Threatonomics

The essential guide to cyber incident response leadership and decision making

by Emma McGowan, Senior Writer

From tabletop exercises to real incidents: why preparation determines outcomes

When 43% of UK businesses report experiencing a cyber breach or attack in just the past year, the question isn’t whether your organization will face a cyber incident—it’s how well you’ll respond when it happens. 

This stark reality was at the center of a recent webinar hosted by Resilience, featuring insights from Scott Tenenbaum, Head of North American Claims, and Graeme Manzi, Security Risk Services Lead for UK & Europe. Their combined experience—Scott with “hundreds of incidents” and Graeme’s background spanning Royal Marines Commando communications systems to cybersecurity consulting before, during and after an incident—offers a roadmap for organizations seeking to build true cyber resilience.

Why traditional models are breaking down

The cybersecurity landscape has fundamentally shifted, and the numbers tell a sobering story. According to Manzi, “the average breakout time, which is the time from initial access to lateral movement just continues to drop.” The data is striking: CrowdStrike’s 2024 report showed this critical window dropped from an average of an hour and a half to just an hour between 2022 and 2023, while the fastest time they recorded for that breakout was just two minutes.

This acceleration has led to an evolution beyond traditional incident response frameworks. The venerable PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned), developed over 20 years ago, “brought order to chaos and created that initial structure” when “attacks evolved much more slowly,” Manzi explains. Similarly, while NIST SP 800-61 Rev. 2 “became the default in particular, because it scaled better” and “aligned with regulatory expectations,” it too was designed for a different era.

Recognizing these limitations, NIST SP 800-61 Rev. 3 is the latest revision of the incident response guidance, designed for the speed and complexity of modern attacks. Released in April 2025, Rev. 3 is built around the NIST Cybersecurity Framework (CSF) version 2.0 and its six core functions: govern, identify, protect, detect, respond, and recover.

A significant change in Rev. 3 is its repositioning of incident response as a continuous, organization-wide activity that spans all six functions rather than a standalone lifecycle. As Manzi notes, “if you are still using Rev. 2 in isolation, your response plans may well be well structured, but it may be not fully aligned with how incident response operates today in an integrated risk driven environment.”

Enter the DAIR model (Detect, Analyze, Investigate, Respond), which “reflects how today’s incidents actually unfold. They’re fast, they’re messy and ideally intelligence driven. It’s nonlinear by design. It’s the modern model for modern attacks.” NIST Rev. 3 is quite well aligned with this approach, acknowledging that modern incidents require extensive feedback loops for continuous re-scoping as new information emerges.

Both frameworks reinforce the need for a coordinated, cross-functional response during an incident. As Manzi emphasizes, incident response is a “team sport, particularly in a severe incident. It’s going to require a cross-functional response. It’s not just the security or IT team. It’s going to involve legal, communications, cloud infrastructure, executives, lots of different people.” The crucial point is that everyone needs to know their roles and responsibilities before pressure hits.

The four pillars of effective response

When a cyber incident unfolds at breakneck speed, organizations need more than just detection—they need the ability to rapidly contain and respond, effectively “pulling up the digital drawbridge” to limit the severity and scope of the attack. This containment capability, honed through practice and preparation, can mean the difference between a minor security event and a business-threatening crisis.

The goal isn’t just to identify what’s happening, but to systematically tighten security controls across your environment, limiting an attacker’s ability to move laterally and cause further damage. As Manzi explains, effective response requires a coordinated approach that protects multiple digital assets in a proportional and premeditated manner while “limiting the adversary without simultaneously disrupting business operations and trying to preserve forensic value.”

When seconds count, response teams need a clear framework for action. Manzi identifies four critical elements that effective response actions must address.

1. Endpoints and devices

The first line of defense is quarantining compromised endpoints fast, using automation and EDR (endpoint detection and response) tools. As Manzi notes, “that two minute breakout time is only possible with automation. So we need to counteract that as well with automated response.”

2. Networks

Network containment focuses on using firewalls and network access policies to block malicious traffic and contain affected segments in order to limit the blast radius of an incident.

3. Identities

Perhaps most critically, teams must disable or reset high-risk accounts immediately. Manzi poses a question every organization should be able to answer: “How easily could your organization do a global password reset?” Recent high-profile incidents have shown that this capability can decide whether a response succeeds.

4. Permissions

The final pillar involves rapidly stripping excess permissions, especially from administrator, privileged and service accounts. The goal is true least privilege, not lip service to the concept.
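As an added example (not from the webinar and not Resilience’s own tooling), here is what pillars 3 and 4 look like as a PowerShell script against on-premises Active Directory: disable the accounts the investigation has tied to the intrusion, reset every enabled account in scope with a random password and force a change at next logon, then strip the built-in privileged groups back to an allow-list. It starts in dry-run mode so the output is a plan the incident lead can approve before anything changes. The OU, account and group names are hypothetical placeholders, and the script assumes the RSAT ActiveDirectory module, rights to reset passwords and edit those groups, and a C:\IR folder for the audit log.

```powershell
# Added example, not from the webinar or from Resilience. A staged, scoped
# emergency password reset and privilege strip for on-premises Active Directory.
# Assumptions: RSAT ActiveDirectory module, rights to reset passwords and edit
# privileged groups, and a C:\IR folder for the audit log. All OU, account and
# group names below are hypothetical placeholders.
#Requires -Modules ActiveDirectory

$DryRun      = $true                                   # report only; set to $false once the incident lead authorises
$Scope       = 'OU=Staff,DC=corp,DC=example'           # hypothetical OU; use the domain root for a true global reset
$HighRisk    = @('jdoe', 'svc-helpdesk')               # hypothetical: accounts the investigation tied to the intrusion
$BreakGlass  = @('breakglass-admin', 'svc-backup')     # hypothetical: excluded here and reset by hand afterwards
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$KeepInTier0 = @('breakglass-admin')                   # hypothetical allow-list of members to retain
$LogPath     = "C:\IR\reset-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"

$results = [System.Collections.Generic.List[object]]::new()
function Record([string]$Account, [string]$Action) {
    # Every action, taken or merely planned, lands in the audit trail with its dry-run state.
    $results.Add([pscustomobject]@{ Time = Get-Date; Account = $Account; Action = $Action; DryRun = $DryRun })
}

function New-RandomPassword {
    # 24 random bytes, base64-encoded: nobody learns it, so the user must re-enrol via the help desk.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Pillar 3, step 1: disable known-compromised accounts first; this is the cheapest, fastest action.
foreach ($sam in $HighRisk) {
    if (-not $DryRun) { Disable-ADAccount -Identity $sam }
    Record $sam 'disabled'
}

# Pillar 3, step 2: reset every enabled account in scope and force a change at next logon.
foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $Scope) {
    if ($BreakGlass -contains $user.SamAccountName) { continue }
    if (-not $DryRun) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
    Record $user.SamAccountName 'password-reset'
}

# Pillar 4: remove every direct member of the built-in privileged groups that is not on the allow-list.
# Nested groups are direct members too, so an attacker-added nested group is removed as a whole.
foreach ($group in $Tier0Groups) {
    foreach ($member in Get-ADGroupMember -Identity $group) {
        if ($KeepInTier0 -contains $member.SamAccountName) { continue }
        if (-not $DryRun) { Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false }
        Record $member.SamAccountName "removed-from:$group"
    }
}

# Resetting user passwords does not invalidate Kerberos tickets already issued. Reset the
# krbtgt account twice, letting replication complete between the two resets, as a separate
# deliberate step once the user resets have replicated.

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Action | Select-Object Name, Count
```

Run it once with `$DryRun = $true` during a tabletop exercise: the CSV is the answer to Manzi’s question, because it shows how many accounts are in scope, which service accounts would break, and who would still hold Tier-0 membership afterwards. Two things the script cannot cover: cloud sessions survive an on-premises reset, so Entra ID refresh tokens need revoking separately (Revoke-MgUserSignInSession in the Microsoft Graph PowerShell module) and MFA registrations need checking for attacker-added methods; and service accounts with passwords embedded in applications will break when reset, which is why they are excluded here and handled with the application owners rather than silently.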

Practice makes perfect (or at least prepared)

The webinar emphasized a fundamental truth about crisis response: “You don’t rise to the occasion. You fall to the level or the standards of your preparation,” says Manzi, drawing from performance psychology principles. Yet many organizations resist comprehensive testing. 

“Something that can be hard to overcome is that it’s an exercise, not a test,” Manzi explains. “It’s not about passing or failing. It’s about building capability.”

And the stakes for getting this right have never been higher, as regulators are increasingly requiring regular incident response testing, as seen in DORA and NIS 2.

The good news? Organizations don’t need to start with complex scenarios. Manzi recommends a few different exercises:

  • Tactical walkthroughs for testing procedures, task ownership and escalation logic, and for developing specific playbooks.
  • Blue team exercises that provide safe, controlled environments for developing technical skills.
  • Purple team exercises, for more mature organizations, that recreate the dynamics of facing a live attacker.
  • Strategic exercises that test how leadership decisions will be made.

Leading during the critical first 30 minutes

Perhaps nowhere is preparation more crucial than in leadership response. As Manzi puts it: “The first 30 minutes of a crisis can define or decide the next 30 days.”

One of the most practical insights from the webinar involves separating leadership roles during an incident. Based on real-world experience, the recommendation is clear: separate the leader from the manager of the incident. The leader should focus on strategic priorities, briefing executives, managing the impact, while the manager coordinates the technical actions, containment, forensics, and timelines.

“Combining both roles creates bottlenecks, burnout, and confusion,” Manzi says. “And it’s just too much, really, for one person to do really well.”

The importance of building relationships before crisis hits

While technical controls are essential, Scott Tenenbaum’s experience reveals that preparation extends beyond security tools. He emphasizes the importance of ongoing engagement with customers throughout the policy lifecycle, not just when breaches occur. Here’s what he recommends.

Know your policy reality

Many organizations don’t realize that extortion coverage operates as a reimbursement policy, meaning companies must front potentially significant funds—from $25,000 to over $1 million—before insurance kicks in. There’s also an often-unused proof of loss sublimit providing $50,000-$100,000 for hiring forensic accountants to prepare business interruption claims.

Build your response team early

Establish relationships with specialized professionals before a crisis strikes. These specialist providers offer reduced rates and crucial expertise in what Tenenbaum describes as “very specific type of work, and you want the people with the experience in that work.”


Equally important: don’t use your managed service provider for post-incident forensics. As Tenenbaum puts it with a stark analogy, you wouldn’t have a suspect investigate their own crime and report back to you.

Regular tabletop exercises conducted when there’s no pressure help clarify roles and answer the critical question of who gets the first call during an actual incident. This preparation ultimately determines whether organizations achieve coordinated responses or descend into chaos.

The importance of including your insurance company during an incident

Scott Tenenbaum’s experience handling hundreds of cyber claims provides valuable perspective on what separates successful responses from disasters. The numbers speak volumes: 78% of Resilience clients hit by ransomware recovered without paying a ransom, and where payment was unavoidable, negotiating alongside Resilience’s professionals reduced the amount paid by about 70%.

But these outcomes don’t happen by accident. They require working with specialists who understand the unique demands of cyber incidents. Tenenbaum frequently encounters organizations that want to use familiar counsel, like “my son is friends with a partner at a big law firm, and I think they do cyber,” or companies that “play golf with some lawyers who, I think, could handle this.”

The reality? “This is very specific type of work, and you want the people with the experience in that work,” Tenenbaum emphasizes. “Some of the worst claim experiences I have had have started with some of those comments.”

Where to start building resilience

For organizations looking to improve their cyber resilience, the experts offer clear guidance:

  1. Start with tabletop exercises: You wouldn’t try to run your first marathon without training, and you don’t want a real incident to be the first time your team and the wider organization are put under pressure.
  2. Establish clear roles before any crisis: Everyone needs to know their roles and responsibilities before pressure hits.
  3. Build relationships with specialists: Engage cyber-focused legal counsel and forensics firms before you need them.
  4. Practice the fundamentals: Can your organization execute a global password reset? Do you know who your critical vendors are and what happens if they’re compromised?

As Manzi concludes: “Resilience through readiness is what limits damage, protects reputation, and keeps you compliant when it really counts.”

In an era where cyber threats move faster than ever, preparation isn’t just good practice—it’s the difference between a manageable incident and a business-threatening crisis. Remember: The question isn’t whether your organization will face a cyber incident, but whether you’ll be ready when it arrives.
