TL;DR: Cyber resilience fails or succeeds on people, process, and trust under pressure, according to Commvault’s STRIVE conversation with Dr. Jessica Barker. Clear decision ownership, preparation, and cross-team confidence matter more than tool choice when incidents force rapid coordination and imperfect information.
At a glance
What this is: This episode argues that cyber resilience is shaped by human decision-making, preparation, and trust as much as by technology.
Why it matters: It matters to IAM practitioners because identity, privilege, escalation, and recovery all depend on who can act, when they can act, and whether cross-team decisions are clear during incidents.
👉 Watch Commvault's STRIVE episode on the human side of cyber resilience
Context
Cyber resilience is often described as a tooling problem, but incident outcomes are usually determined by whether people can make and coordinate decisions under pressure. In practice, that means authority, communication, and preparation matter as much as architecture, especially when access decisions and recovery actions must happen quickly.
This is relevant to identity programmes because IAM, PAM, and NHI controls define who can do what during a disruption. When roles, escalation paths, and access boundaries are unclear, incident response slows and recovery becomes inconsistent. The article frames a human challenge, but the governance lesson is broader: resilience depends on decision rights as much as control design.
Key questions
Q: How should teams define decision ownership in cyber incident response?
A: Teams should assign named authority for containment, privileged access changes, and recovery actions before an incident happens. The aim is to remove ambiguity when time pressure is highest. Identity, PAM, and operations leaders should agree on who can approve emergency access, who can revoke it, and when escalation is mandatory so response does not stall.
Q: Why does preparation matter so much for resilience?
A: Preparation matters because stress reduces judgment quality and makes unfamiliar workflows slower. Tabletop exercises and simulations build muscle memory for the exact decisions teams need under pressure, including access revocation, escalation, and cross-team handoffs. Practitioners should measure whether teams can execute the workflow, not just whether the workflow exists.
Q: What do security teams get wrong about trust during incidents?
A: Teams often treat trust as a cultural concept rather than an operational enabler. In reality, trust determines whether information is shared quickly, whether decisions are accepted, and whether recovery actions can proceed without avoidable friction. Without it, even well-designed identity controls can be delayed or bypassed.
Q: Who is accountable when privileged access decisions fail during recovery?
A: Accountability should sit with the function that owns the decision path, not with whichever team happened to be online first. Incident governance should define who approves emergency privilege, who validates the business need, and who records the action for audit and post-incident review. Clear ownership reduces hesitation and preserves control.
Technical breakdown
Decision ownership in incident response
Decision ownership is the explicit assignment of authority for access changes, containment actions, and recovery steps during an incident. Without it, teams wait for approval, duplicate effort, or pass responsibility across functions. In identity-heavy environments, this affects who can revoke credentials, disable accounts, approve emergency access, or override normal workflows. The technical issue is not just process ambiguity. It is a control-plane problem where access governance and operational response are not aligned.
Practical implication: define incident-time authority for IAM, PAM, and NHI actions before an event forces teams to improvise.
Why preparation creates resilience under pressure
Preparation builds muscle memory for high-stress decisions. Tabletop exercises, simulations, and cross-functional drills reduce the cognitive load that appears when teams face incomplete information, conflicting priorities, and time pressure. This matters because resilience is rarely limited by a missing tool. It is more often limited by the team’s ability to recognise the situation, choose the right escalation path, and execute the correct identity or containment action without hesitation.
Practical implication: rehearse access revocation, emergency privilege use, and escalation handoffs as part of scenario testing.
Trust as an operational control
Trust between security, operations, infrastructure, and business teams functions like an operational control because it determines how quickly information moves and how readily people accept decisions. Where trust is weak, teams defend their own lanes, delay sharing evidence, and slow remediation. In identity governance terms, trust affects how quickly privileged actions are approved, how exceptions are handled, and whether recovery steps can proceed without friction. Culture does not replace controls, but it changes how effectively controls are used.
Practical implication: align incident playbooks with cross-team working agreements so identity actions can be executed without unnecessary friction.
NHI Mgmt Group analysis
Decision clarity is a resilience control, not a soft management issue. The article is right to stress that hesitation creates gaps, because incident response breaks down when no one knows who can approve revocation, escalation, or emergency access. In IAM and PAM programmes, those decision rights must be designed as part of control architecture, not left to informal coordination. Practitioners should treat authority mapping as a recoverability requirement.
Human confidence depends on repeated exposure to realistic scenarios. Teams do not improvise their best responses under pressure. They perform the responses they have already practised, which is why tabletop exercises and cross-functional simulations belong in resilience governance. For identity teams, that means testing access recovery, privileged override, and offboarding failure paths, not just authentication flows. Practitioners should measure readiness by execution quality, not attendance.
Trust between operational silos determines whether identity controls actually work during incidents. The article shows that security, infrastructure, and operations only become effective when they can share information and act quickly together. In identity governance, that translates into clean escalation paths, pre-approved emergency access boundaries, and shared language across teams. Practitioners should design for coordination, not just policy compliance.
Culture shapes the speed and consistency of access decisions. If security is perceived as a blocker, teams will route around controls during pressure events. If identity governance is embedded into business continuity thinking, controls are more likely to be used correctly when conditions deteriorate. This is where the intersection between resilience and IAM becomes practical: governance must support execution, not merely review it. Practitioners should align policy with operational reality.
What this signals
Decision rights should be treated as part of resilience architecture. For IAM and PAM programmes, the next maturity step is not adding more policy text, but proving that incident-time authority is explicit, rehearsed, and usable under pressure. That shift will matter most where access changes affect service continuity, emergency recovery, and offboarding.
Cross-team drills should now be read as control validation, not awareness activity. If a team cannot revoke access, approve emergency privilege, and coordinate escalation during a simulated event, then the identity governance model is not operationally ready.
Culture and control design are converging. The organisations that recover fastest are the ones that embed identity decisions into continuity planning, so access governance supports action instead of slowing it down.
For practitioners
- Define incident-time decision ownership Document who can revoke credentials, approve emergency elevation, and trigger containment actions during outages or security events. Make those decisions explicit in the incident runbook and align them with IAM, PAM, and operational roles.
- Exercise identity recovery paths Run simulations that force teams to handle account lockouts, privileged access failures, and emergency access approvals under time pressure. Measure whether teams can complete the identity actions without waiting for ad hoc escalation.
- Pre-approve cross-team escalation routes Map the handoffs between security, infrastructure, operations, and business leadership so escalation does not stall when one team is unavailable. Keep the route simple enough that it still works during a major incident.
- Test trust-dependent workflows Validate whether incident workflows still function when teams must share evidence, approve access changes, and coordinate recovery across organisational boundaries. Where friction appears, simplify the process rather than assuming people will compensate.
Key takeaways
- Cyber resilience depends on whether people can make clear decisions quickly when normal processes are under stress.
- Prepared teams recover faster because rehearsal reduces hesitation, confusion, and unnecessary escalation during incidents.
- IAM and PAM controls only support resilience when decision ownership, trust, and escalation paths are designed to work together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RR-01 | Resilience depends on clear roles and responsibilities during incidents. |
| NIST SP 800-53 Rev 5 | IR-4 | Incident handling requires defined response actions and escalation paths. |
| ISO/IEC 27001:2022 | A.5.24 | Information security incident management requires coordinated response processes. |
| CIS Controls v8 | CIS-17 , Incident Response Management | The article is fundamentally about how teams behave during incidents. |
Use A.5.24 to verify that identity-related incident roles, routes, and evidence handling are documented and tested.
Key terms
- Decision Ownership: Decision ownership is the assignment of clear authority for a specific action during an incident, such as revoking access, approving emergency privilege, or escalating a problem. It removes hesitation by making accountability explicit before pressure rises and conditions become ambiguous.
- Incident Readiness: Incident readiness is the ability of a team to execute response actions consistently under pressure. It depends on preparation, rehearsal, role clarity, and coordination, not just on having written procedures. For identity programmes, readiness includes testing access recovery and privilege changes.
- Operational Trust: Operational trust is the confidence that teams will share information, accept decisions, and coordinate actions quickly enough to support response and recovery. It is not a soft cultural slogan. In practice, it determines whether governance controls can be used efficiently during a real incident.
What's in the full article
Commvault's full STRIVE episode covers the practical detail this post intentionally leaves for the source:
- The full discussion of how Dr. Jessica Barker frames confidence, trust, and decision-making under pressure.
- Examples of how culture affects incident response behaviour in real organisations.
- The episode's broader framing of resilience as a human and organisational issue, not just a technical one.
- The complete set of STRIVE discussion points on preparation, ownership, and team coordination.
👉 The full Commvault episode covers decision-making, trust, and preparation in more depth.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM, secrets management, and workload identity. It is designed for practitioners who need stronger identity control across operational and recovery workflows.
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org