Is there ever a case for Outsourcing Incident Response?

The IR Imperative
The sheer scale, volume and frequency of cyber incidents has shifted significantly in recent years. Malware is on the rise, threats are more sophisticated and perpetrators are organised, adaptable and well resourced. The received wisdom is that there is no 'silver bullet' solution that can prevent even the most well resourced organisation from falling victim to a data breach. As such, more focus is being placed on establishing an effective incident response programme and ensuring that the team, tools, technology and processes are in place so that organisations can 'take the hit' and get back up and running with minimum impact.

The increasing complexity and regularity of cyber incidents means that Incident Response (IR) planning is evolving from simply an additional responsibility for the IT security team; it is a strategic function of the business, with a well-rounded IR plan requiring board-level buy in, as well as input and expertise from executives across a range of business units, from senior management to HR, communications and legal teams.

Given the need for a multi-faceted, cross-departmental approach to IR is there ever a case to be made for outsourcing the IR function to a third party? Here we examine the pros and cons of each approach and the critical factors in determining if a cyber attack can be dealt with by external teams.

The outsourced advantages
Cost is clearly a key consideration in electing to bring in external resources. One of the key advantages in outsourcing the IR function is that an organisation has access to specific skillsets that it would not be viable, economically, to employ in house. If an organisation doesn't have the manpower or resources to handle an incident internally it makes sense to draw on the skills of external specialists - a forensics investigator for example - or managed service providers with the resources and skill sets required to manage the response and remediation.

The most logical candidates are typically providers with whom the organisation has an existing relationship such as the cloud provider or web hosting organisations, which also provide a vast array of managed security services. As they are tasked with managing and monitoring your infrastructure, they will bring security IR expertise and in depth knowledge of the infrastructure.

Bringing in external organisations also means that organisations can leverage the best practices that specialists have built up from managing multiple incidents. Specialist external teams offer a breadth and depth of expertise which they will have gained from dealing incidents of varying sizes and types which can be leveraged to help manage an incident more effectively. Where an internal team may have dealt with a one-off incident, external teams bring best practice gained from dealing with specific types of attack - DDOS, phishing, SQL injection, system intrusions - which would all require specialist expertise.

For organisations setting out on establishing an IR strategy, it can make sense to bring in the skills of a consultant in an advisory capacity. Ultimately, however, decisions will come down to cost, skills and resources: outsourcing will make sense if an organisation does not have enough people to manage the challenge internally, if they don't have the right internal expertise or if they need external support to manage a specific aspect of the incident such as compliance or forensics skills.

The merits of In house expertise
IR plans are built to a common framework however they must also exist within the context of the business: decisions therefore need to be made on the proportionate and appropriate response to each individual incident. This means that outsourcing the entire IR function can be a risky strategy. Incidents come in all shapes and sizes and, even a moderate size organisation will need to handle incidents which, however apparently minor they may seem - a lost laptop or missing paper records, for example - cannot be readily outsourced yet could have a devastating impact. It therefore pays to be prepared to handle these internally.

There's no substitute for the insight which internal teams can bring to bear on a situation; in house teams are equipped with a wealth of knowledge on the specifics of a business which it could take external teams weeks or months to acquire. This will be critical in the interpretation and appropriate response of an incident.

There's a wider issue at play here also; one which impacts the way in which security teams and leaders are perceived across the organisation as IR takes on a more strategic role within businesses. Whilst multiple teams may be involved in IR, typically it will be the security team that still has the pivotal role in overseeing responsibility and implementing the IR plan. Managing this in-house creates opportunities for Security Managers to build their role within the organisation: why would you outsource a function which plays such a critical part in upholding the integrity, reputation and security of the organisation's assets? In the aftermath of an incident, teams should also apply the lessons learnt adopting processes for continuous improvement. Outsourcing IR denies internal teams that ability to learn from processes with the aim of making improvements where necessary, so that they can examine what could have been improved and how to get back to business faster.

For organisations setting out on the road to building an IR strategy, the prospect of documenting an IR plan in the context of the complex regulatory and legal frameworks, can seem like a daunting task. However, many resources are available to help with the process. New approaches are now emerging which fully automate IR management, standardising IR procedures, providing an end-to-end work flow and generating detailed incident response plans while ensuring that reporting and remediation is efficient and compliant. This means that effective IR is an achievable and realistic goal for any organisation, irrespective of size or sector.