Incident Response: Preparing for the Inevitable

 


It is time we talked about incident response in a way that reflects the reality leaders are operating in today. Not the sugar-coated, buzzword-soaked fantasy land some vendors like to sell, but the actual landscape that organisations have to make decisions in. Cybersecurity incidents are not mythical creatures that only hunt other people. They are not reserved for giant corporations, government departments, or whoever is currently in the headlines. They are an inevitability. You can accept that, plan for it, and build resilience, or you can keep wishing really hard that your firm will be the magical exception. If that is your strategy, I have a bridge in Sydney I would love to sell you.

Here is the uncomfortable truth. In cybersecurity, it is no longer an if, but a when. That single concept is what separates cybersecurity from cyber resilience. Cybersecurity attempts to prevent the incident. Cyber resilience accepts the reality of the world you operate in and ensures you can bounce back quickly when things go sideways. And they will. Pretending otherwise is like insisting Brisbane will never flood again or that humidity does not exist here. Lovely sentiment. Not aligned with reality.

So, what do you actually need in place to handle the inevitable? Plans. Real ones. Incident response plans, disaster recovery plans, business continuity plans. They cannot be decorative documents living their best life in a forgotten SharePoint folder. These should be living, breathing operational documents that get tested, reviewed, updated, and actually used. If you have not put your plans through a tabletop exercise in the last year, you do not have a plan. You have a security-themed screensaver.

And speaking of tabletop exercises, let me be very clear. These exercises should not be box-ticking activities based solely on whatever is written in your plan. You need scenarios that force your people to learn how they respond, how they communicate, and how they manage multiple crises merging at once. Because that is what actually happens. Ransomware does not politely wait for your payroll system to finish crashing before it strikes. If your practice lacks pressure, uncertainty, and friction, all you are doing is rehearsing theatre, not preparing for reality. Anything less than that is window dressing, and window dressing is about as useful in a cyber crisis as an umbrella made of tissue paper during a category five storm.

Decision making under pressure is a skill. Let me repeat that for the people scrolling quickly. Decision making under pressure is a skill. It is not innate. It is not evenly distributed. It is absolutely not something you suddenly develop in the middle of a breach because the stakes are high. Without practice, without drills, without a decision-making framework, you will not rise to the occasion. You will default to your level of training. And if your level of training is one half-remembered cyber awareness module from 2021, your organisation is in for a very long week.

When I served in the Navy, we drilled constantly. Every single day at sea, we ran an exercise. Fire. Flood. Toxic hazard. Electrical failure. Man overboard. Missile strike. It was relentless. And you know what? The day something went wrong for real, we were good. Not because we were heroic. Not because we had superhuman reflexes. But because we had rehearsed the response so thoroughly that the process was muscle memory. Slow is smooth and smooth is fast. Your goal is controlled speed. React fast, but react right.

This is exactly why pre-agreed thresholds, authorities, escalation paths, and communication plans are so critical. In the middle of chaos, your brain is not your friend. Rational, complex thought is difficult when adrenaline is running the show. A framework provides certainty. It anchors the room. It keeps people focused on the next correct action instead of the thousand possible actions.

And let me address something I see way too often. Your IT provider, or your managed services provider, is not your incident commander. They may be excellent at what they do. They may be the heroes who keep your systems running. But that does not automatically make them skilled in cyber incident leadership. That is like asking your GP to perform brain surgery. Sure, if it is the only option between life and death, you might take that gamble. But it is not their skill set. And if the default response during a cyber incident is to dump the responsibility on your IT provider, what you actually have is a failure of governance. Incident response is a leadership function, not just a technical one.

Communication is the most underrated part of incident response, and the one most organisations get wrong. Communicate. Then communicate again. Then communicate more. Then repeat. Staff, customers, regulators, partners, investors, insurers, and in some cases the families of staff if the incident affects safety or wellbeing. If you do not control the narrative, someone else will, and I promise you they will not be as kind or as accurate as you would prefer. Have communication plans in place before things go bang. That includes templates, approval pathways, spokesperson assignments, and regulator notification procedures.

When an organisation has trained, drilled, documented processes and empowered decision makers, it can take a hit and keep moving. It can recover. It can protect reputation. It can control cost. It can demonstrate that it is a mature, responsible business. The ones who have not prepared do something else entirely. They blame the hacker. They argue about whose fault it is. They dig through backups praying the data is intact. They second-guess every action. And they lose days, weeks, sometimes months of productivity because nobody ever stopped to prepare.

One of my favourite parts of my job is building and running cyber resilience and business resilience exercises. It is business-flavoured Dungeons and Dragons, and I say that with genuine affection. These exercises are immersive, challenging, and eye-opening for leadership teams. They reveal blind spots no audit ever will. And the aha moments you get from executives, when they realise what they would have missed in a real incident, are worth their weight in gold.

Every organisation should be doing these. Not because some standard says so, but because resilience is cheaper than recovery. If you are serious about protecting your business, your people, and your customers, you need to test your ability to respond. You need to know what will break, who will freeze, and where decisions will bottleneck. That knowledge is what turns chaos into control.

If your organisation has not run a meaningful incident response or business continuity exercise recently, now is the time. Reach out for a conversation. I am always happy to walk you through how these sessions work and how you can build resilience long before the inevitable happens.
