Many companies fail at cybersecurity incident response. Here’s how leaders can prepare better, respond faster and protect trust when every hour - and decision - counts.
had been breached, the details raised alarms immediately. “It smelled like the SVR to me right out of the gates,” he said, referring to Russia’s foreign intelligence service. “They had a smart way of getting past our two-factor authentication and were targeting us in a way that showed professionalism.” Instead of grabbing everything they could, the intruders selectively searched and minimized what they took – a telltale sign of a cunning foreign intelligence operation.

SolarWinds cyberattack, which ultimately impacted over 18,000 organizations. But for Mandia, who has been responding to breaches since the 1990s, the real lesson wasn’t just about attribution. It was about preparedness. Most companies, he said, respond to incidents with improvised command centers and ad hoc decision-making. In an era of escalating regulatory pressure and reputational risk, that’s no longer enough. Cybersecurity incident response requires speed, structure and coordination across legal, technical and executive teams, and that structure is far more effectively built before a crisis than during one.

Andy Lunsford, CEO of cybersecurity incident response company saw the same shortcomings from a different vantage point. After years litigating privacy and commercial cases, he observed a troubling pattern: attackers often operate with more discipline and coordination than the organizations they target. “You can defend 99,000 attacks,” he said. “They just have to get in one time to take you down.”

According to Lunsford, most companies still approach incident response reactively. “They’ve got the people they want to call,” he said, “but they don’t necessarily have a systematic approach.” That lack of structure becomes a liability when companies must manage not just the breach itself but the fallout: regulatory disclosures, legal exposure, customer notifications and board communication. “The ramifications within the business, including regulators and auditors, can be a lot more complicated” than addressing the breach itself, Lunsford said.

Traditional tabletop exercises don’t cut it, according to both leaders. “They’re a thought exercise in a room,” said Lunsford. “But that’s not how you’re going to execute the real incident. People are going to be scattered. Some won’t be available.” Instead, he advocates for role-based training that mimics real-world complexity, where responses unfold over time, across functions, and under pressure.

Mandia, who serves on the board of BreachRx and whose company is now part of Google Cloud, said one of the most overlooked failures is how few companies have clarified what kinds of incidents should be elevated to the CEO or board. “You’d be shocked how often those answers are vague or inconsistent,” he said. Mandia didn’t learn that his cybersecurity incident response team was responding to his own breach until four or five days in, because the internal bar for elevation had been set so high and the team was more focused on response than communication.

Conventional breach response plans often consist of static documents stored in compliance binders. By contrast, BreachRx automates tailored action steps based on the nature and jurisdiction of the incident, coordinates communication across legal, risk and executive leadership, and provides a privileged, out-of-band communication environment for discussions that would otherwise be discoverable in legal cases. This matters not just for operational efficiency, but for protecting the company – and its executives – from regulatory penalties and litigation. The approach prevents silos within technical teams and provides real-time communication with boards, security, risk and legal counsel. With over 200 global regulations, tighter timelines, and increasing personal liability, cybersecurity incident response is now a governance issue and a strategic imperative.

The evolution from seeing breaches as rare “black swan” events to treating them as inevitable business risks is long overdue. “All companies have incidents happen all the time,” Lunsford said. “It’s just a normal part of operating a business in the modern era.” That makes it imperative for executives to get ahead of the crisis rather than wait until it unfolds.

Mandia emphasized that when breaches happen, CEOs aren’t just thinking about compliance. “They’re thinking, how do I maintain trust in my business? How do I get up and running?” The ability to respond quickly, with coordination and confidence, is what separates a stumble from a scandal. “Many incidents have unique aspects to them and there’s nothing wrong with a certain level of ad hoc decision-making to manage the uniqueness,” Mandia said. “But anything that clarifies that process systematically and ensures consistency is critical. Every hour counts.”

There’s a saying in the military: you don’t rise to the occasion – you fall to your level of training. The same applies to cybersecurity incident response. In today’s threat environment, the companies that succeed won’t be the ones with the longest policies or the biggest budgets. They’ll be the ones who rehearse regularly under realistic conditions, coordinate across departments and treat cybersecurity not as a tech issue, but as a leadership discipline.