2020 and a barrage of high-profile supply chain attacks (for more on the state of ransomware, check out this report). Companies found themselves ill prepared to respond to these debilitating attacks and, to avoid further business and customer disruption, resorted to paying their attackers. And let’s not forget that many firms were also being hit with business email compromise and targeted attacks, too, resulting in massive financial and reputational losses.

Responding To Change

The general process for responding to and investigating an incident hasn’t changed dramatically since March of 2019, but what CIRS providers must offer to assist customers before and after a breach certainly has — as has the broader ecosystem of parties with whom they must collaborate. In addition to providing a baseline of top digital forensics and incident response tools and talent, CIRS providers should now offer capabilities to enable:

  • Preparedness. Just having an incident response plan and a set of playbooks is no longer enough. That plan and those playbooks must be put to the test regularly and refined to keep up with evolving threats. Your CIRS provider should map out incident-response retainer hours to review and revise plans, train first responders, conduct technical tabletop exercises, and simulate the real stress of a cybersecurity crisis with executives.
  • Litigation awareness. Not only should your CIRS provider be well versed in the cybersecurity and privacy regulations in the regions in which you operate, it must also ensure that the right agreements are in place between itself, your organization, and your outside counsel to protect all parties throughout the incident-response lifecycle should litigation arise from a breach.
  • Recovery. Many CIRS providers offer in-house capabilities or partnerships for environment recovery as well as options for ongoing relationships that include managed detection and response services to ensure that attackers don’t regain entry. Other firms may assist with executive buy-in for efforts to improve overall security posture, and still others may provide expertise in navigating the customer breach notification process and capabilities to handle incoming customer inquiries.
  • Continued insurability. Incident readiness, response, and insurability now go hand in hand. CIRS providers are now developing relationships with insurance carriers that go beyond standard panel participation to include initial readiness assessments as part of the underwriting process and the delivery of ongoing security posture monitoring data to both brokers and carriers to determine premiums and coverage levels during policy renewal.

What’s In Your Retainer?

Is your cybersecurity incident response service provider ready to meet the challenges of 2022 and beyond? Does it offer services to support you from preparation through restoration? Reach out to me to discuss your needs and the providers in our latest Forrester Wave™ evaluation — or those included in our broader Now Tech overview of the incident response services market.