Another 49 percent say response times would have improved if leadership had acted more decisively in the moment.1 Both statistics point to the same gap: most organizations have an IT response plan and no leadership response plan. When an incident hits, the people at the top are improvising.
That improvisation is expensive — not because leadership is incompetent, but because no one ever gave them a documented plan for what to do in the first 60 minutes. This article does that.
A quick note on why the first hour matters more than the first 24: in real cyber operations, the decisions made in the initial window determine whether an incident gets contained or becomes a crisis. Every minute of delay after detection is an opportunity for an attacker to move further into your environment. The first hour is where leadership either controls the situation or loses it.
Action 1: Confirm and Contain (Minutes 0–10)
The first instinct when you hear "we may have an incident" is to wait for more information before acting. Resist that instinct. You will never have complete information in the first ten minutes. What you will have is a window to contain the damage before it spreads.
Your role in this moment is not to understand everything. It is to authorize containment immediately and get the right people moving. Containment might mean isolating a specific system, disabling a user account, or cutting off an external connection. Your technical team knows what to do. What they need from you is the authority to do it without waiting for a full briefing first. Give it to them.
The worst outcome in the first ten minutes is not overreacting to a false alarm. It is waiting for certainty while an attacker moves through your environment unchallenged.
Action 2: Activate Your Response Chain (Minutes 10–20)
Who gets called, in what order, and what do they do? This is the decision tree most organizations have never written down.
Not everyone gets the first call. Start with a focused group: the incident commander, your legal counsel, and your most senior technical resource. Broad internal notification comes later, after you have a handle on scope.
Legal counsel belongs in that first group in most cases. Engaging legal counsel early establishes attorney-client privilege over communications related to the incident. Anything communicated before privilege is established may be discoverable in litigation or regulatory proceedings.
If your organization does not have dedicated cybersecurity staff, you almost certainly also need an external incident response (IR) firm. Having a pre-identified IR firm — one whose contract is already signed and whose number is already in your playbook — is the difference between a 20-minute call and a 3-hour vendor selection process while an incident is active.
Action 3: Establish a Command Structure (Minutes 20–30)
In military cyber operations, command and control is established at the moment an incident is declared. There is no ambiguity about who is in charge, who is authorized to make decisions, and who communicates what to whom. In the first 30 minutes, establish three things:
One person has decision authority. Everyone else supports them. This does not have to be the most technical person in the room. It needs to be the person with the authority and judgment to make fast decisions under incomplete information.
If your email or internal messaging systems may be compromised, do not use them to coordinate the response. A phone bridge, a personal device group chat, or an out-of-band tool keeps your response coordination off potentially compromised infrastructure.
Limit knowledge of the incident to the people who need it to do their job. Premature broad disclosure creates noise, panic, and potential evidence contamination before you understand what you are dealing with.
Action 4: Control the Communications (Minutes 30–45)
The first hour of a cyber incident is almost never the right time for external communication. It is, however, exactly the right time to decide who has authority to communicate and who does not.
All external inquiries — from clients, vendors, partners, press, and anyone else — are directed to a single spokesperson. Everyone else says only this: "We are aware of a situation and our team is assessing it. We will be in touch as soon as we have information to share."
Depending on your industry, your contracts, and your jurisdiction, you may have legal obligations to notify certain parties within a specific timeframe. Your legal counsel helps you understand these obligations now so you are not scrambling to meet a regulatory deadline while still managing the incident.
Action 5: Document Everything From Minute One (Minutes 45–60)
Every decision. Every action. Every communication. Every system affected. Every person involved. All of it logged with a timestamp from the moment the incident is declared. This documentation serves three purposes simultaneously: legal protection if the incident results in litigation, the foundation of your insurance claim if you have cyber coverage, and the source material for the post-incident report that tells you exactly what happened.
Designate someone whose specific job during the incident is documentation. Not response. Not communication. Documentation. They follow the incident commander, log every decision and action, and produce a running record the entire response team can reference.
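The running record described above, as an added example that is not part of the article: a small Python incident log in which every entry is timestamped in UTC, attributed to a person, tagged with one of the five categories the article names (decision, action, communication, system, person) and chained to the previous entry by SHA-256, so the scribe's record stays tamper-evident when it goes to counsel, the insurer or the post-incident review. The incident id, names, systems and times inside first_hour_demo are constructed for illustration.

```python
"""Tamper-evident incident log for the first hour (added example, not from the article).

Each entry carries a UTC timestamp, the person who acted, a category and the
text of what happened. Entries are hash-chained so that a later edit or
deletion inside the record is detectable.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

CATEGORIES = {"decision", "action", "communication", "system", "person"}
GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class LogEntry:
    seq: int
    timestamp: str  # ISO 8601, always UTC
    actor: str
    category: str
    text: str
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> str:
        """Canonical JSON of the hashed fields (entry_hash itself excluded)."""
        fields = asdict(self)
        fields.pop("entry_hash")
        return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def _digest(payload: str) -> str:
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: list[LogEntry] = []

    def record(self, actor: str, category: str, text: str,
               when: datetime | None = None) -> LogEntry:
        """Append one entry; the timestamp defaults to the current UTC time."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LogEntry(len(self.entries) + 1, ts, actor, category, text, prev)
        entry.entry_hash = _digest(entry.payload())
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Recompute every hash and the chain; return (ok, first bad seq or None)."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            if (e.seq != expected_seq or e.prev_hash != prev
                    or _digest(e.payload()) != e.entry_hash):
                return False, e.seq
            prev = e.entry_hash
        return True, None

    def export(self) -> str:
        """Serialise for hand-off; the hashes travel with the entries."""
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def first_hour_demo() -> IncidentLog:
    """Constructed sample timeline: the incident id, names, systems and times are made up."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = IncidentLog("INC-EXAMPLE-001")
    log.record("SOC on-call", "system", "Alert: anomalous outbound traffic from FS-01", t0)
    log.record("CEO", "decision", "Containment authorised without waiting for a full briefing",
               t0 + timedelta(minutes=4))
    log.record("Senior engineer", "action", "FS-01 isolated from network; svc-backup account disabled",
               t0 + timedelta(minutes=7))
    log.record("CEO", "communication", "Outside counsel engaged by phone; privilege established",
               t0 + timedelta(minutes=14))
    log.record("Incident commander", "decision", "Out-of-band phone bridge opened; need-to-know list set",
               t0 + timedelta(minutes=25))
    log.record("Scribe", "person", "Documentation role assigned to J. Doe", t0 + timedelta(minutes=46))
    return log


if __name__ == "__main__":
    demo = first_hour_demo()
    print(demo.export())
    print("chain intact:", demo.verify())
```

A hash chain exposes alteration or deletion inside the record, but not the silent removal of the most recent entries, so have the scribe read the latest entry_hash and entry count into the out-of-band bridge at intervals; that anchors the end of the chain outside the log itself.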
The Underlying Point
None of the five actions above require technical expertise. Authorize containment. Make the calls. Establish command. Control communications. Document everything. These are leadership decisions that require a leadership plan — and the time to build that plan is before an incident, not during one.
The organizations that handle cyber incidents well are almost never the ones with the most sophisticated technical defenses. They are the ones whose leadership team knew exactly what to do when the call came in.