I don’t understand companies that buy a credible incident response retainer and then are terrified to activate it, even though the hours are paid for and a rate and SLA are guaranteed. When in doubt, activate your retainer! Get a fresh set of eyes! You don’t just buy the retainer for the sake of your insurer and regulator. You have specialist incident responders on call to help you and help make things better! Any legitimate company will just use the minimum required hours for the contract and situation. It isn’t a magic red button where the incident isn’t real until you press it… #infosec #DFIR
@hacks4pancakes
Humans. (chuckle)
Many of them did get it just to appease insurance/regulations.
It IS a magic red button that makes it real.
- they have to admit it's something they can't handle
- they fear more costs in the future (see ppl not going through ins to fix car accident)
- they are sure they can fix it & not waste the experts' time b/c this problem isn't THAT big
Breaking human nature is hard.
Need clauses that say if you try to go it on your own we're out.
