
Cyber crisis playbooks are failing teams on decision authority


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Many organizations still measure cyber crisis readiness by the presence of plans, playbooks, and tabletop exercises, yet Semperis argues those artefacts fail when real incidents demand prioritisation, escalation, and cross-functional decisions under pressure. The deeper problem is not documentation volume but decision authority and business alignment, because scripted response cannot cover cascading complexity.

NHIMG editorial — based on content published by Semperis: cyber crisis readiness, decision paralysis, and the North Star model


Questions worth separating out

Q: How should security teams prepare for cyber crisis decisions when the playbook breaks down?

A: Security teams should prepare by pre-defining decision rights, escalation paths, and business priorities before the incident begins.

Q: Why do incident response plans often fail during real cyber crises?

A: Incident response plans often fail because they assume the crisis will follow a known sequence.

Q: How do you know if crisis tabletop exercises are actually working?

A: They are working only if they expose uncertainty, conflicting priorities, and decision bottlenecks.

Practitioner guidance

  • Map crisis decision rights: define who can declare a crisis, approve customer communications, authorize shutdowns, and choose recovery order before the next event starts.
  • Separate runbooks from playbooks: use runbooks for technical execution and playbooks for coordination, escalation, and business decision points.
  • Test decision paralysis in tabletops: design exercises around conflicting information, cascading impacts, and executive tradeoffs.

What's in the full article

Semperis' full article covers the operational detail this post intentionally leaves for the source:

  • The specific gaps Semperis observed in communication and coordination during cyber crises.
  • The article's breakdown of how leaders should think about decision ownership under pressure.
  • The distinction Semperis draws between runbooks, playbooks, and true crisis decision frameworks.
  • The North Star framing used to align business priorities during incident recovery.

👉 Read Semperis' analysis of cyber crisis readiness and decision authority →


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 920

Cyber crisis readiness is a decision-governance problem, not a documentation problem. The article correctly rejects the idea that having a plan is the same as being prepared. In practice, many programmes optimize for audit evidence rather than operational authority, which creates a false sense of control. The practitioner conclusion is simple: if decision rights are unclear, response maturity is overstated.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who should own crisis recovery decisions in an organization?

A: Crisis recovery decisions should be owned by named leaders whose authority is agreed in advance and understood across security, IT, legal, and business teams. Ownership should be tied to specific actions such as declaring a crisis, approving communications, and setting restoration order. Undefined ownership is one of the fastest routes to paralysis.

👉 Read our full editorial: Cyber crisis readiness fails when plans outrun decision authority
