
A Look at Incident Response Through a Jaundiced Eye: Why You Might Be Skeptical of Your IR Vendor’s Intentions



It’s time to play everyone’s favorite game… Musical Chairs!?!? 

There has been a bit of a logjam for the past 12-18 months in the world of Chief Information Security Officers: no one was giving up their seat. The average tenure for a CISO is normally 24-36 months, meaning 25-33% of them should be moving in any given year. But that stopped during 2022 and 2023. No one wanted to be looking for work during a downturn. 

Well, all that is over now. We know of at least 3 new roles being filled that we can’t talk about; and a hat tip to Brad Arkin who started his new role, Chief Trust Officer, at Salesforce. If you want to try to steer the massive ship that is Cisco then reach out to your recruiter. 

Now, let’s discuss the Incident Response (IR) market. For those who aren’t nerds, IR is the team one hires to investigate once a security team has discovered a breach; don’t worry, we love nerds here. They investigate what happened, help kick the intruders out or negotiate the ransom, and then clean up the systems and get the company back on their feet. They are the firefighters of the security world. 

In the past, when a breach happened a company would hire a firm to help with the response. Over time, organizations started to pay a retainer so that they could ensure a timely response from their vendor. After a while, some IR teams started asking for zero-dollar retainers, without the SLAs, essentially getting the paperwork out of the way. 

While this started out as work done by independent consultants and services firms, the market has increasingly consolidated, and firms like Google have gotten into the IR game. But why?

In a discussion with a highly influential industry insider, they made it clear that it’s like everything else: follow the money. 

It turns out that security products are most likely to be dislodged and replaced after an incident, and the IR team has a lot of influence over what products get replaced and by whom. This led to big product companies offering IR services; essentially to protect their product business. 

They can waive the retainer, bury the cost in the annual software license and fees, and even require the paperwork be done to allow them to do the work, such that they are never found to be the responsible party for a hack. That’s not the official line of course, but it’s a good bet that the company’s IR team isn’t going to point the finger at their own product. 

Our contact thought that when we look back on this as an industry, people will say that it’s a clear conflict of interest. But would it even be cybersecurity if there weren’t a few of those in the conversation?

On a sadder note, ShmooCon has announced that 2025 will be their final year. While there are many respected hacker cons, ShmooCon, founded by Heidi Potter and held in DC, is an annual favorite and holds a special place for many. Tickets to the con are notoriously hard to get; they sold out in under 10 seconds this year, and next year they will be even more coveted. So, good luck. Make sure you are there since it will be the end of an era. 

Below are a few of the articles that caught our attention this month. Moreover, we’ve inserted one or two sentences in italics, summarizing each article’s importance. We hope you enjoy and appreciate the material.


Here's a curated list of things we found interesting.

The Fastest Growing Software Sectors in 2024

Cybersecurity remains the fastest growing category in software. Investor and Blogger Tom Tunguz brings the data.

The fastest growing software category in the public markets is security. Data follows.

The Modular Method of Mahjong

How can Mahjong teach you about cryptography? Find out! This is a fun way to learn a little math that’s important to codes and ciphers.

Keeping track of the game is an exercise in the useful arithmetic of remainders. So is reading a clock.

Microsoft Executive Emails Hacked by Russian Intelligence Group

It will come as no surprise that state actors are still targeting America’s tech giants. This time it was Microsoft in the crosshairs, but at this point we just assume that everyone has been compromised. 

Microsoft said it detected a cyberattack carried out by the same Russian intelligence group responsible for the broad-based SolarWinds hack in 2020.


Deals that caught our eye.

Hewlett Packard Enterprise to Buy Juniper Networks in $14 Bln Deal

Okta agreed to acquire Spera Security in a move to broaden Okta’s Identity threat detection and security posture management capabilities. The deal was reportedly done for between $100MM and $130MM.


Lytical Ventures is a New York City-based venture firm investing in Enterprise Intelligence, comprising cybersecurity, data analytics, and artificial intelligence. Lytical’s professionals have decades of experience in direct investing generally and in Corporate Intelligence specifically.

