Enterprise IT Security – Should You Pay For an Incident Response Retainer?

By Michael Schulman

Client Services Manager, NPI

June 17, 2020


Times of crisis make attractive targets for bad actors, and it’s certainly true for enterprise IT security. The CSO Pandemic Impact Survey indicates 61 percent of security and IT leader respondents are concerned about an uptick in cyberattacks targeting employees who are working from home. As of mid-May, researchers at Check Point Software Technologies reported 192,000 coronavirus-related cyberattacks per week, a 30 percent increase compared to the previous three weeks.

Which brings us to a key tenet of enterprise IT security sourcing – don’t wait until your organization has suffered a security breach to begin vetting vendors. Most companies’ security needs have evolved considerably over the last three months. Now may be a good time to reinspect your cybersecurity vendor agreements to make sure solutions and business terms are aligned with your current security requirements and priorities.

Does an Incident Response Retainer make sense for your enterprise IT security requirements?

One way to ensure you receive the protection and prioritization you need if a security incident occurs is entering into an Incident Response Retainer (IRR) with your enterprise IT security vendor(s). Full disclosure – IRRs can be expensive, and they may not be feasible for every IT budget. But if you plan ahead, the costs are much lower than what vendors will charge if you pick up the phone and yell “FIRE.”

Most vendors offer significant IRR discounts to customers that already use their solutions. They use these retainers to staff up for the eventuality that they are called into action, as well as to better understand customers’ unique security requirements. That’s important – especially now – when more customers are reporting more incidents and requiring more service. An IRR gives you priority over other customers that don’t have an IRR in place.

The costs of an IRR vary by vendor – and there are more options than ever before, ranging from traditional information security boutiques to enterprise security juggernauts. There are businesses that specialize first and foremost in security incident response, and there are those that are simply in the business of cyber consulting, where incident response and breach mitigation are among many offerings.

Vendor selection takes many things into consideration – innovation, cost and size are three. Another is collaboration, and this one can be tough for some companies to get their head around. Do you want a provider who is intimately involved in your network and strategically involved in the day-in/day-out intricacies of your business? Do you want a provider who can not only mitigate the damage and conduct the forensics on your situation, but also spin any damage after the fact to ensure your business passes public scrutiny? Or do you want a provider who simply shows up and responds to incidents as needed?

The answer to these questions depends on a number of factors. A medical trials company handling sensitive patient and research data may have different needs than a consumer retailer who has already been through a major security breach and has protocols in place.

Whatever situation your company finds itself in, remember cost is just one element of consideration. Yes, there is a difference between vendors that charge $800 to $1000 per hour and those that charge $300 to $500 per hour. But there has to be a synergy between you and your vendor that transcends the agreement and results in your business being secure from both an enterprise IT security and public opinion perspective.