Lesley Carhart 
I don’t understand companies that buy a credible incident response retainer and then are terrified to activate it, even though the hours are paid for and a rate and SLA are guaranteed. When in doubt, activate your retainer! Get a fresh set of eyes! You don’t just buy the retainer for the sake of your insurer and regulator. You have specialist incident responders on call to help you and help make things better! Any legitimate company will just use the minimum required hours for the contract and situation. It isn’t a magic red button where the incident isn’t real until you press it… #infosec #DFIR
No@hacks4pancakes I always assumed it was one of those unaccounted for psychological quirks - a "corporate/organisational ego" which is damaged by needing assistance; "We are fine until we have to ask the grown ups for help".
Esp. If there is an in house response, they'll have to admit it is beyond their capability and it probably knocks their pride.