4 Ways to Maximize Your IR Vendor Relationship

Hiring an incident response (IR) vendor often “checks the box” for companies that need to comply with a regulation or want to improve their security posture. But when minutes count and a cyber incident is in progress, that checked box doesn’t automatically translate to an effective response. This blog outlines 4 ways to get the most from your IR vendor relationship.


Security posture is a measure of your organization’s cybersecurity strength and how well it can help you identify, respond to, and recover from security threats. A proactive cyber defense is vital, but in some cases, a company’s approach to addressing its security posture can be troublesome.

The most dangerous approach is denial, displayed through either a general lack of concern or a false sense of confidence in cybersecurity strength. Another is box-checking. When the goal is simply to comply with the latest recommendations or regulations, an organization may “check all the boxes” and look secure on paper, but may have gaps in protection from tools that are not configured properly or from a statement of work (SOW) that is not fully implemented.

These disconnects between security perception and reality often play out in the hiring of an incident response (IR) vendor. IR lends itself to an outsourced solution due to the expertise needed and the risk associated with operating in the midst of a cybersecurity attack. An IR vendor can help you develop, implement, and test an IR plan, and in the event of a cyber crisis, lead a comprehensive cyber response. But it takes more than just adding a vendor to make IR work effectively.

So how do you make the transition from just checking the “Hire an IR Vendor” box to creating a strategic IR plan? Here are four ways to maximize your IR vendor relationship:

1. Choose the right vendor (for you) from the start

In the world of IR, experience is king. Finding a vendor with a long-term and solid track record of successful incident resolution is a good first filter when evaluating vendors. Understanding who will be on the IR team, what their qualifications are, and what industries they have worked in will help assess the fit with your organization. These are the people you will train with and go to (cyber) battle alongside, so ensuring they are qualified to meet your specific needs is a big deal.

IR philosophy is also an area where compatibility needs to be established. Is the vendor’s focus primarily proactive or reactive? How much interaction and planning does the vendor generally provide pre-breach? Does the vendor speak in the language of customer relationships and life cycles? Ideally, your IR vendor will have a partnership mindset with a desire to strengthen your overall security posture to both prevent – and prepare for – potential breaches.

2. Identify, share, and prepare

The goal of engaging an IR vendor is to proactively share an understanding of your entire digital environment, including the location of sensitive data and critical assets. Part of this process involves ensuring your own internal IT team understands your digital landscape, as it does not take long for an IT system to become a complex mix of operating systems, security programs, and endpoints. A qualified IR vendor will help your organization map the entire system and implement best practices for security tools and data storage based on their experience of the types of gaps that often lead to security failures. If a breach becomes your reality at some point, an IR vendor who knows and understands your system and your data intimately is exactly who you want to have on your team when things go sideways.

3. Build an IR plan together

Planning for a breach before it even happens is the heart of the IR vendor’s value add. After the information gathering and sharing in the previous step, the IR vendor should deliver both recommendations on preventative measures and a thorough response plan with prioritized steps in the event of a breach. An IR vendor’s identification of gaps and blind spots in your current system can pay big dividends. These preventative recommendations are a great opportunity to take objective feedback from a knowledgeable source to make your systems and data more secure. And prevention, in the form of proactively resolving those vulnerabilities, is far easier than recovering from an attack if/when a bad actor finds and exploits them.

The IR plan is the playbook everyone will be reading if an attack should occur. First and foremost, the plan should establish expedited processes for investigating and triaging potential threats. Once an attack is confirmed, the plan should clearly define critical roles – who does what, and when, in response to common types of security incidents. The IR vendor should ensure the plan aligns with your cybersecurity insurance policy requirements, as coverage may require specific steps to be taken in the event of an attack. A capable IR vendor will bring a wealth of experience and knowledge to this planning process to ensure both preventative and recovery measures are built to protect your organization.

4. Test the IR plan together

Often the most neglected part of an IR plan is testing. A plan can look great on a piece of paper, but when it’s implemented in response to a live breach, weaknesses and incorrect assumptions quickly become apparent. An experienced IR vendor will test multiple breach scenarios to help leadership and IT staff understand and practice the plan – as well as their roles in responding to threats. Testing also helps companies shore up vulnerabilities.

These important tabletop exercises should be completed at least once a year and should include the participation of the IR vendor. Lessons learned are fed back into the life cycle of the IR plan to create an ever-evolving and maturing plan. And it doesn’t take much imagination to comprehend the benefit of going into a breach with a team you have planned and practiced with consistently over time.

If the target is to hire an IR vendor so you can check the box, comply with a regulation, or keep up with the proverbial Joneses, you may be left wanting. An engaged IR vendor helps with prevention. And if a breach does occur, going into that crisis with someone who thoroughly understands your systems and data, and who follows a shared and practiced tactical course of action, paves the way to the best possible outcome.

