Why Incident Response Plans Fail Under Pressure
Source: NSB Cyber
On paper, most organisations have an Incident Response Plan (IRP). Acting both as consultants and as first-line incident responders, we have seen many of them. They are usually neatly documented, outlining escalation paths, communication steps, and decision-making processes.
Yet, when an actual incident occurs, we often see these plans fail to hold up under pressure. The issue is rarely that there is no plan, but that the plan was never tested against the reality of a cyber incident.
The Gap Between Theory and Reality
In our view, the biggest challenge is that many IRPs are written for a controlled environment. They assume information will be complete, roles will be clear, and decisions will flow in a logical order. In reality, incidents are messy. Facts change rapidly, communications overlap, and stakeholders - including regulators, clients, and the media - expect answers long before the full picture is clear.
Under those conditions, a plan that looks sound on paper can quickly become irrelevant.
Simulation Exercises: The Key to Preparedness
This is where simulation exercises become critical. Table-top scenarios can help expose weaknesses that would otherwise remain hidden until it is too late.
In our experience, common issues consistently emerge:
Over-reliance on a single decision-maker
Unclear lines of accountability
Gaps between technical and business teams
Delays in escalating to senior leadership
Without identifying these gaps ahead of time, the first real test of the plan becomes the live incident itself.
Leadership Matters
Boards and executives play a pivotal role in simulations. Their participation:
Provides visibility of the complexity teams face
Strengthens alignment between technical teams and leadership
Ensures cyber obligations are treated with the same weight as financial or operational ones
Brings organisational context (growth strategies, regulatory obligations, risk appetite) that technical teams may not fully see
Documenting Lessons for a Defensible Position
Equally important is how the organisation demonstrates that lessons have been acted upon. In our expert witness work, we have seen organisations criticised not simply because their IRP failed, but because they could not show a process of continuous improvement.
Regulators look for evidence that simulations were conducted, that shortcomings were identified, and that the plan was updated as a result.
Documenting this cycle builds a defensible position: it shows that incident preparedness is being managed consciously and proportionately.
The Benefits of a Tested IRP
The outcome of this approach is twofold. First, the organisation is better prepared to respond effectively during a real incident, reducing the likelihood of avoidable missteps that can compound the damage. Second, it provides ongoing assurance that obligations have been approached reasonably, with evidence to support decisions if they are ever tested by a regulator or external stakeholders.
Our Advice
We have seen first-hand what happens when incident response plans are left untested until the moment of crisis.
Our advice? Do not wait until you are in the middle of a breach to find out whether your plan works. Test it, refine it, and create confidence before you need it most.
Build lasting cyber resilience. Book your meeting with NSB Cyber today.