Why Most Incident Response Plans Fail and What to Do Instead

What To Do Instead Of Asking For An Incident Response Plan

 

If you want to know whether a company is truly ready for a cyber incident, do not ask for the incident response plan. They will hand you a document that looks impressive. It will be formatted. It will have sections. Someone probably spent real time putting it together.

Instead, ask a more straightforward question.

“Do you trust that this plan will work at two in the morning when everything is breaking?”

I have asked that question for twenty-four years. Most CEOs look down, take a breath, and quietly say, “I am not sure.”

That uncertainty is where most incident response failures begin. They do not fail during the incident. They fail in the months and years before the crisis ever arrives.

You do not have to take my word for it. The last two years of research, from IBM, Verizon, CrowdStrike, Palo Alto, and others, tell the same story we see in the field every week.

 

The plan is written once and never tested

The IBM Cost of a Data Breach Report for 2024 found something important. Companies that test their incident response plans regularly save roughly $1.5 million per breach compared to those that never test them.

Think about that. You do not have to rewrite your plan. You do not have to buy a new tool. You simply have to practice.

Yet the 2024 ISC2 Readiness Study found that only 44% of companies test their plans once a year. More than a quarter have never tested them at all.

This matches what we see in our assessments. Most plans are created once, approved, and filed away like a first aid kit everyone assumes works even though nobody has opened it.

Your first incident should never be your first rehearsal. Most plans fail because they are untested, not because they are wrong.

 

The plan depends on tools instead of people

CrowdStrike’s 2024 Global Threat Report reinforced something every CEO should understand. Breaches rarely happen because technology stops working. They happen because teams are not prepared to act when technology alerts them to trouble.

Verizon’s 2024 DBIR reported that nearly three-quarters of breaches involved the human element. Not firewalls. Not encryption. People.

That is why so many incident response plans fail. They read like product manuals instead of playbooks.

Tools do not make decisions. People do.

If your plan cannot answer who does what in the first ten minutes, you do not have a plan. You have a list of software names.

 

No one knows who is actually in charge

In any emergency, the most important person is the one with the authority to make decisions. Stop certain systems. Continue others. Shut something down. Notify the right people. Contain the damage.

You would be surprised how many organizations cannot answer one simple question.

“Who is the incident commander?”

Palo Alto’s 2024 Incident Response Review found that the leading cause of prolonged incidents was not the sophistication of attackers. It was internal indecision.

We see the same thing. The technical problem might be resolved in hours. The leadership problem drags on for days.

Incident response collapses when everyone believes someone else has the wheel.

A plan without clear ownership is not a plan. It is a hope.

 

Communication breaks faster than systems do

Sophos reported in its 2024 ransomware study that reputational damage now exceeds technical damage in many cases. Not because the attack is more complex, but because communication falls apart.

Employees hear one thing, customers hear another, legal wants caution, PR wants silence, the CEO wants clarity, and IT wants everyone to slow down. That is how a cyber event turns into a business crisis.

If your incident response plan does not include a communication strategy, you have a technical document, not a response plan.

And we all remember what happened in 2024. CrowdStrike gave the entire world a masterclass, not in cybersecurity, but in how quickly the modern world falls over when one update goes sideways. You did not need an attacker for that one. You needed a single change in the wrong place at the wrong time.

If that does not prove the importance of people, process, and testing, nothing will.

 

The plan is not tied to the business

This is where CEOs feel the pain the most.

Incident response is not about alerts and logs. It is not even about the attack itself. It is about business survival.

Yet most IR plans do not answer the questions that matter.

  • How long will we be down?
  • What is the cost per hour?
  • Who must we notify?
  • What will our insurer require?
  • What will our lender or buyer assume?
  • What are the legal obligations?
  • How do we protect valuation?

Ponemon’s 2024 findings showed that the average downtime following a major ransomware event is 22-24 days. If your business loses two hundred forty thousand dollars per day, which is common in many mid-sized operations, you are looking at more than five million dollars in losses before you ever get back to normal.

If your plan does not tie response to business impact, it is incomplete.

 

A quick note on AI in Incident Response

The practitioners who live inside incident response every day agree that AI will help teams move faster, but it will not fix the core problems that cause plans to fail. It will not solve unclear ownership, poor communication, or leaders who freeze when decisions matter most. At best, AI will amplify the discipline you already have, and at worst, it will expose the lack of it. In other words, even the future will still reward preparation.

 

The self-evident truth

Every CEO eventually comes to the same realization.

Incident response plans do not fail during the attack. They fail in preparation.

  • They fail because no one practiced.
  • They fail because roles are unclear.
  • They fail because communication is not defined.
  • They fail because leaders are unprepared.
  • They fail because the plan was written for IT rather than for the business.

Once a crisis begins, all of that becomes obvious.

The stove is hot. Water is wet. And untested plans fail.

 

Conclusion

Most companies assume their incident response plan will work because it exists. That is the kind of thinking that creates seven-figure losses and multi-week outages. You cannot prevent every incident, but you can avoid most of the damage. It starts with preparation, practice, clarity, and leadership.

If you lead a company that relies on technology to operate, or if you plan to sell your business in the next few years, this is not a technical exercise. This is a financial and operational responsibility.

The companies that respond well to the market protect value. The ones that respond poorly give it away. The choice is made long before the incident begins.

If you want to know whether your plan would hold up at two in the morning, you can always reach out. It is better to find the gaps now than discover them when the clock is ticking.

 

PS

My dad had a blunt way of teaching the difference between wishing and preparing. In incident response, that lesson holds. Only preparation moves the needle.

 

Byline

Mike Fitzpatrick is the Founder and CEO of NCX Group, a cyber risk management firm with more than 24 years of experience helping CEOs, private equity teams, and business owners protect value, strengthen resilience, and prepare for the financial realities of cyber risk. Learn more at NCXGroup.com.

 

Repost from LinkedIn – https://www.linkedin.com/pulse/why-most-incident-response-plans-fail-what-do-instead-fitzpatrick-z4e7c/
