Incident Response Teams: In-House vs Outsourced

Incident response team-inhouse or outsource

How prepared is your organization for a security breach?

That gap in time between finding out you’ve been breached and selecting and onboarding an incident response (IR) team can cost your organization time, money, and brand reputation.

You can improve your security posture, protect your assets, reduce incident response time, and minimize breach impact by adding an IR team as part of your security operations.

What Is an IR Team?

An incident response team also referred to as a computer security incident response team (CSIRT), is a cross-functional team that responds to and mitigates incidents on behalf of an organization.

There is some overlap between the Security Operations Center (SOC) and IR teams, but IR teams are typically more focused on incident management and response duties.

What to Consider When Commissioning an IR Team

Organizing an IR team means determining who will be on the team, what skills you need in those individuals, their roles and responsibilities, what tools, training, and facilities you need to support them, which functions to outsource, and where your team members will be located.

As you begin to implement your strategy, you reach a crossroads: is it better to try and build an in-house IR team? Consider outsourcing? Or take a hybrid approach?

Before deciding on how to structure your IR team, take a pause, and begin with the basics: developing an IR plan, which includes a six-phase IR lifecycle, as follows:

The Incident Response Lifecycle


This phase lays the foundation for all your IR planning, including:

  • Ensuring your employees are properly trained regarding their roles and responsibilities;
  • Running through IR scenarios via mock breaches to test your plan; and
  • Ensuring proper funding of your IR plan, including training, tools, staff salaries, and more.


This process determines whether or not you’ve been breached, answering key questions such as:

  • When the incident occurred;
  • How it was discovered and by whom;
  • What areas were impacted;
  • Scope of the breach;
  • Impact on operations; and
  • Source of entry.


Containing the breach reduces attacker dwell time and minimizes further damage. Issues to address as part of this phase include:

  • Identifying short- and long-term fixes;
  • Looking at whether malware has been quarantined from the rest of your environment;
  • Security patches;
  • Updates; and
  • Credential reviews.


The eradication phase of the incident response lifecycle involves removing the cause of the breach along with patching and updating systems.


The recovery phase involves:

  • Getting your systems back up and running;
  • Patching and testing systems;
  • Implementing monitoring of systems; and
  • Implementing tools to prevent similar attacks.

Lessons Learned

During the final “lessons learned” phase, your incident response team performs analytical tasks, such as:

  • Analyzing and documenting key learnings from the incident;
  • Determining what worked and what did not work; and
  • Identifying what can be done to strengthen systems to prevent future attacks.

Specialized Skill Sets Required by Incident Response Teams

To build an effective incident response team, you need a diverse group of individuals with very specific skill sets to manage each of these phases.

You need a team with deep experience in forensics and investigative work (think: former FBI agents), in addition to deep reporting and technical expertise, such as the ability to reverse engineer malware.

For more sensitive investigations, you need legal, HR, compliance, and insider threat expertise including evidence seizure, chain-of-custody, secure storage, forensic imaging and analysis, investigative reporting, and courtroom testimony.

Finding individuals with these skill sets is an industry-wide problem, as most professionals’ experience does not go deep enough.

In-House Incident Response Teams Can Be Prohibitively Expensive

However, the biggest hurdle in building an in-house IR team is cost.

Maintaining budgets for training, selecting and licensing the right tools and technology, and providing secure storage of evidence – on top of the high salaries you’ll need to pay as well as issues with retaining that talent – makes building an in-house team cost-prohibitive for most organizations.

Benefits of Outsourced Incident Response Services

Based on the very specific needs of an IR team, outsourcing should be a top consideration.

When outsourcing, you’re not only taking advantage of the expertise that resides within the service provider’s own talent pool. You’re also gaining expertise from specialists who are putting those skills to use every single day, creating a network effect of knowledge from which your organization can benefit.

The cost? Typically far less than you’ll pay for an in-house team.

Companies usually outsource tasks if they are more cost effective and can produce consistent results. Outsourcing incident response functions ensures a company will get consistent, reliable results if an incident occurs. Many cybersecurity jobs go unfilled, because the pool of qualified applicants is currently smaller than the amount of jobs available. Thus, finding the right people for an in-house response team can be time consuming. If an incident occurs while waiting to staff those positions, a company is left vulnerable. Outsourcing means a company could be protected at a much faster rate.

When Should Incident Response be Outsourced?

It is time to consider outsourcing your incident response team when it is cost efficient, if you need to assemble a team quickly or if you have a high-risk infrastructure. Creating an internal incident response team is time consuming; finding qualified applicants can take an extensive amount of time. Once you hire the team, then you have to train them on the company’s infrastructure and the current incidence response plan.

Depending on your budget, you may only be able to hire a limited amount of people. Outsourcing means you pay a set fee and you have access to that company’s team 24/7. You are not directly responsible for paying this team’s benefits or salary. You pay a fee for the service. This could be the most cost-effective approach depending on your company’s size and needs.

If you are a company that collects sensitive information about your customers like social security numbers or financial information, you are a hacker target. It is important to quickly assemble your incident response team and reassure your customers that their information is safe.

Hiring an external team means tapping into their expertise. Managed service providers (MSSPs) may not only bring experience, but also insight into potential flaws in your current incident response plan.

What Factors Should be Considered When Selecting a MSSP for Incident Response?

When considering a MSSP, it is very important to know the past performance history of the company. Be sure to answer the following questions when shopping for a provider:

  • How long have they been in business?
  • How many incidents have they responded to in the past?
  • What was the response and success rates of those responses?
  • Can they provide estimates of money they saved other companies by mitigating threats?
  • What is the education level of the staff?

These are all important questions to ask when considering a MSSP.

What Are the Advantages of Outsourcing Incident Response Functions?

Again, the biggest benefit of outsourcing incident response is the potential cost effectiveness of not having to pay full-time employees salaries and benefits. If a company has a great monitoring system in place, you will only need to pay the MSSP to keep a connection to that monitoring service, in addition to actual breach response services. You may have to pay a contract fee to have the company on your service, but the big costs only occur when an incident happens. Reducing overhead is an advantage for any company of any size.

Having an incident response team adds a certain level of insurance. Hiring an outside team for this job means they are a licensed and insured company. They are motivated to quickly respond to your incidents and mitigate threats because they may have guaranteed a certain success rate. If they fail and cost your company more money by not mitigating threats quick enough, they may actually owe you money instead. Plus, an outsourced company needs your great review in order to stay in business. An in-house team does not have the same incentive.

What Are the Disadvantages of Outsourcing Incident Response Functions?

Some of the negatives associated with outsourcing are creating additional threat vectors and reduced operational control.

The biggest disadvantage is granting an outside entity access to your company network and potentially proprietary information. This adds a certain level of risk. Giving someone external access creates infrastructure vulnerabilities. If this outside entity gets hacked themselves, those cybercriminals could potentially access your network through the hole created in the third-party’s breach.

Insider threat is a term to describe employees and other personnel being a threat to the security of the company. Employees can have access to sensitive company information. If they felt wronged in any way, they could release that information to the competition or the public. Outsourcing creates a bigger pool of potential insider threats since they will now have access to your network.

Leave a comment