Tips to Clear Up Confusion Around Incident Response Services, Claims and Offers

Benjamin Franklin said, “By failing to prepare, you are preparing to fail.” When it comes to incident response services, preparation can be challenging. Dozens of incident response (IR) providers – security product companies, consultancy firms, cloud providers and managed security services providers (MSSPs) – offer different flavors of IR, with different quality, pricing, tools and expertise. It’s not surprising that buyers are confused about what they’re getting. Free and unlimited offers further muddy the waters.

Recent research underscores the importance of expediting incident response actions and mitigating potential damage:

  • The average cost of a mega breach was $401 million for breaches between 50 million and 65 million records.
  • The average total cost of a ransomware breach was $4.62 million.
  • Lost business represented the largest share (38%) of breach costs, at an average total cost of $1.59 million.

Deciphering Incident Response Definitions, Claims and Offers

Let’s make it easier for you to evaluate the breadth and depth of IR services by exploring three important yet potentially obscure aspects of IR.

  1. Free and/or unlimited offers. These offers aren’t always clearly defined. Ask prospective providers to explain which specific services are delivered by whom and when. Confirm whether any restrictions apply. Most important, verify they are in the same service tier specified in your retainer. Also be sure your retainer clearly spells out which services are included, the provider’s responsibilities and your responsibilities.
  2. Scope of visibility. You can’t stop threats you can’t see. Visibility throughout your environment is critical to shorten detection and response times. The visibility of security product companies typically is limited to the products they support – firewalls, endpoints, networks and so on. An MSSP that monitors your entire environment sees everything, including cloud and SaaS, and can gather, correlate and act on real-time threat intelligence. In any conversation about visibility, find out how it is defined.
  3. Digital forensics. When forensics are required during an incident or breach, you want experienced, skilled people doing the work accurately. The legal, criminal and public relations stakes are high. Ask providers about their digital forensics experts and tenure, the type and scope of incidents on which they’ve worked and their procedures for maintaining chain of custody.

Other IR discussion topics include incident readiness, at-scale response, communications and unused retainer dollars. Additionally, find out where IR services land on the spectrum from basic response to comprehensive, holistic response and how they align with your requirements. All of these topics are covered in “8 Questions That Cut Through the Lingo of Cybersecurity Incident Response,” which provides a list of questions helpful for navigating the confusion surrounding IR.

About Incident Response Standards

Learn more about IR nuances by exploring resources such as NIST, ISO, HIPAA and the Cybersecurity Maturity Model Certification. It’s safe to assume that governments and industries will tighten up IR and create more stringent reporting requirements. Incident response providers incorporate industry standards into their offerings in different ways. Some are better positioned than others to adapt to new policies and procedures.

If you want to talk about IR best practices, contact us. We’ll focus on your requirements, risk tolerance, security maturity and other aspects of customized incident response services.


[1] Ponemon, Cost of a Data Breach Report, 2021.
