When Cyber Incidents Strike, Internal Chaos Often Outweighs The Attack

When a cybersecurity breach occurs, the speed of response is crucial. However, it’s not the attackers or the malware that slow down teams the most – it’s often internal confusion and chaos. The 2025 State of Cyber Incident Response Management (CIRM) Report highlights a stark reality: internal misalignment can create more chaos than the actual attack. This report, based on responses from 480 senior cybersecurity leaders, including 165 Chief Information Security Officers (CISOs), reveals a consistent pattern across industries.

Understanding the Chaos

The study shows that decision ownership shifts during an incident, legal and communications teams join too late, and the proliferation of tools creates friction when every second counts. Moreover, too few organizations rehearse the complex scenarios that real breaches bring, leading to a collapse of plans under pressure. The problem isn’t a lack of technology, but rather the inability to execute effectively. According to Nimrod Kozlovski, founder and CEO of Cytactic, embracing AI-powered technologies is key to minimizing damage during cyber incidents and moving towards strategic incident response management.

Identifying the Breakdown Points

The chaos is often rooted in authority gaps, with over half of the leaders stating that decision ownership changes mid-incident, and 41% admitting to delaying action due to unclear authority. Teams wait for direction, data continues to move, and the window to contain the breach narrows. Tim Brown, CISO of SolarWinds, emphasizes the importance of practicing real-world scenarios to prepare for the pressure of an actual breach. Without such rehearsal, plans remain mere wishful thinking.

The Challenge of Siloed Teams

Joshua Ferenczi, head of Innovation Lab at Cytactic, points out that a core weakness is the rare collaboration between different functions before an incident. When legal, communications, and security teams converge for the first time during a breach, friction is inevitable. Both Brown and Ferenczi agree that AI can bridge these divides by connecting the dots and providing a common narrative that gives teams confidence in their response. AI can also serve as a translation layer, simplifying complex information for different stakeholders.

Lessons for Cybersecurity Leaders

The report highlights three urgent priorities for leaders: rehearsing cross-functional simulations, codifying decision rights, and using AI to reduce friction. By rehearsing like they mean it, leaders can ensure readiness, not just awareness. Codifying decision rights and pre-approving thresholds for critical actions can streamline response times. Finally, leveraging AI to unify fragmented tools and correlate signals can reduce the drag around human judgment, allowing for faster and more coordinated incident response.

From Chaos to Orchestration

The conclusion is clear: organizations aren’t losing the battle against attackers due to a lack of tools, but because their processes are too slow. Technology plays a role, but the real differentiator is how well it is integrated into practiced, cross-functional workflows. By building a culture and process that can withstand pressure, organizations can turn potential chaos into coordinated execution. Structured playbooks, realistic simulations, and stronger collaboration between technical, legal, and executive teams are essential for resilient incident response.