Incident response services: A five-step program for security VARs

A security incident can shake your client's faith in the network you helped secure. In this tip, learn about incident response and how to maintain a healthy relationship with your client before, during and after the security incident.

At one point or another, most security resellers will get "the call" from an otherwise gruff and obstinate client desperately seeking help with a security incident. Providing incident response services in such a scenario can help you solidify a relationship for years to come. Better yet, preparing clients before an incident can help ensure an efficient recovery you'll both be grateful for.

Remember how hard it is to pick up the phone in the middle of a crisis and ask for help. If a client calls you for help with a security incident, they know how serious it is. The client understands their job is at stake and is looking to you to resolve their issue.

The problem is that most security professionals (your clients) work at the church of "what have you done for me lately." Their senior executives don't really understand what the security folks do, with the exception that they realize they spend a lot of money on security. Basically, your clients are only as good as their last incident, even if they have years of exemplary performance. The reality is that your customer's job security is dependent on how they handle the incident.

The good news is that as a VAR, you are in a great position to help the client before, during and after a security incident. By taking a long-term view and accepting the inevitability of an incident, you can position the client to react faster and more effectively to contain the damage of an incident, as well as to communicate the issues to their senior management. Ultimately you can make sure the client lives to fight another day and buys additional products and services from you for years to come. Sounds like a win-win situation to me.

Here's a five-step program for you to both do yourself and work with your client on to ensure efficient and effective security incident response.

Step 1: Have your own house in order

First and foremost, you need to lead by example by having a documented and well-practiced security incident response plan in use within your own business. As a model citizen, you can relay your experience directly to the customer. A generic incident response plan template is also a useful thing to have on hand to kick-start the customer's efforts. Finally, you can make a shekel or two by structuring an engagement to help the customer build out their incident response plan and process. Doing well by doing good (for the customer) – it doesn't get much better than that.

Step 2: Practice the plan quarterly with the customer

Practice makes perfect, so as part of your engagement, you should simulate incidents and practice the incident response plan with the customer. The last thing you want to find out during an incident is that the plan you helped develop stinks. Make sure the response is scripted out and practiced. It will pay dividends for you and the customer for years to come.

Step 3: Develop some simple security forensics capabilities

Security forensics is a highly specialized field. For significant incidents, it's best to bring in the experts. That being said, you can learn some simple things to add value and accelerate the security incident response process. If only to speed up containment of the damage, you need to be able to do some simple analysis yourself.

Take some security forensics courses and learn enough to be dangerous. Learn evidentiary requirements and chain of custody rules. Practice your trade, go to shows like Black Hat and DEFCON to learn from your peers, and give customers the sense that you can help them immediately. Your clear head and confidence are the intangibles that can help the customer get through the crisis.

Step 4: Know whom to call

You also need to get to know some security forensics experts who will take your call when a security incident goes down for real. You can't predict when incidents will happen and world-class forensics folks are in high demand. You don't want to cold call their office when your customer's hair is on fire.

It's also a good idea to get to know the local law enforcement staffers who specialize in cybercrime. These folks may be local police or with the FBI or Secret Service. Take them out to lunch and get involved in InfraGard and other groups. These folks can also help in a pinch, and you want them to be familiar with you.

Step 5: Work with the customer on the post-mortem

Lastly, don't miss out on the opportunity to help the customer understand what happened and put in place safeguards to make sure it doesn't happen again. Those who forget history are doomed to repeat it, so make sure you don't skip the post-mortem. There is a tremendous amount you can learn by candidly assessing both the security incident and the incident response plan.

Mike Rothman

About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at, read his blog at, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
