
Incident Response: What Executives Need to Know

December 18, 2024 · 3 min read

When a security incident occurs, executives must make critical decisions quickly. Preparation is key, and I have seen the difference play out dozens of times. The prepared organizations contain the damage and recover within days. The unprepared ones panic, make impulsive decisions that worsen the situation, and suffer consequences lasting months or years. I have been called in during active breaches where the CEO was making technical decisions they did not understand, the legal team was drafting notifications before the scope was known, and IT was destroying forensic evidence by reimaging compromised systems. Every one of those mistakes was avoidable.

Executive Role in Incidents

Executives have specific responsibilities during a security incident that cannot be delegated.

  • Resource authorization - The incident response team needs authority to pull people from other projects, engage external forensic experts, and take systems offline. I recommend pre-authorizing an incident response budget so the team does not waste critical hours seeking approval.
  • Communication decisions - Who needs to be informed, when, and how? The wrong communication at the wrong time can cause more damage than the incident itself.
  • Business continuity trade-offs - Containing an incident often requires taking systems offline. Executives must balance containment speed against business impact, understanding that delays typically increase total cost.
  • Legal and regulatory compliance - Under GDPR, organizations must notify supervisory authorities within 72 hours of becoming aware of a personal data breach. NIS2 adds additional requirements. Executives must ensure compliance timelines are met.

Key Questions to Ask

During an incident, executives should ask structured questions to understand the situation without micromanaging the technical response.

  • What is confirmed vs suspected? - Early in an incident, most information is uncertain. I have seen companies shut down entire data centers based on suspicions that turned out to be false alarms.
  • What data and systems are affected? - The blast radius determines notification obligations, customer impact, and recovery complexity.
  • Is the threat contained? - Containment must be confirmed before recovery begins; otherwise the attacker may re-establish access during recovery, and the team may rebuild systems that are still compromised.
  • What are our notification obligations? - Based on data affected and jurisdictions involved, what are the legal requirements? Pre-identifying these for different scenarios saves critical time.

Communication Strategy

Every message should be reviewed by legal, approved by an executive, and delivered through agreed-upon channels.

  • Internal - Keep staff informed without creating unnecessary alarm. Employees who do not know what is happening will speculate and potentially share incorrect information externally.
  • External - Customers, partners, and regulators each need different messages. Customer communications should focus on what happened, what data was affected, and what they should do.
  • Media - Prepare statements in advance and designate a single spokesperson. Never speculate, never blame, and never minimize. I have seen organizations survive serious breaches with reputation intact because they communicated transparently.

Post-Incident Activities

What happens after the incident is just as important as the response itself.

  • Root cause analysis - Understand not just what happened, but why it was possible. I participate in these reviews for my clients and contribute the attacker's perspective.
  • Lessons learned - Document what worked and what did not. Capture these within two weeks while memories are fresh.
  • Control improvements - Translate lessons into specific, funded improvements with assigned owners and deadlines.
  • Board reporting - Prepare a comprehensive incident report covering what happened, the response, business impact, and improvements being implemented.

Tabletop Exercises

The single most effective preparation is practice. I facilitate tabletop exercises where leadership teams walk through realistic breach scenarios. These consistently reveal gaps in plans, unclear authorities, and communication breakdowns that are far better discovered in a conference room than during a real crisis. I recommend conducting these at least twice a year with varying scenarios.

Choosing External Partners

Every organization should have relationships with external incident response partners established before an incident occurs. Trying to find forensic firms, specialized legal counsel, and crisis communication experts during an active incident is extremely difficult and expensive. Establish retainer agreements and include these partners in tabletop exercises so everyone knows their role when an incident occurs.

Vid Grosek


Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
