


A cyberattack is one of the most devastating experiences a company can go through. Yet for Jaycee Roth and Justin Harvey, being there for organizations when the worst happens is business-as-usual. As part of the Digital Forensics and Incident Response (DFIR) team within Kroll’s Cyber and Data Resilience business, their guidance and support ensure companies can recover fully from the disruption caused by a security incident.
Jaycee explains: “Day in, day out, I help organizations going through live cybersecurity incidents - anything from a business email compromise to a ransomware event to an insider threat network intrusion. My job is to bring order to chaos. I give the affected company’s internal tech teams a starting point and a clear sense of direction. I also advise the leadership team on what has happened, what’s going to happen next and how long it's going to take to get them back to some semblance of normal. Then I work with the company’s legal counsel to get them the answers they need.”
“As an Engagement Manager, I’m the integral link between the investigation, everything to do with Kroll and the client on a nearly daily basis,” says Justin. “It’s my responsibility to scope new incidents as they come in and make sure we can be successful in handling them. Then I kick the project off and work with incident examiners. Alongside others, I undertake analysis of the data and brief the client about the results.”
The Human Factor
While the demands of the role are high, so are the rewards. For both Jaycee and Justin, their work at Kroll is the culmination of a long track record of helping to safeguard organizations and the people who rely on them. This is reflected in Jaycee’s extensive experience of handling cyber investigations, and of leading and managing a team of incident responders and digital forensic analysts. Justin has run high-profile, large-scale incident investigations on virtually every continent—apart from Antarctica—and is a subject matter expert on cyberespionage, cyberwarfare and cybercrime, having provided commentary to BBC News, Reuters, Newsweek, New York Times, Washington Post and many others.
The role is highly technical, but its rewards are rooted in its impact on people. “For me, the key reward is definitely the human aspect,” comments Jaycee. “There is understandably a very human response to cyber incidents. I've known people who have been working for a week straight and barely slept while trying to fix the mess. The stress levels are high. People are up in arms after an incident. It's so rewarding to watch them go from that to the end of the process when they’re thanking us, wishing us the best and telling us they couldn't have done it without us.”
The Right Resources at Hand
In such a high-stakes job, having Kroll’s particular mix of expertise and proprietary technology to draw on is crucial. “One of the reasons I came to Kroll is that it sets an industry standard,” says Jaycee. “We have homegrown tools that make us really efficient. With so much collective knowledge built into our toolkit, we can complete investigations quickly and accurately. We work with some of the world’s leading experts behind these tools and we hire some of the smartest and best in the world to work on cases.”
As Justin explains, all of this provides a vital advantage in the process of bouncing back after an incident: “We have a very quick time to value because we have a lot of automation on the back end, created by our teams over the past decade, and we have ways to deploy our tools and get data quicker. That means we are faster to analyze and get a conclusive answer back to the client. Our short time to value is greatly enhanced by our automation, which frankly I was really amazed to see how much we had of when I first started at Kroll. It's pretty awesome.”
A Well-Oiled Machine
While great teamwork is valuable in everyday life, it is fundamental in times of crisis. As Justin points out: “Our normal day is our clients’ worst day and, in some cases, lives are actually at stake. The support we get from the Kroll team helps us stay on track. Our collaboration across the business is some of the best I've seen: very client-first, client-forward; even when operating under difficult situations as we often are.”
Having the right tools and people in place is crucial but Jaycee and Justin also highlight the role of the wider Kroll team in supporting clients toward recovery. “Kroll is unique in the sense that we offer the full lifecycle,” says Jaycee. “It’s usually just a case of reaching out to any of the teams we need help from, such as our sales team for clients who want to know more about services like Kroll Responder.”
“Kroll feels different to other organizations in the sense that it seems like we're aligned on mission and purpose,” remarks Justin. “Our whole reason for being here is to provide value to our clients and I see us carrying out that mission from the CEO on down with mutual respect and a sense of urgency and transparency. I think that the support system we have at Kroll is very rare in our industry.”
Change Is the Only Constant
With threat actor approaches and groups evolving all the time, what lies ahead for DFIR? Jaycee is quick to emphasize that being prepared for change is a constant in the life of every DFIR specialist: “The landscape is always shifting so we’re used to being prepared for the unknown. Staying up to speed with changes in technology is critical. We're pretty familiar with having to reinvent and change how we do things.”
Justin adds: “At Kroll, we’re constantly thinking about emerging issues, alongside serving clients. For example, how will threat actors weaponize certain technologies and how can we ensure we are ready for that? By identifying answers to these types of questions now, we’re making sure our customers are better prepared to face the security challenges that lie ahead.”
Stay Ahead with Kroll
Cyber and Data Resilience
Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber-resilient.
Digital Forensics Services
In the event of a security incident, Kroll’s digital forensics investigators can expertly help investigate and preserve data to help provide evidence and ensure business continuity.
Incident Response & Recovery
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.
Data Collection and Preservation
Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.
Data Recovery and Forensic Analysis
Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.
