By Senior Contributor, Tony Bradley
Copyright Forbes
Breach damage often stems from internal chaos, not attackers. Clear authority, rehearsal, and AI-driven coordination are key to faster, smarter response.
When a breach hits, speed matters. But the thing that slows teams most isn’t the malware or the exploit—it’s confusion. The 2025 State of Cyber Incident Response Management (CIRM) Report shows a hard truth: internal misalignment often creates more chaos than the attacker.
Plans look good on paper, but under pressure, they collapse.
The study—based on responses from 480 senior cybersecurity leaders, including 165 CISOs—reveals the same pattern across industries. Decision ownership shifts. Legal and communications join too late. Tool sprawl creates friction when seconds count. And too few organizations rehearse the messy scenarios that real breaches bring. The problem isn’t a lack of technology. It’s the inability to execute.
Nimrod Kozlovski, founder and CEO of Cytactic, put it plainly: “To move from this chaotic reality to strategic incident response management, organizations must embrace disruptive, AI-powered technologies to minimize damage when cyber incidents strike. The report makes it clear: preparing before and executing well at the time of an incident is critical to lessening the brand and financial damage of a cyber attack. With the vast majority of security leaders citing internal chaos due to lack of authority, clarity and coordination under pressure, causing more chaos than the threat actor itself, the need for structured, well-orchestrated tools is undeniable.”
Where Plans Break Down
That chaos is often rooted in authority gaps. More than half of leaders said decision ownership changes mid-incident, while 41% admitted they’ve delayed action because no one had final authority. Teams wait for direction, data keeps moving and the window to contain narrows.
Tim Brown, CISO of SolarWinds and a board advisor to Cytactic, explained that the real issue is how organizations prepare. “People say they should practice, want to practice, but then when it comes down to it, the things that they practice are not kind of meaningful enough in many ways. They need to be able to practice real-world scenarios, get the people together in a realistic setting, so that they’re ready to work closely under pressure.” Without that rehearsal, paper plans are little more than wishful thinking.
The Silo Problem
Joshua Ferenczi, head of Innovation Lab at Cytactic, added that a core weakness is how rarely different functions work together before an incident. “A lot of what we see, especially at the global enterprise level, is that these teams are kind of working in their own lanes,” he said. “And when there’s a breach, they all have to work together on the same workflows, the same plans, the same communication. That’s where we see a lot of the breakdown.” When legal, comms and security converge for the first time during a breach, friction is inevitable.
Both Brown and Ferenczi agree that AI is uniquely suited to bridge those divides. Ferenczi explained, “AI is actually great at connecting the dots, helping build a common narrative that gives teams confidence in what they’re seeing.” Brown added that AI can also serve as a translation layer: “You’ve got legal teams, marketing teams, IT and engineers all working together. If I asked AI to give me a simplified legal highlight of what’s been going on, it could give someone something very useful that reduces delay.”
The report data backs them up. Eighty-six percent of leaders said “translation time” between technical, legal and communications teams causes costly delays. Ninety-three percent believe AI assistance could have prevented at least one major misstep in their last incident.
The CISO’s Expanding Role
The CISO role is shifting in this environment. Containment is still core, but executive communication now ranks at the top of what CISOs are expected to deliver.
They are being judged as much on their ability to turn volatile, partial data into clear business context as they are on technical triage. As Brown put it, the CISO who builds trust with the CEO and board in peacetime becomes “one of the most important people in the room” when a crisis hits.
Lessons for Leaders
The research highlights three urgent priorities:
Rehearse like you mean it. Awareness is not readiness. Run cross-functional simulations that include legal, comms, finance and IT—not just security. Make them realistic. Measure time to decision, not just time to detect.
Codify decision rights. Write down who decides what. Pre-approve thresholds for isolating assets, notifying regulators, or switching comms modes. Test those thresholds live.
Use AI to reduce friction. AI can unify fragmented tools, correlate signals and generate role-specific updates in real time. This doesn’t replace human judgment—it reduces the drag around it.
From Improvisation to Orchestration
The report underscores what many CISOs already know: organizations aren’t losing the race against attackers because they lack tools. They’re losing because their own processes are too slow. Technology has a role to play, but the real differentiator is how well it is integrated into practiced, cross-functional workflows. Clear authority, disciplined rehearsal and faster coordination matter more than any single product.
The conclusion is not that AI or automation will magically fix incident response, but that organizations must rethink how they prepare. Structured playbooks, realistic simulations and stronger collaboration between technical, legal and executive teams are what turn potential chaos into coordinated execution. In the end, resilience depends less on adding more technology and more on building a culture and process that can hold under pressure.