Zen and the Art of Incident Response Retainers
As I start to write this, I think back to a mixed-martial-arts fight I was watching a few months ago. The two fighters were both dancing around, and nothing was really happening, and then at some point, one guy in the crowd yells, “BORING!” – and everyone burst into laughter.
So, yea, I know I’m writing about Incident Response (IR) Retainers. But stick with me. I promise it won’t be boring. And it shouldn’t be funny.
If you only do ONE thing to improve your security program this year, it should be an IR Retainer. And they’re not all the same…
1. When the stuff hits the fan, it usually hits in lots of places at the same time. The reason you want a retainer is to make sure you have a “ticket to the front of the line” when nasty cyber security things happen. The number of zero-day vulnerabilities (a flaw in hardware or software that bad-guys can use to attack your organization because the developer didn’t know the flaw existed, and so hasn’t had a chance to develop a patch yet) skyrocketed in 2021, more than doubling the previous record set in 2019. Many of those zero-days (like Log4j) were difficult to discover, especially difficult to patch, and they affected/exposed thousands of organizations at the same time. Make sure you have a fast-pass to a robust IR team.
2. Free isn’t good. As my dad used to tell me, “Puppies are free, too.” The problem with “free” retainers is that the language in the retainer is usually only “best effort”. So, when you’re having the worst day of your cyber security life, you call your “partner” to come to the rescue, and they tell you they’re busy right now – that’s not really having a retainer. A real IR retainer has very specific response times documented. Don’t get fooled into something less, or it can really cost you.
3. Make sure the IR team attached to the retainer has lots of current experience, and that they know a lot about the bad-guys. There are “security” companies coming out of the woodwork right now. Make sure your IR Retainer is with someone who has done HUNDREDS of actual incident response engagements. Also important: they’ve done IRs recently, and the team has deep cyber threat intelligence roots. That way you know you’re getting responders who have the most up-to-date exposure to the ugliest attacks and who understand the world’s cyber-thugs (and their associated tactics, techniques, and procedures). With that kind of experience on your side, you’ll recover faster (up to 5x reduction in time, and 10x reduction in cost) and get back to taking care of patients and families sooner.
4. Cyber liability insurance is NOT an Incident Response Retainer. Your cyber liability insurance company doesn’t provide an IR Retainer. But they do have a list (“panel”) of IR companies they’d prefer you use should you need one. That is NOT the same as having an actual retainer. Make sure that WHEN you get an IR Retainer, the company you choose is on your insurance company’s panel. That way, when you need to file a claim for using the retainer, you’re covered.
5. You’ll have to pay for a real IR Retainer. But it’s totally worth it. IR Retainers guarantee response time, and SPEED is the currency of modern cybersecurity. Should you NOT have an incident, your retainer should give you the option to use those dollars to improve your program in other ways, meaning there’s zero waste. You’ll be able to put your payment against things like professionally managed tabletop exercises, penetration testing, or a compromise assessment. All of these give you and your team insights on the latest real-world breach scenarios, making you better at one of the world’s toughest jobs.
Bottom Line: Get in front of this challenge. Be prepared. Having an IR Retainer puts you in the best possible position to recover quickly should you have an incident/breach. It also gives you incredible insight on how to improve your existing security posture by leveraging the intelligence-led security services attached to the retainer.
----------
Drex DeFord has broad experience as a thirty-plus year senior healthcare executive, including a "first" career as US Air Force officer (hospital administrator/CIO), culminating as Chief Technology Officer for Air Force Health’s World-Wide Operations. He also served as CIO at Scripps Health, Seattle Children’s, and Steward Healthcare. He’s Past-Chair of CHIME’s Board of Trustees, and has served on the HIMSS National Board. Over the past several years -- as an independent consultant (and “Recovering-CIO”) -- he helped lead trusted health systems, payers, associations, vendors, and investors through their work on healthcare's toughest problems. In 2021, Drex joined CrowdStrike as Executive Healthcare Strategist. He’s passionate about the mission to stop breaches, and better secure clinical, research, and healthcare business operations.
Chief Information & Innovation Officer
2y · IR is great and needed for sure, but I think having an immutable and indelible backup that has no back door is the most important tool to recover from a ransomware attack. Ask any of the health systems that have been attacked and they will all say they wished they had a secure backup to recover operations in minutes not months.
President, 229 Cyber/Risk @ThisWeekHealth | Former CrowdStrike Healthcare Exec; Recovering-CIO via Seattle Children's; Scripps; Steward; USAF Health | Founder, Drexio | Past-HIMSS, CHIME, & AEHIS Board | HSCC/CWG
2y · Marty & Matt — today’s HC2HC Panel!
We Stop Breaches.
2y · CYA. Get a proper IR Retainer...NOW.
Sr. Director - Healthcare at CrowdStrike; US - East
2y · There are few better ways to help a customer. Knowing who to call - and what to do, alignment to e-staff, legal, risk, audit & third party counsel. This can't be stressed enough in this environment.
Head of Sales @ Arch | Sales Leadership, B2B SaaS Sales, Cybersecurity, Venture Capital
2y · Thanks for posting!