Rethinking Cyber Crisis Management for Business Leaders

Most companies have a breach response plan tucked away somewhere. A PDF gathering dust. A phone tree from five years ago. A few bullet points in the incident playbook that say, more or less, “Let’s hope it doesn’t happen.”

But as the scale, speed and impact of cyber attacks continues to grow, the businesses that come through them strongest aren’t the ones with the best defences. They’re the ones who know how to manage a crisis when everything starts going wrong, because they’ve prepared not just to detect, but to lead when it matters most.

Having worked with companies across multiple sectors, and having seen both calm and chaos up close, we’ve come to believe that crisis management is a business discipline in its own right, not just an IT function, not just a PR exercise, and certainly not just a compliance tick-box.

So what does good cyber crisis management look like in practice? And how should business leaders think about getting it right?

You Can’t Lead in a Fog Without a Map

When a serious cyber incident occurs, let’s say a ransomware attack that takes core systems offline, there’s an immediate fog. Communication is broken, the facts are unclear, and people aren’t sure who should be doing what. In that moment, leadership either takes shape, or it collapses.

The best-prepared companies don’t wait until the fog hits. They’ve mapped out what the first 15 minutes, the first hour, the first day looks like. Who speaks to whom. What systems get prioritised. What authority is delegated. What’s communicated to customers, and what isn’t.

One business I worked with in the financial services sector ran a full-day exercise every year where senior executives were forced to make decisions in a timed, simulated cyber attack. What stood out wasn’t the technical complexity. It was the friction between teams that had never really had to collaborate under pressure before: legal, marketing, ops, and the board. But after two years of doing it, they went from hesitant and reactive to calm, decisive and aligned.

You can’t rely on instinct when you’ve lost visibility. You need structure. That starts well before the incident ever hits.

Crisis Management Is Not Just Incident Response

It’s easy to assume that if you’ve got a good technical incident response plan, you’re covered. But cyber crisis management goes far beyond restoring systems or blocking malware.

A true crisis has organisational consequences. You may have to shut down operations. You may need to communicate with thousands of affected customers or suppliers. There might be legal obligations, regulatory scrutiny, reputational damage and media pressure, all unfolding in parallel.

That means the response must go far beyond the SOC or IT security team. Leadership needs to be integrated. Decisions around business continuity, public messaging, legal risk and internal coordination can’t be improvised.

The organisations that handle this well tend to have a dedicated crisis coordination function, not a full-time job necessarily, but a structure that is activated in a crisis. It usually includes a clearly identified leader (often not the CISO), empowered to pull in the right people and make time-sensitive decisions across business domains.

The Role of People: Trust and Clarity Matter Most

You can buy tools. You can build playbooks. But when the pressure is on, it’s people that determine whether you respond effectively or spiral into confusion.

The most critical aspect of human readiness isn’t technical skill, it’s clarity and trust. People need to know:

  • What their role is
  • What they’re authorised to decide
  • Who they can escalate to
  • What happens next

That’s what removes hesitation and rework.

In a crisis situation I observed at a manufacturing company, the incident spiralled because four different team leads were afraid to shut down a key system, and each assumed the others had the authority to do it. By the time they escalated the decision, the malware had moved laterally and the cost of recovery had tripled.

In contrast, another firm had role cards, decision trees and a clear chain of authority. The moment an alert reached a threshold, predefined triggers kicked in – not just technically, but operationally. Teams knew what to do, and more importantly, knew that they were allowed to do it.

If you’ve never talked about who gets to make uncomfortable decisions under stress, chances are no one will step forward when it’s time.

The Myth of the Single Scenario

One of the quiet dangers in cyber crisis preparation is over-focusing on a specific scenario, for example, simulating a ransomware attack every time. It gives a comforting illusion of readiness.

But real-world crises are unpredictable. They often involve overlapping problems: data theft, service disruption, reputational damage and compliance failures all at once.

The point of crisis exercises isn’t to perfectly mirror the next attack. It’s to stress-test your organisation’s ability to handle disruption under ambiguity.

That includes testing communications (how quickly do you get key messages to your stakeholders?), testing decision speed (how long does it take to authorise a shutdown or announce a breach?), and testing resilience (how well does your backup plan actually work in practice?).

Some of the best-run simulations I’ve seen have deliberately introduced unexpected twists halfway through: a key team member becoming unavailable, a media leak, or a sudden demand from the board. Because real crises rarely go to plan.

You Won’t Fix Culture in the Middle of a Crisis

If your teams don’t trust each other during normal operations, they won’t magically start collaborating during a breach.

That’s why cyber crisis management isn’t just a procedural issue, it’s cultural. Organisations that value openness, cross-functional cooperation, and psychological safety are far more likely to respond well under pressure.

In one firm we worked with, a frontline SOC analyst spotted signs of compromise but didn’t escalate for several hours. Not because he didn’t understand the risk, but because he’d previously been shut down when raising “false positives.” In another, a junior engineer stepped up and led a key recovery process because the culture allowed initiative, and the business bounced back faster than expected.

So if you want to know how your organisation will respond in a cyber crisis, ask yourself this: do your people feel safe raising the alarm?

What You Can Do Tomorrow

Crisis management isn’t something you fix overnight. But you can start improving tomorrow.

Talk to your exec team about who really makes decisions when a crisis hits. Look at your last serious incident (technical or not) and ask what would have gone differently with better coordination. Run a mini-tabletop scenario with two or three teams. Don’t make it perfect, make it real.

If you’re in the boardroom, ask how regularly the company rehearses cross-team cyber incident scenarios. If you’re in the tech function, make sure you know what the legal and communications teams expect in a breach. If you’re somewhere in the middle, find the gaps and start bridging them.

Final Thought

Cyber resilience is often talked about in terms of infrastructure and defences. But real resilience lives in how your organisation behaves when it’s blindsided, under pressure, and in the spotlight.

That’s when leadership is tested. That’s when your culture is revealed. And that’s when preparation, or the lack of it, shows up in every decision you make.

Because when a crisis hits, you’re not buying time. You’re spending trust.

So spend it wisely. And prepare now.