If you squint, you can see the beginning of the end of the golden age of incident response billing. I’ve seen this movie before and I know how it ends because I lived through the golden age of eDiscovery billing. Incident response will no more go away than litigation requiring the production and review of electronic documents, but the current billing gold rush won’t continue indefinitely.
I left law enforcement and entered the private sector around the time electronic discovery was really gaining steam and interest in the legal world. This resulted in legions of eDiscovery consulting outfits of various sizes and abilities getting into the game and charging confiscatory prices for their work. The billing was such during this period that it took nothing for litigation to result in some eDiscovery consulting outfit making six- or seven-figure sums for their work. Law firms and their clients eventually rebelled against being ridden like ponies off into the sunset by the eDiscovery industry and started to bring as much of the work in-house as they could get away with to avoid expensive outsourcing. Electronic discovery cost containment became a very important buzzword in the legal world.
The gold rush also brought in more competition and interest from giant consulting firms who could offer competitive pricing and performance because of their economies of scale and ability to invest in technology and utilize their existing infrastructure. This resulted in quite a few small to medium-sized eDiscovery firms being bought up, merging with other firms, or just going out of business entirely. It wasn’t that eDiscovery went away or that it suddenly became inexpensive, but the market eventually worked things out where the larger and more efficient firms could offer better speed, cost, and quality to the legal world and their customers.
We’re going to see something very similar in the incident response world. We’re still very much in the information security version of WWII’s Happy Time, where the field of battle still greatly benefits the attacker. That isn’t changing anytime soon and maybe it never will change. I wrote about this information security happy time in 2011 and very little has changed since then. We just have to look at the headlines to see the near-constant reports of major breaches in all sectors of business and government. These successes are going to continue to result in high demand for incident response services, and these services are not cheap. Many a fortune has been made in recent years by sharp people who set up incident response consulting practices and billed themselves into a king’s ransom. The costs associated with a breach can be immense due to the costs of the technical response itself, resulting litigation, paying for identity theft protection if personally identifying data was involved, and everything else associated with recovering from a breach, including potentially rebuilding all or some of the impacted organization’s information technology infrastructure.
These costs have created a growing cyber insurance market where organizations are making cyber insurance part of their risk management process and basically paying the insurance companies to help shoulder the risk for them. The key rule to understand in an arrangement like this is the age-old one that says that “He who pays the piper calls the tune.” When a breach happens, the insurance companies will be the ones dictating the response since they are the ones shouldering the cost. These firms will have already entered into agreements with trusted incident response providers to provide their services at pre-determined billing rates. The insurance companies will be driving cost containment in this area because their financial health will depend on it.
This will put an end to the current golden age of incident response billing, which will put downward pressure on the profits of organizations providing incident response capabilities and the salaries of those who work in those organizations. I expect that we’ll see similar consolidation in the industry, where it will be hard for smaller incident response firms to survive unless they develop practices based on providing affordable response services to smaller entities that might not have insurance or the resources to pay expensive incident response fees. That said, there will still be plenty of money to be made in this area, and it’s still going to be a great industry to be in if you are interested in developing the incident response skills that will be in demand for a very long time to come.
In the short term, the gold rush is going to continue because the insurance market is still developing in this area. The sun will start to set in the medium term as the insurance industry becomes more mature in this area and an increasing number of breach victims are covered under some form of cyber insurance. I think we’ll also see legislation helping drive some of the cost containment, where organizations that take certain proactive steps, such as being compliant with some information security standard or another, will have their liability capped, and that will also help drive costs down. In the long term, stick a fork in the gold rush that is the current incident response market. It will be done.