I stumbled across the role of lawyers in cybersecurity while researching how cyber insurance shapes incident response. It turns out that insurers push their policyholder to allow law firms to lead incident response, as pictured in the above figure, mainly to protect client-attorney privilege. Further, insurers concentrate incident response work among a handful of law firms. One firm, Mullen Coughlin, partned with over 80% of the insurance firms in our sample, which can be seen in the following figure.
A listing is equivalent to a partnership.
We term this “Incident Response as a Lawyers Service”. We assemble preliminary evidence in an article with the same title. You can also watch my talk at FIRST:
I have an active research interest in collecting empirical evidence about how this impacts technical incident response practitioners (e.g. metrics like time to contain incidents, investigation documentation etc). Please reach out if you have a perspective on this.