There’s something I’ve always found fascinating about incident response: even with all the incredible innovation in defense technologies, the true test of an organization often happens after something goes wrong. That’s when Incident Response (IR) really matters. A well-practiced IR program doesn’t just reduce damage in the wake of an incident. It accelerates recovery, restores confidence, ensures compliance, and strengthens the long-term resilience every organization needs.
Last week, we launched the first episode of Cyber at the Top, a new RSAC podcast where I get to sit down with CISOs from some of the world’s leading organizations and learn cybersecurity advice from the people who have actually lived it. The conversations so far have been inspiring. In the first episode, “Defining Strength: Building a Resilient Incident Response Capability,” I talked with Prentis Brooks, Head of Information Security at Lincare Holdings. I could only imagine the sheer volume of incidents that Brooks has experienced over his more than two decades on the front lines at companies like AOL, Time Warner Cable, and Royal Caribbean. I was curious to find out how he used his experience to build IR programs from the ground up.
Defining a strong incident response capability
Brooks summed up a strong IR capability as “an organization’s ability to quickly identify, triage, and respond to cyberthreats.” It’s a simple definition, but a profound one. The true measure of an IR program is speed and effectiveness—how quickly you can contain, communicate, and manage everything that comes after the initial alert. I couldn’t agree more. He explained, “If you’ve had a major incident, you are going to spend way more time dealing with the after-effects of that incident than actually solving and containing that incident.” He shared three insights that really stood out to me as the necessary steps for a cyber leader to establish and continue improving their IR capability.
Insight One: Communication drives alignment
If there's one thing that came through loud and clear from Brooks, it’s that you can buy tools, build playbooks, and hire specialists, but none of it works unless people in the organization actually talk to each other. In those first 30 days of building an IR program, Brooks recommends establishing visibility, logging incidents, defining the IR team, engaging legal early, and securing an outsourced IR partner. But the most important thing for CISOs to do is bring stakeholders together to agree on who owns what before the crisis hits.
I’ve seen the best and worst of this pattern across countless organizations. When communication is lacking, there’s confusion, delayed response, and lack of confidence dealing with the public. When the IR plan is understood and socialized beforehand, it prevents chaos. As Brooks put it, “When you’re in crisis, you don’t want to be making these decisions and trying to figure it out.” Alignment builds speed, and communication builds trust.
Insight Two: Practice crisis management before a real incident occurs
One thing I’ve learned—sometimes the hard way—is that staying calm in a crisis is a skill you have to build over time. I remember being on an important call once with regulators and senior government leaders. As I was presenting, I noticed out of the corner of my eye the largest spider I’d ever seen, lowering itself from the ceiling, slowly and deliberately, right in line to land on my head.
My instincts took over. I shut off my video, slammed my laptop closed, and I’m not too proud to admit it, I yelled at the spider. When I finally sat back down, I realized I had never muted the call. The regulators heard all of it.
It was a humbling reminder that when things get chaotic, we default to the instincts we’ve practiced, not the polished version of ourselves we’d like to imagine. For cyber leaders, practice and preparation are everything. During an incident, the information won’t be perfect, the pressure will be high, and the people around you will be looking for direction. I've learned from so many great cyber leaders that the ones who maintain calm are the ones who’ve practiced that calm long before the real crisis hits.
That’s why experience, mentorship, and crisis management exercises matter so much. As Brooks says, “The little incidents prepare you for the big one.” Treat every minor issue and drill as a rep that builds the muscle you’ll need when the stakes are real.
Insight Three: Test and continuously update
One misconception about IR programs is that once they’re written, they’re done. But as anyone in this field knows, nothing ages faster than a cybersecurity document. Brooks recommends reviewing IR programs at least once a year, and more often for global organizations. If your organization sees few real incidents, run simulations to exercise the plan instead. As you go through your training and testing exercises, you may identify gaps and potential areas for improvement. You’ll also need to account for any changes in threats, new adversaries, or changes to your organization’s crown jewels. Brooks put it best: “Don’t just put it on a shelf and never touch it again.” A resilient IR capability is a living system—one that grows and adapts as the organization evolves.
Move forward with confidence
My conversation with Brooks reinforced something many of us know but often overlook: IR is built on people, communication, and practice. Whether you’re new to a role or seasoned in the trenches, start by getting everyone aligned on responsibilities. Then practice and test early and often. And keep refining your program as new threats and technologies emerge.
We covered even more in the podcast episode, including how AI is reshaping the future of incident response. I invite you to listen to the full episode or watch the video to hear our full conversation.