
Cybersecurity Incident Response Needs A War Room, Not A Playbook

When Kevin Mandia got the call in 2020 that his cybersecurity company Mandiant (then a division of FireEye) had been breached, the details raised alarms immediately. “It smelled like the SVR to me right out of the gates,” he said, referring to Russia’s foreign intelligence service. “They had a smart way of getting past our two-factor authentication and were targeting us in a way that showed professionalism.” Instead of grabbing everything they could, the intruders selectively searched and minimized what they took – a telltale sign of a cunning foreign intelligence operation.

It was the start of what became the SolarWinds cyberattack, which ultimately impacted over 18,000 organizations. But for Mandia, who has been responding to breaches since the 1990s, the real lesson wasn’t just about attribution. It was about preparedness. Most companies, he said, respond to incidents with improvised command centers and ad hoc decision-making. In an era of escalating regulatory pressure and reputational risk, that’s no longer enough. Cybersecurity incident response requires speed, structure and coordination across legal, technical and executive teams, and that structure is far more effectively built before a crisis than during one.

Static Plans vs. Dynamic Cybersecurity Incident Response

Andy Lunsford, CEO of cybersecurity incident response company BreachRx, saw the same shortcomings from a different vantage point. After years litigating privacy and commercial cases, he observed a troubling pattern: attackers often operate with more discipline and coordination than the organizations they target. “You can defend 99,000 attacks,” he said. “They just have to get in one time to take you down.”

According to Lunsford, most companies still approach incident response reactively. “They’ve got the people they want to call,” he said, “but they don’t necessarily have a systematic approach.” That lack of structure becomes a liability when companies must manage not just the breach itself but the fallout: regulatory disclosures, legal exposure, customer notifications and board communication. “The ramifications within the business, including regulators and auditors, can be a lot more complicated” than addressing the breach itself, Lunsford said.

Real-World Cybersecurity Incident Response Beats Tabletop Exercises

Traditional tabletop exercises don’t cut it, according to both leaders. “They’re a thought exercise in a room,” said Lunsford. “But that’s not how you’re going to execute the real incident. People are going to be scattered. Some won’t be available.” Instead, he advocates for role-based training that mimics real-world complexity, where responses unfold over time, across functions, and under pressure.

Mandia, who serves on the board of BreachRx and whose company is now part of Google Cloud, said one of the most overlooked failures is how few companies have clarified what kinds of incidents should be elevated to the CEO or board. “You’d be shocked how often those answers are vague or inconsistent,” he said. Mandia didn’t learn that his cybersecurity incident response team was responding to his own breach until four or five days in, because the internal bar for elevation had been set so high and the team was more focused on response than communication.

A Dynamic Cybersecurity Incident Response Strategy

Conventional breach response plans often consist of static documents stored in compliance binders. By contrast, BreachRx automates tailored action steps based on the nature and jurisdiction of the incident, coordinates communication across legal, risk and executive leadership, and provides an out-of-band, privileged communication environment for discussions that would otherwise be discoverable in litigation. This matters not just for operational efficiency, but for protecting the company – and its executives – from regulatory penalties and litigation. The approach prevents silos within technical teams and provides real-time communication with boards, security, risk and legal counsel. With over 200 global regulations, tighter timelines and increasing personal liability, cybersecurity incident response is now a governance issue and a strategic imperative.

Cybersecurity Incident Response Is Now a Leadership Imperative

The evolution from seeing breaches as rare “black swan” events to treating them as inevitable business risks is long overdue. “All companies have incidents happen all the time,” Lunsford said. “It’s just a normal part of operating a business in the modern era.” That makes it imperative for executives to get ahead of the crisis rather than wait until it unfolds.

Mandia emphasized that when breaches happen, CEOs aren’t just thinking about compliance. “They’re thinking, how do I maintain trust in my business? How do I get up and running?” The ability to respond quickly, with coordination and confidence, is what separates a stumble from a scandal.

“Many incidents have unique aspects to them and there’s nothing wrong with a certain level of ad hoc decision-making to manage the uniqueness,” Mandia said. “But anything that clarifies that process systematically and ensures consistency is critical. Every hour counts.”

From Defense to Discipline

There’s a saying in the military: you don’t rise to the occasion – you fall to your level of training. The same applies to cybersecurity incident response. In today’s threat environment, the companies that succeed won’t be the ones with the longest policies or the biggest budgets. They’ll be the ones who rehearse regularly under realistic conditions, coordinate across departments and treat cybersecurity not as a tech issue, but as a leadership discipline.
