Page 334 - Cyber Defense eMagazine September 2025
consistently struggle with fragmented communications and limited visibility -- issues that inflate incident
timelines.
The current IR crisis starts with the way plans are designed and executed. You'd be shocked at how
many static documents or spreadsheets I've seen companies try to pass off as an IR plan. These
documents don't integrate into actual workflows. They sit on a server and help a company pass audits,
but that is about the extent of their utility; they do little to support response teams in the moment. In
real-world incidents, teams need more than a set of instructions. They need a dynamic, shared
environment where work is tracked in real time, responsibilities are clearly defined, and progress is
visible across the organization. Without that baseline, efforts inevitably become siloed and inconsistent
at best (and counterproductive at worst). When the left hand doesn't know what the right hand is doing,
critical tasks fall through the cracks.
Plans are Not Preparedness
Another issue is the false sense of confidence that traditional IR plans can create. Organizations conduct
tabletop exercises that are, essentially, storytelling sessions. Participants gather in a room (or on Zoom),
discuss a hypothetical scenario, and check a box indicating that the plan was tested. However, real-world
incidents don't unfold in two hours. They evolve over days or weeks, and they require coordination across
security, legal, IT, HR, line-of-business executives, and communications teams.
They demand live decision-making, systems access, and continuous updates, none of which fits neatly
into a pre-scheduled two-hour window. They can (and will) take place at the worst possible time: when
your CISO is asleep, when your General Counsel is on vacation, or during your busiest time of year. A
tabletop won't tell you whether half your team lacks access to key tooling, or whether the legal team and
the SOC are aligned on breach notification timelines. You only discover those gaps when you practice
with real systems, real roles, and real timelines.
Modern incident response requires a shift in mindset. Static documentation must turn into active
coordination. Effective response requires a dynamic command-and-control approach. You have your
primary objective (neutralizing and eliminating the threat), but dozens of side quests must be managed
along the way: security analysts investigating alerts, IT staff remediating systems, legal and privacy
teams handling notification requirements, executives assessing the business impact, and employees on
the front lines managing the company's reputation with customers. The list goes on.
These side quests branch out unexpectedly, they loop back, and they often require different teams to act
independently while staying aligned. For that to work, there needs to be a common operating picture: one
place where tasks are assigned, updates are logged, decisions are documented, and everyone involved
can see the full scope of what’s happening.
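As an added example (not from the article or from any product it describes), here is a minimal in-memory model of such a common operating picture in Python: every task, assignment, status update and decision is appended to one event log, and a gap check flags the work most likely to fall through the cracks: open tasks with no named owner, tasks nobody has touched recently, and tasks blocked on something that itself has no owner. The incident, the people, the teams and the timestamps below are all constructed for illustration.

```python
"""Hypothetical incident coordination board (illustrative, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Task:
    task_id: str
    title: str
    team: str                             # security, IT, legal, comms, exec ...
    owner: Optional[str] = None           # a named person, never just a team
    depends_on: list = field(default_factory=list)
    status: str = "open"                  # open | done
    updated: Optional[datetime] = None


@dataclass
class Event:
    when: datetime
    actor: str
    kind: str                             # open | task | assign | status | decision
    detail: str


class IncidentBoard:
    """One shared place where tasks are assigned, updates logged and decisions recorded."""

    def __init__(self, incident_id: str, opened: datetime):
        self.incident_id = incident_id
        self.tasks: dict[str, Task] = {}
        self.log: list[Event] = []        # append-only; never edited after the fact
        self._record(opened, "system", "open", f"incident {incident_id} opened")

    def _record(self, when, actor, kind, detail):
        self.log.append(Event(when, actor, kind, detail))

    def add_task(self, when, actor, task_id, title, team, depends_on=()):
        self.tasks[task_id] = Task(task_id, title, team, depends_on=list(depends_on), updated=when)
        self._record(when, actor, "task", f"{task_id} [{team}] {title}")

    def assign(self, when, actor, task_id, owner):
        task = self.tasks[task_id]
        task.owner, task.updated = owner, when
        self._record(when, actor, "assign", f"{task_id} -> {owner}")

    def update(self, when, actor, task_id, note, done=False):
        task = self.tasks[task_id]
        task.updated = when
        if done:
            task.status = "done"
        self._record(when, actor, "status", f"{task_id}: {note}")

    def decide(self, when, actor, text):
        self._record(when, actor, "decision", text)

    def blocked(self, task_id) -> list[str]:
        """Dependencies that are not done yet and so keep this task from starting."""
        return [d for d in self.tasks[task_id].depends_on if self.tasks[d].status != "done"]

    def gaps(self, now: datetime, stale_after=timedelta(hours=4)) -> dict[str, list[str]]:
        """Open work likely to be dropped: unowned, untouched for too long, or waiting on unowned work."""
        open_tasks = [t for t in self.tasks.values() if t.status == "open"]
        unowned = sorted(t.task_id for t in open_tasks if t.owner is None)
        stale = sorted(t.task_id for t in open_tasks if now - t.updated > stale_after)
        blocked_on_unowned = sorted(
            t.task_id for t in open_tasks
            if any(self.tasks[d].owner is None for d in self.blocked(t.task_id))
        )
        return {"unowned": unowned, "stale": stale, "blocked_on_unowned": blocked_on_unowned}


# Constructed scenario: an incident that starts at 2 a.m., six hours in.
T0 = datetime(2025, 9, 1, 2, 0)
SAMPLE_NOW = T0 + timedelta(hours=6)


def build_sample_board() -> IncidentBoard:
    b = IncidentBoard("INC-0001", T0)
    b.add_task(T0, "alice", "contain-host", "isolate affected hosts", "security")
    b.assign(T0, "alice", "contain-host", "alice")
    b.add_task(T0, "alice", "notify-legal", "assess breach notification duties", "legal")  # no owner yet
    b.add_task(T0, "alice", "customer-comms", "draft customer statement", "comms",
               depends_on=["notify-legal"])
    b.add_task(T0, "alice", "rebuild-servers", "rebuild compromised servers", "IT")
    b.add_task(T0, "alice", "exec-brief", "brief executives on business impact", "exec")
    b.assign(T0, "alice", "exec-brief", "cfo")
    b.decide(T0 + timedelta(hours=1), "alice", "treat as ransomware; image hosts before any rebuild")
    b.assign(T0 + timedelta(minutes=30), "alice", "rebuild-servers", "bob")
    b.assign(T0 + timedelta(hours=5), "alice", "customer-comms", "dana")
    b.update(T0 + timedelta(hours=5), "alice", "contain-host", "three hosts isolated")
    return b


if __name__ == "__main__":
    board = build_sample_board()
    for name, ids in board.gaps(SAMPLE_NOW).items():
        print(f"{name}: {ids}")
```

Run six hours in, the gap check reports the legal task as unowned, three tasks with no update in over four hours, and the customer statement blocked on that unowned legal task; assigning the legal task clears two of the three findings at once, which is exactly the kind of cross-team dependency a static plan never surfaces.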
Yes, this presents technology challenges. But at its core, this tends to be a human challenge. In my
experience, the most overlooked factors in IR are trust, relationships, and communication. Incident
response teams aren’t just lists of names in a plan; they’re people who need to work together under
extreme stress. The best way to build that capability is to invest in relationships before a crisis occurs.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.