<p>Like the best-laid plans of mice and men, even the best-intentioned cybersecurity <a href="https://www.techtarget.com/searchsecurity/definition/incident-response">incident response</a> plans can go awry. When they do, the consequences can be ugly, as many organizations have discovered in recent years.</p>
<p>A 2025 survey of 1,700 IT and engineering professionals by New Relic reported that high-impact IT outages now carry a median cost of $2 million per hour — roughly $33,000 every minute — and result in annual losses averaging $76 million per organization. The longer an incident drags on, the greater the damage. IBM’s “Cost of a Data Breach Report 2025” <a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener">found</a> that breaches contained within 200 days averaged $3.87 million in losses, compared with $5.01 million when detection and response took longer.</p>
<p>Cost is not the only issue. Organizations can also face prolonged downtime, regulatory penalties and reputational damage from long-tailed incidents.</p>
<p>When incident response plans fail or don’t work as intended, the reasons can be complex and varied. Causes include gaps in team coordination, unanticipated system failures, inadequate threat intelligence and attackers exploiting previously unknown vulnerabilities.</p>
<p>Security analysts pointed to several likely culprits for incident response plan failures.</p>
<section class="section main-article-chapter" data-menu-title="Complex or vague plans">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Complex or vague plans</h2>
<p>Poorly written plans with incomplete problem cases and responses can stymie incident response efforts. So, too, can overly detailed checklists that don’t fit reality or high-level fluff with no actionable steps.</p>
<p>“Some plans I’ve seen become overly technical and are out of date the moment they’re completed,” said Daniel Kennedy, an analyst at S&P Global Market Intelligence. “Some start to read like a legal policy document and, thus, the people who have to execute steps in the plan don’t understand what they’re supposed to do.”</p>
<p>The key, according to Kennedy, is to <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-incident-response-playbook">develop incident response plans</a> that work under pressure by clearly defining who does what. Plans must be technical enough to guide actions, but clear enough that responders understand their roles. Getting stakeholder input and senior leadership buy-in during planning, though difficult, pays off when an actual incident occurs.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Unclear roles and responsibilities">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Unclear roles and responsibilities</h2>
<p>Bad things can happen when no one knows who’s in charge or what they’re supposed to do during an incident.</p>
<p>Successful plans establish explicit decision-making hierarchies with preauthorized response actions that don’t require real-time approval, said Mari DeGrazia, certified SANS instructor and director of incident response at IDX.</p>
<p>“Teams know exactly who can authorize network isolation, system shutdowns or external communications without waiting for executive approval during critical moments,” she said. “This includes having things like presigned legal agreements with forensics firms, clear spending authorities for emergency resources and documented escalation triggers that automatically activate additional response capabilities.”</p>
<p>Kennedy added, “A common problem occurs when senior managers without clearly defined incident response roles insert themselves into active incident response, overriding established procedures and previously agreed-upon response steps. That person usually has enough organizational power to start people doing other things, or can demand people stop to answer their questions, but hasn’t invested enough time in knowing the plan that was carefully written in calm seas.”</p>
<p>Though often well-meaning, such interference can derail an entire response process.</p>
<p>“Having a very senior resource, even C-level, be involved with and approve the carefully written planning steps can overcome this issue,” Kennedy said.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Inadequate tooling and access">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Inadequate tooling and access</h2>
<p>Incident response plan failures can also occur when responders lack the necessary tools, credentials or permis
[…]