How should executives make high-stakes decisions during a cyber incident when critical information is incomplete or rapidly changing? What leadership behaviors help organizations maintain trust, clarity, and operational control during a major cyber incident? How can enterprise leaders avoid cognitive biases and decision fatigue while guiding their teams through a prolonged cyber incident?
A cyber incident places enterprise leadership under intense pressure, transforming what might appear to be a technical disruption into a full-scale organizational crisis. Executives must navigate competing demands from regulators, customers, employees, and shareholders while responding to attackers who actively exploit confusion and delay. In these moments, success rarely depends on perfect planning alone. Instead, strong leadership during a cyber incident requires decisive judgment, transparent communication, and the ability to adapt quickly when incident response plans inevitably encounter unexpected obstacles.
Effective decision-making during a cyber incident also depends on managing the human and psychological dimensions of crisis leadership. Cognitive biases, time pressure, and decision fatigue can distort judgment, while blame and fear can undermine collaboration across teams. By fostering psychological safety, aligning technical and advisory teams, and maintaining disciplined communication, executives can preserve clarity and momentum throughout the response. Ultimately, organizations that emerge strongest from a cyber incident are those led by leaders who balance rapid action with thoughtful analysis and use the experience to strengthen resilience for the future.
Technological advancement is accelerating—and digital attackers are taking full advantage. From sophisticated fraud and phishing campaigns to AI vulnerabilities, enterprise-wide digital transformation is driving a rapid increase in certain types of cyber risk, according to the World Economic Forum. And with outcomes like operational disruption, damaged customer and team relationships, and revenue loss on the table, enterprise leaders are under increased pressure to prepare.
The problem? Even the best-laid plans aren’t foolproof. Few response strategies survive first contact with an active cyber incident.
What defines your organization isn’t just how you prepare—it’s the act of preparing and practicing, which will drive the quality of your reaction during the incident and in the days and weeks that follow. During a cyberattack, small decisions can quickly compound into a years-long impact on your business’s trajectory. This isn’t the time for rigidity or uncertainty. It’s the time for steady authority, decisiveness, good judgment, and clear communication.
You don’t (and won’t) have to have complete information or navigate the chaos flawlessly. When your enterprise is in crisis, decisive leadership is what gets you on the road to recovery.
The Executive Reality of a Cyber Incident
An enterprise cyber incident is not just an operational disruption or a system failure. For executives, it’s a reality-altering event. It isn’t just another “IT Outage”; you are being attacked by someone whose goal is to do you harm.
In today’s digital age, I’ve seen critical enterprise aspects—core systems and processes, customer communications, revenue streams, and data archives—become increasingly interconnected. As a result, the more complex the attack, the more functions and assets are compromised—and the fuller your plate becomes.
Once a breach is identified, enterprises shift into crisis mode. Board members and shareholders want clarity. Regulators demand consistent, defensible governance. Customers need reassurance of your responsiveness and their data security. Employees want direction. And they’re all speaking at the same time, calling for immediate answers you may not yet be ready to give; all while the attacker is attempting to use this confusing time to their advantage.
This is why cyber incidents are so uniquely disruptive at the leadership level. You’re no longer following carefully-laid plans; you’re making minute-by-minute judgment calls based on incomplete information as details come in. All while navigating a collision of psychological strain, legal and reputational risk, and operational stakes.
The strongest leaders prioritize decisive forward momentum over emotional reactivity. Now isn’t the time to panic; it’s the time to minimize losses in customer trust and enterprise reputation. That’s how you bring your business through the crisis.
One of the best examples of this? The 2019 Norsk Hydro ransomware attack. The virus was devastatingly efficient—but executives didn’t falter. Manual processes kept the business operational during the months of downtime. Systems were thoroughly cleaned or rebuilt. Daily press conferences were held to clarify the situation and protect their standing. Through flexibility and transparency, the company became a model for effective breach response.
Reframing the Situation: You Are the Victim, Not the Failure
It’s easy to feel weighed down by a digital crisis, framing it as the result of your own shortcomings. In the heat of an attack, I like to remind executives that cyber incidents aren’t proof of flawed strategies or leadership. They’re a criminal act, and you’re the victim.
Equally important is this: Assigning blame helps no one. Instead, it can directly and indirectly hurt your organization’s cohesion and security:
- Fear of social and professional consequences drives silence, not honesty. Scared employees are less likely to report potential incidents, particularly if they were the catalyst. This is particularly dangerous when you consider that Verizon’s “2025 Data Breach Investigations Report” found 60% of breaches assessed were enabled by human actions. And as a result, attackers are given free rein to linger in your systems, collecting information and causing further damage.
- When executives blame themselves, grounded judgment erodes. Uncertainty is injected into every action, slowing response times and shaking employee confidence in your capabilities. Your effectiveness as a leader is sharply reduced—and, with it, your company’s and team’s ability to survive the crisis.
Remember: In high-pressure moments, clarity at the top prevents chaos below.
How to create a culture of psychological safety during a cyber incident:
- Build emotional resilience. This tool keeps you focused and emotionally regulated even in crises, improving your decision-making and management capacities.
- Avoid unnecessary condemnation. Blame-free environments allow teams to steadily execute their tasks and move recovery efforts forward.
- Provide regular updates. Consistent communication offers reassurance to customers and external team members, mitigating the negative impacts of the attack.
- Practice mental discipline. Controlled thinking paves the way for “why,” rather than “who,” focused responses, driving system improvements to better defenses against future attacks.
When Even the Best Plans Start to Break Down
We all have an incident response plan. On paper, it looks thorough, measured, and actionable. It assigns roles, defines procedures, and maps out methods of resolution. Our strategy is the perfect response to any crisis.
And then a cyber incident occurs, and the plan falls apart.
This isn’t because it was poorly constructed. It’s because, when we create these strategies, we’re usually planning for an ideal scenario. But people don’t always behave in predictable ways, and we can’t anticipate every unknown variable. I’ve seen cases where the attacker has access to your plan and is tailoring the attack around it; nothing is predictable.
Under pressure, authority blurs. Coordination slows. Strategies built around systems that have gone dark falter. Media and regulatory scrutiny ratchet up internal tensions.
Planning prepares you for scenarios. Balanced action gets organizations through real-time chaos. Here’s how this looks in practice:
- Attackers are unlikely to follow a predictable path in their techniques and entry points. Deviating from set response structures and making strategic in-the-moment decisions—like shutting down a system to protect data even though it will harm operational capacity—can mean the difference between a localized and systemic cyber incident.
- Adherence to protocols. This is a necessary step in maintaining legal compliance. By engaging expert assistance, notifying relevant bodies (think GDPR, etc.) and affected individuals, preserving evidence, and tracking enterprise actions, you can minimize liability post-incident.
Every enterprise has a plan, but not every enterprise knows what to do when that plan fails. The most effective leaders know when to follow rules and when adaptation is the best way to protect their company, their employees, and their customers.
Decision-Making Under Stress and Uncertainty
When you’re in the middle of a cyberattack, time is a constant source of pressure.
The clock starts ticking the moment the breach is flagged. Suddenly, your to-do list is jam-packed and continuously growing. Small decisions—who you speak to, what you disclose, how you react in the moment—carry massive consequences for minimizing losses, liability exposure, reputation, and revenue. And many of them are made based on incomplete or incorrect information.
This combination of perceived time scarcity, decision stress, and partial data is where judgment becomes distorted.
In a crisis, even the most experienced executives can fall prey to cognitive traps. Some of the most common biases I’ve seen include:
- Optimism bias: Assuming positive outcomes will occur and adverse outcomes will not. As a result, executives become complacent, disregard indicators, and make inaccurate threat assessments.
- Anchoring bias: Placing an over-weighted importance on the first piece of information received. This trap leads to an overreliance on initial data during a cyber incident, resulting in flawed assessments and responses.
- Decision fatigue: When overwhelm impairs decision-making. In a crisis, this bias leads to delayed responses and increased errors.
These aren’t inherent flaws. They’re predictable human responses that intensify under crisis conditions. But when every minute matters, unmanaged biases become an operational risk.
When these thinking traps drive your response, you face a dangerous crossroads. Delays in crisis containment deepen functional and reputational damage, while speed without discipline leads to irreversible risk-taking. For example, wiping systems (and destroying critical evidence) to hasten clean-up and restore operations. The leaders who successfully navigate cyberattacks are those who can balance quick responses with careful, fact-based consideration, protecting their organization in the long run.
Aligning Leadership, Advisors, and Technical Teams During Sustained Crises
Clarity is hard to come by during a crisis.
The uncertainty surrounding cyberattacks has everyone speaking up at once. Legal teams want precise actions and full disclosure to mitigate liabilities and losses. PR teams want to prepare a controlled release of information to protect your reputation and prevent panic. IT teams want more time to analyze the breach before starting containment efforts. External partners want regular updates on what’s going on and how you’re responding—even if you don’t yet know the answer.
Trying to manage all of this can turn an already strained situation into a bottleneck. That’s why your role as an executive is to synthesize these inputs. To assess these competing pieces of information, align them with your current enterprise priorities, and make a clear decision. This allows you to maintain your authority while still relying on expert guidance to navigate your enterprise through a prolonged crisis.
Remember: Most cyber incidents resolve in days or weeks, not hours. Containment is only the first step. What follows is incident analyses, impact assessments, meetings, and regulatory work. Once the threat is completely eradicated—a process that took over a month in nearly 1 in 5 incidents analyzed in the SANS Institute’s 2025 security report—operations can be restored, and rebuilding can begin.
How to preserve judgment quality and prevent decision fatigue:
- When one team handles everything, burnout follows. Establish decision ownership early—what needs to come to executives, what requires cross-functional management, and what can be delegated to other teams—to improve response quality.
- As new facts come in and the incident moves toward resolution, take a moment to consider changes to existing decision-making structures.
- For example, releasing crisis teams and giving IT departments greater independence. At the same time, continue listening to expert opinions, strengthening perceptions of accountability and authority through strong judgment calls and a willingness to listen.
Managing the Human Dimension of the Incident
Cyber incidents affect enterprise teams just as much as they do systems. And as a leader, it’s your job to support them.
Even as they continue working diligently, employees may feel:
- When disaster strikes, people begin to mull over past actions, questioning whether they played a part. Did they click on a phishing link? Miss an indicator? Give access to the wrong person? Even blameless individuals can internalize the outcome as a personal failing, harming response speed and accuracy.
- Resolving cyberattacks demands around-the-clock work, and direct-response teams—cybersecurity, IT, legal, PR—get the worst of it. With so much to do, overwhelm can strike quickly, leaving critical teams unable to manage their tasks effectively.
- How did this happen? What does it mean for the company? Uncertainty spreads quickly during a cyber incident, making focus and measured decision-making difficult.
In these moments, executive tone sets the direction for the entire enterprise.
When you practice balance, transparency, and accountability without unnecessary blame, tensions settle. Teams reorient themselves from present concerns to next steps.
Here are some actionable steps I’ve seen keep team-wide trust and understanding intact during a breach:
- Communicate regularly. Updating your team as new information becomes available is the best way to fight uncertainty. The more they know about the situation and your priorities, the more confident they’ll be in your direction. This applies to the team working for you, as well as the team around you (Boards, key stakeholders, etc.)
- Keep trust intact. External pressures—media narratives, partner and customer demands—can wear on team perceptions of executive authority. Meanwhile, internal tensions erode trust among coworkers. By offering consistent messaging and a strong strategy, team cohesion is maintained.
- Support well-being. Your employees can’t sustain high-quality performance for days or weeks without help. Take a proactive approach to reducing anxiety and burnout by implementing measures like rotating shifts and enforced downtime. You have to plan for the marathon of full remediation while running the sprint of immediate response.
Post-Incident Perspective Without Hindsight Bias
I’ve talked to many executives who’ve handled a cyber incident and seen each experience a shift in perspective in the time that follows. In the moment, we do what feels right for our company and our customers based on the limited data available to us. Then, weeks and months later, we review our actions with all the information neatly laid out. Causes, effects, timelines. Where crisis is messy and complex, hindsight is clean and orderly—and it convinces us that the problems and solutions should have been obvious.
Instead of letting these retrospective evaluations prompt unfair self-criticism, it’s essential to take a more objective approach. Examine response speed, communication rates, and resolution paths. Adopt a self-reflective mindset and consider how you’d change your own responses. Then, use these lessons to inform future strategies, from tightening system gaps to developing realistic incident simulations designed to improve your crisis response capabilities.
Cyber incidents are inevitable. Leadership responses aren’t. Executive growth comes from understanding our weaknesses and choosing to improve—sharpening judgement, discipline, and adaptability for when it matters most.
