Intelligent CISO Issue 16 - Page 68

decrypting myths analyst, 20% to find specialists that can respond to attack and 13% can’t find threat hunters. Another issue is employee retention. Specialists know they are in demand and can easily switch to a rival organisation if offered a higher salary. Because of these factors, it’s increasingly hard for companies to employ a team internally that can conduct the entire IR process. Choosing suitable outsourcers Choosing a contractor is also not a trivial task. To be effective, an outsourced team should cover all the important competencies of IR; namely threat research, malware analysis and digital forensics. It’s important that outsourcers have vendor-neutral certificates to prove a skill base. Also, ask about their experience in the role. The more they work for multiple customers in a variety of industries, the more chance they regularly come across typical incidents and can find similarities in seemingly different cases. For companies in strictly regulated industries, there may be additional restrictions when selecting outsourced responders. They will, therefore, only be allowed to choose from incident responders that meet specific compliance requirements. Cost of incident response Establishing in-house IR is costly. The organisation needs to pay a salary to full-time employees with rare and expensive skills. They also need to purchase solutions and services (threat intelligence) required for threat hunting, data analysis and attack remediation. However, the average cost of experiencing a data breach globally is increasing as well – with breaches now amounting to US$1.23 million on average for enterprises (up 24% from US$992,000 in 2017). With the cost of IT incidents on the rise, businesses are realising that they 68 have to prioritise cybersecurity spending. Some organisations find a flexible outsourcing model more cost-effective, as it allows them to pay only for the service received. However, for enterprises that deal with numerous incidents, having IR in-house is a must. Nonetheless, they can still find a more cost-effective model when they employ first-level responders. This internal team should be able to analyse the incident first and either handle it according to procedures or escalate to external experts. Synergy with IT department When an incident happens, the IT team may choose to shut down infected machines to reduce the impact. However, To be effective, an outsourced team should cover all the important competencies of IR; namely threat research, malware analysis and digital forensics. Issue 16 | www.intelligentciso.com