Incident Response: The Plan Must Work Before the Incident Happens

Incident response is one of the clearest indicators of cybersecurity maturity. The question is not whether an organisation has a document called an incident response plan. The question is whether the organisation can execute it under pressure.

During a cyber incident, time compresses. Technical teams investigate, legal teams assess notification obligations, executives need decisions, communications teams prepare messaging, regulators may need to be informed, customers may be affected, and business teams want services restored.

A strong incident response capability defines roles, escalation paths, decision rights, severity levels, communication channels, evidence handling, external support, and recovery coordination. It should also be integrated with business continuity, disaster recovery, cyber insurance, legal privilege, and crisis communications.

Testing is essential. Tabletop exercises, technical simulations, ransomware scenarios, supplier outage exercises, and executive crisis rehearsals expose gaps before a real incident does.

The most common weaknesses are unclear ownership, slow escalation, poor logging, untested backups, inadequate communication, and uncertainty over regulatory reporting timelines.

Incident response should be treated as an operational capability, not a compliance document.

Key message: The middle of a cyber incident is the worst time to discover that nobody knows who is in charge.