Courtney Guss | Director of Crisis Management

Effective cyber crisis management is not defined by documents or maturity models. It is defined by how an organization behaves in the first hours of a real incident—and what it uses to support those efforts.

In this blog series, we’ve been exploring why cyber crisis management so often breaks down when it matters most.

In Rethinking Cyber Crisis Management: Why Plans Fail—and What to Build Instead, we examined how plans fail when decision making collapses under real world pressure—not because teams are unprepared but because when events move faster than the script, authority, priorities, and accountability become unclear.

In The Missing Layer in Cyber Incident Response: Crisis Orchestration, we explored what happens next. Even when organizations know what they should do, they struggle to execute. Communication fragments. Ownership blurs. Information lives in too many places. And without a way to coordinate action in real time, response efforts begin to unravel.

At this point, the problems are clear. Now the question is: How can organizations fix those problems in meaningful, practical ways?

What does good cyber crisis management actually look like when plans give way to pressure, decisions must be made with incomplete information, and coordination determines outcomes?

Answering that question doesn’t start with another framework or checklist. It starts with a clear picture of the behaviors, structures, and capabilities that define a well-managed cyber crisis today.


What does good cyber crisis management look like in a real incident?

Despite more efforts to prepare for cyber incidents, many organizations are still blindsided by the reality of cyber crisis management.

Figure 1. Semperis research shows a significant gap between perceived preparation and outcomes when a real incident hits. (Source: The State of Enterprise Cyber Crisis Readiness)

That doesn’t mean those organizations are wrong to prepare. Effective cyber crisis management does not mean abandoning planning, readiness, or tabletop exercises. In fact, organizations that manage incidents well are almost always the ones that invest in those efforts.

Plans, runbooks, and simulations matter. They establish shared understanding, reveal and challenge assumptions, and enable teams to think through scenarios before the pressure is real.

The issue is not that organizations don’t practice or plan—it’s that too often, those plans are built and tested in ways that don’t translate to the first critical hours of a live incident. Many preparedness efforts focus on Plan A without considering what happens when that plan fails. When the expected path breaks down, do teams know how to adapt?

  • Is there a Plan B—or Plan C—to fall back on?
  • Is everyone on board with what matters most?
  • Who has the authority to make critical decisions in real time?

Be ready to pivot the crisis management script

When a real cyber crisis unfolds, events rarely follow the script. Information is incomplete. Priorities collide. New risks emerge by the minute. At that point, the value of preparedness is no longer measured by how closely teams follow a document but by how effectively they can apply the intent of the plan under pressure.

When teams manage a crisis well, a few things immediately become apparent—even to those outside the response:

  • Decisions are made without prolonged debate over authority
  • Actions move forward without confusion over ownership
  • Leaders can see what is happening without chasing updates
  • The organization maintains control, even as conditions change

This does not happen because the situation is simple.

It happens because preparation is designed in a way that holds up when reality diverges from expectation.


At its core, good cyber crisis management is the ability to translate preparedness into coordinated action—aligning leadership judgment with execution in real time, while preserving visibility, accountability, and defensibility throughout the response.

That alignment is what counts most in the first hours of a crisis.


In poorly managed incidents, teams are often busy but loosely aligned. Communication is constant yet fragmented. Decisions stall or are revisited because authority is unclear or context is missing. Leaders rely on summaries rather than shared visibility, slowing response when time matters most.

In well-managed incidents, the opposite is true.

  • The organization moves deliberately.
  • The right people engage early.
  • Decision authority is understood and exercised.
  • Information flows through a shared operational picture.
  • Execution adapts as the situation evolves without losing coherence or momentum.

And importantly, success is not defined by perfection.

Every crisis involves uncertainty and the ability to revisit decisions as new information emerges. What defines good crisis management is not getting everything right the first time—it is maintaining the ability to act, adjust, and defend decisions as the situation unfolds.

That capability does not come from planning alone. It comes from preparing the organization to operate when plans meet reality.


Align on what matters most: The North Star for crisis decision-making

Before authority can be exercised effectively—and before execution can move at speed—there must be alignment on something more fundamental: what matters most when tradeoffs become unavoidable.

In every cyber crisis, organizations face decisions that cannot be solved with technical precision alone.

  • Systems can’t all be restored at once.
  • Risks can’t all be eliminated simultaneously.
  • Information arrives unevenly.
  • Time is limited.

In those moments, the question is not simply who has the authority to decide — it is what those decisions should optimize for.


Organizations that struggle during crises often lack this alignment. Teams operate according to different, sometimes competing priorities:

  • Security focuses on containment.
  • IT focuses on restoration.
  • Legal focuses on exposure.
  • Business leaders focus on continuity.
  • Communications focuses on reputation.

These perspectives aren’t wrong. But without a shared North Star, they compete rather than converge.

Organizations that manage cyber crises well invest time upfront aligning on what matters most when pressure is highest. That alignment might center on protecting patient safety, preserving customer trust, maintaining critical operations, meeting regulatory timelines, or minimizing long-term reputational damage.

The specific priorities differ by organization. What matters is that they are understood, agreed upon, and operationalized before a crisis begins.

When this alignment exists, decision-making becomes clearer—even when events don’t follow the plan. Leaders can improvise without drifting. Teams can adapt without fragmenting. Decisions made in moments of uncertainty remain aligned with the organization’s values and obligations.

This is where many traditional preparedness efforts fall short. Tabletop exercises often focus on scenario-specific actions rather than priority-driven tradeoffs. Plans outline steps, but not the business intent behind them. When reality diverges from expectations, teams lose their bearings—not because they don’t know what to do, but because they’re unsure what they’re optimizing for.

Alignment changes that.

  • When priorities are clear, authority can be exercised decisively.
  • When priorities are shared, execution becomes faster and more consistent.
  • When priorities are visible, coordination improves even as conditions evolve.

That alignment must live in the same operational environment as decision-making and execution. If priorities exist only in policy documents or slide decks, they disappear under pressure. When they are embedded into how crises are managed—reflected in task prioritization, decision rationale, and leadership visibility—they continue to guide behavior when improvisation is required.


Orchestration plays a critical role here.

Platforms like Ready1 don’t just help teams coordinate actions; they help organizations anchor response activities to agreed priorities in real time. By making decisions, actions, and context visible in one place, orchestration ensures that improvisation remains aligned rather than scattered.

In a cyber crisis, alignment is what allows authority to function and execution to follow. Without it, even clearly defined roles and rapid communication can pull teams in different directions. With it, the organization can move forward together, guided by a shared understanding of what truly matters when it matters most.


Pre-determine authority so that decisions don’t stall

Unclear authority and fragmented communication cause decisions to stall or splinter under pressure. By the time consensus is reached, opportunities are lost, risks increase, and confidence erodes.

In a well-managed crisis, decision authority is not discovered mid-incident. It has been exercised before, understood across teams, and reinforced through preparation that mirrors real conditions.

That does not mean leaders pre-decide every outcome. It means the organization has agreed in advance on who decides, what matters, what tradeoffs they are empowered to make, and how those decisions are communicated and executed once made.


One of the clearest signals of a well-managed cyber crisis is how quickly the organization can make—and stand behind—decisions while the situation is still unfolding.


When authority is prepared properly:

  • Teams escalate decisions instead of debating ownership
  • Leaders decide with confidence rather than hesitation
  • Execution moves forward without waiting for informal approvals
  • Decisions are documented naturally as part of the response

Many organizations misunderstand the role of preparedness here. Tabletop exercises often focus on what decision should be made, but rarely test how that decision is made, communicated, assigned, and tracked once pressure is real.

That distinction is a game changer.

During live incidents, the challenge is not identifying the “right” decision. It is ensuring the decision becomes action—quickly, visibly, and consistently across the organization.

This translation from decision to execution is where orchestration becomes essential.

Without orchestration, even well-defined authority degrades in practice. Decisions are shared verbally, buried in chats, or passed along inconsistently. Tasks are assumed rather than assigned. Leaders believe action is underway while teams wait for clarification.

With orchestration in place, authority is reinforced through structure:

  • Decisions are captured as they are made
  • Ownership is assigned immediately and explicitly
  • Execution is visible to leadership in real time
  • Blockers surface early rather than after delays

The result is not speed for its own sake, but decisions that hold because they are executed as intended.

This is what allows the first hours of a cyber crisis to count—not because everyone moves faster, but because everyone moves together, guided by clear authority and a shared operational picture.


Rethinking preparedness for the reality of cyber crisis management

Throughout this series, I’ve argued that cyber crisis management often fails when reality diverges from expectation. But the answer is not to plan less — it is to prepare differently.

Organizations that manage crises well are not the ones with the most playbooks or the most detailed response trees. They are the ones that focus preparedness on what matters most when plans break—because they know they will.

Meaningful preparedness accepts that improvisation is inevitable and prepares the organization to improvise well.

That means resisting the urge to overengineer playbooks, instead focusing on the scenarios that truly threaten the business: customers, patients, safety, operations, regulatory obligations, and trust.

It also means preparing around decision-making, not just technical steps.

  • Who decides when tradeoffs are unavoidable?
  • What authority do they have in the moment?
  • What priorities guide decisions when information is incomplete and time is short?

When organizations align on these questions in advance, improvisation becomes disciplined rather than chaotic. Decisions evolve, but they remain anchored to shared values and responsibilities.

Preparedness must also be exercised differently.

The most valuable exercises are not the ones where everything goes as planned, but the ones where assumptions fail—where information is missing, systems behave unexpectedly, and teams must adapt in real time.

This is where orchestration becomes essential.

Today’s cyber incidents are not just technical events—they are business crises that demand leadership judgment, cross-functional coordination, and accountability in real time.

Organizations that rethink preparedness—focusing less on perfect scripts and more on aligned improvisation—are better positioned to meet that reality.

They don’t just respond faster.
They respond with intent.

And when the next crisis arrives, they don’t just react. They manage it.


Read more about rethinking crisis management and cyber resilience