Electricity, water, internet… and incident response. In a threat-glutted 2024, incident response (IR) services are practically a utility, but unlike the providers of the former, these services don’t come from some form of a monopoly. In fact, security leaders have a vast array of choices of highly competent providers, 14 of which Forrester evaluated in The Forrester Wave™: Cybersecurity Incident Response Services, Q2 2024.

Are all these providers able to help security leaders on their worst day? Yes. The digital forensics and IR capabilities of each provider are solid. But IR is a lifecycle — from preparation and simulation to post-incident recovery, support, communication, and transformation. This life cycle is supported by an ecosystem of partners and watched closely by three key constituencies: customers, cyber insurance carriers, and regulators. Choosing the right cybersecurity incident response services (CIRS) provider comes down to:

  • The strengths and weaknesses of your program and people. Incident readiness and resilience is, in the eyes of those three key constituencies, just as important as incident response. To get or maintain cyber insurance coverage, for example, organizations must demonstrate overall program maturity and attest to the IR skills and capabilities of internal teams. Look for a provider with a thorough onboarding process that helps them gain a detailed understanding of your environment. The insights gained through onboarding also help them help you use contract, retainer, or engagement time wisely for incident preparation and crisis simulation activities to fill program gaps and meet customer, carrier, or regulatory requirements.
  • The influence of counsel and carrier. From the perennially underskilled to the most mature, all security teams need outside help in a time of crisis. And when it’s time, outside counsel and CIRS providers are the first calls, in that order, security leaders make to ensure every step is covered under attorney-client privilege. Law firms specializing in breach coaching have their favorite providers, as do cyber insurance carriers. In the past few years, CIRS providers courted these IR influencers and added talent with regional, legal, and regulatory expertise. This is particularly helpful given the ever changing breach notification landscape. They also developed ties with carriers beyond panel participation to include posture assessments and attack surface discovery scans during the underwriting and claims management process to speed outcomes for all involved. Be sure your provider is well liked by these influencers and well versed in meeting their needs in addition to your own.
  • The provider’s ability to keep pace with bad actors. To meet retainer- or contract-based response times and keep pace with evolving attacker techniques, many CIRS providers are investing in innovation and initiatives focused on speeding all stages of the IR lifecycle and automating more time-consuming or rote processes like evidence collection. They’re also investing in training for responders and supporting staff to ensure handoffs between teams and communication with stakeholders are smooth and consistent across geographies in a global delivery model. Regardless of the attack or breach type, your provider should be your primary partner and main point of contact throughout the IR lifecycle.

Your CIRS provider is critical to timely, thorough, and defensible breach response. This is a market that every security leader should keep up with, so check out the full report for more detail.

Forrester clients can schedule a guidance session or inquiry with me to discuss your needs and the providers evaluated in our latest Forrester Wave™ evaluation — or those included in our broader Landscape overview of incident response services.