Incident Response Failures: Why Breaches Expose Weaknesses

by Ahmed Hassan - World News Editor

Incident Response Plans Often Fail Under Pressure, Experts Say

Cybersecurity incident response plans, despite significant investment and careful documentation, frequently falter when put to the test during a real-world breach. The reasons are often less about technological shortcomings and more about human factors – hesitation, poor communication, and a lack of realistic preparation, according to security professionals.

Jon David, Managing Director at NR Labs, explained in a recent Help Net Security video that attackers exploit vulnerabilities in trust, connectivity, and human behavior more often than they exploit technical flaws. He draws on years of observing attackers to highlight the common pitfalls that allow breaches to escalate.

A key issue is the difficulty teams have activating response plans when under duress. David points to a tendency for hesitation and inadequate escalation procedures, allowing attackers to gain ground while defenders struggle to coordinate. This is compounded by alert overload, which slows down decision-making processes, and a lack of clear information reaching executive leadership.

The consequences of delayed or ineffective incident response are substantial. According to a 2025 New Relic survey, high-impact IT outages now carry a median cost of $2 million per hour, translating to roughly $33,000 per minute, and result in annual losses averaging $76 million per organization. IBM’s “Cost of a Data Breach Report 2025” found that breaches contained within 200 days averaged $3.87 million in losses, compared to $5.01 million when detection and response took longer. Beyond financial costs, organizations face potential downtime, regulatory penalties, and reputational damage.

The problem isn’t necessarily the plans themselves, but rather the assumption that a written plan automatically translates to effective execution. As Daniel Kennedy, an analyst at S&P Global Market Intelligence, noted, some plans become overly technical and quickly outdated, while others are so vague they lack actionable steps. He emphasizes the need for plans that work “under pressure” by clearly defining roles and responsibilities.

Training and regular stress-testing are crucial components of a robust incident response strategy. Organizations often fall into the “training trap,” believing that simply having a plan is sufficient. However, without consistent training under high-stress conditions, teams are prone to mistakes, miscommunication, and poor decision-making.

The 2017 Maersk ransomware attack, which crippled the shipping giant’s operations by shutting down 49,000 endpoints and 1,200 applications across 600 global sites, serves as a stark example of the consequences of inadequate preparation. The attack forced Maersk to rebuild its entire IT infrastructure, highlighting the devastating impact of a poorly executed response.

Organizations frequently document gaps identified during incident exercises or real-world breaches but fail to remediate them. Identifying weaknesses is only valuable if followed by concrete action to address those vulnerabilities. This requires a commitment to continuous improvement and a willingness to learn from past experiences.

David advocates for preparation that brings together security teams, leadership, legal counsel, and communications professionals *before* an incident occurs. This collaborative approach ensures that all stakeholders are aligned and prepared to respond effectively when a breach inevitably happens. Tabletop exercises, in particular, can help teams practice their response procedures and identify areas for improvement in a controlled environment.

Successful incident response isn’t about having the most sophisticated tools or the most detailed plan. It’s about fostering a culture of preparedness, prioritizing clear communication, and empowering teams to act decisively under pressure. The human element, experts say, is often the deciding factor in whether a breach is contained quickly and effectively, or spirals into a prolonged and costly crisis.
