less than 1.6 working with manage security service providers or MSs Peas.
You mentioned before that we were going to talk about this more in depth. Um, here it is. So in the objectives for this session, we'll talk about understanding the different operating models oven I Our team, including some hybrid models.
Second, will discuss the impacts of regulations and cyber insurance on IR teams and organizations. And third, how racy, which we were just introduced to last session, can be used for MSs Pisa's Well.
So let's talk through some hybrid and external resource is that certain may leverage.
A lot of organizations are in fact, moving to a hybrid model because they just can't staff enough. Resource is internally or frankly, can't afford the incident response capabilities that they might need to keep them in house, as we see in increased complexities with incident response
and just the difficulty in recruiting and retaining staff. This is certainly a model that is appetizing to a lot of individual companies and organizations.
We also see organizations have an incident response retainer with an outside company. So you think of the large companies that do this regularly, like fireeye and stroke straws. Friedberg and other organizations that do incident response Deloitte and KPMG, for example,
they may have every trainer with them. There's also a lot of small and medium size businesses that specialize in incident response.
They also have retainers available
now. Cyber insurance is becoming very popular and also oftentimes requires a retainer. So you may see cyber insurance for companies telling them they have to have a retainer with an outside organization. And in fact, I've seen cyber insurance policies that require the company to use
a, um requires the company getting the policy to use an instant responder company
that they choose. So the cyber insurance company may have a list of five different companies that you could go to and get a retainer with. So that is something to just keep in mind. Also, without a retainer, though, organizations find it really difficult to get an I R consultant or a team on site.
During an incident without any previous relationship,
these companies were busy. They are frequently booked out, and you don't necessarily want to wait a couple of weeks to get somebody on site. If you can find somebody that can come in, then you're going to have to quickly go through all the contracts. The legal department have to review them, your CFO,
and it's going to cost a lot of money to just get somebody with no relationship in the door
to do some sort of an incident response engagement for you.
So we'd looked at racy before and on this example on the slide. You see how you might be able to use it with external firms as well. So on the left hand side, you would add roles for the MSs P and specifically say, under our contract or service level agreement with the MSs p
their response before in point detection and response.
Digital forensics, vulnerability, scanning or whatever it may be. But it's really helpful to just visually have a single page that shows what you're on the hook for. Internally. Vice, what you're MSs P is being paid to dio.
Make sure that racy is used also to deconflict with service low level agreements or s. L. A's and contractual requirements. So it makes it really clear if you read through the contract and it says the MSs P is doing these things and you put that on there,
then you might share that with the MSs Pia's well, and make sure that everybody's on the same page and you have concurrence from all involved, and it also helps to if something goes wrong, then you can show your internal leadership. This is what they do. This is what we dio,
and it was either our fault or was their fault, and we're working through it. But it is helpful just to know
what those agreements are and have them visually available.
So with MSs peas,
true or false, many cyber insurance companies require an IR retainer.
The answer to that, remember, is true. A lot of cyber insurance policies will in fact require you to have a retainer sometimes if you have an M SSP that will also include access to their Incident Response team. But you just want to make sure it meets the requirements of the cyber insurance policy.
Second quiz question.
Why would an IR manager want to use racy for em? SSP contracts?
A. It provides a way to clearly identify the roles and responsibilities of the organization and the MSs P
B. Because it's required by law,
see it may help guide decisions in accordance with S L. A's and contractual language.
D. None of the above
or E. Both A and C are correct.
All right for this one, it's e both a NCR correct. It does help clearly delineate the swim lanes and roles and responsibilities,
and it also may help guide organizations as you look through the SLS and contractual language.
So in summary, with this module,
we have looked at some different operating models. Oven I our team, including hybrid models.
We looked at how racy can be used with MSs peas and also the impacts of regulations and cyber insurance on incident response teams and organizations.