Incident Response Statistics: USA 2025

Incident response is now a central part of how teams manage cybersecurity. From the first signs of trouble to full data recovery, every step calls for focus, coordination, and speed. Some approaches help teams stay on track and act quickly, while others can cause delays or miss key actions.

To find out what 506,287 technology leaders in the US think about incident response, we used AI-driven audience profiling to synthesize insights from online discussions over the year ending July 14, 2025, to a high statistical confidence level. Their insights reveal which steps carry the most weight in a crisis and where even experienced teams tend to slip.

    What Is Your Biggest Challenge In Responding To Cybersecurity Incidents?

    29% of US technology leaders say that unclear response plans are a major obstacle when responding to cybersecurity incidents

    There’s still work to be done in preparing teams for high-stakes incidents:

    Organizations face a range of challenges when responding to cybersecurity incidents, but the biggest is unclear response plans. These are seen as a major obstacle by 29% of technology leaders in our audience, and a significant issue by 14%. This lines up with an unsettling finding from S&P Global, which reports that one in five companies does not have a plan or procedure in place at all.

    Inadequate communication also causes friction, viewed as a significant issue by 17% of technology leaders and a major obstacle by 6%. Lack of internal resources is marked as a significant issue by 15%, a major obstacle by 2%, and a minor concern by 1%. Outdated tools are seen as a major obstacle by 3%, a significant issue by 3%, a minor concern by 1%, and not a problem by 2%. Delayed detection rounds out the picture, listed as a major obstacle by 4% and a significant issue by another 4%.

    Overall, these challenges highlight the urgent need for organizations to prioritize clear, well-communicated, and well-resourced cybersecurity response plans to effectively manage and mitigate incidents.

    Which Role Is Most Critical During A Cybersecurity Incident?

    53% of technology leaders agree that CISO or IT security leads play a very important role during a cybersecurity incident

    It’s clear who teams tend to look to in the heat of an incident:

    When an incident occurs, certain roles take on critical importance, and none more so than the CISO or IT security lead. While only 2% of technology leaders say this role is absolutely essential, a much larger 53% say it’s very important, and another 6% rate it as somewhat important.

    Given that 76% of CISOs have worked in three to ten cybersecurity roles, it makes sense that so many view them as key figures during an incident. Their depth of experience likely shapes strategic decision-making and team confidence under pressure.

    The incident response team also plays a central role, viewed as very important by 33% and somewhat important by 2%. In contrast, communications and PR are rated as very important by just 2%, and compliance and legal are seen as somewhat important by 1%, which is surprising when you consider how much reputational damage can occur from a breach. However, it’s understandable that the focus lies on those who can quickly step in and take action to restore systems or limit the impact.

    What Best Describes Your Current Cybersecurity Incident Preparedness Level?

    39% of technology leaders say they are unprepared for a cybersecurity incident and respond reactively

    Most teams are still figuring out how to get ahead of the next threat:

    Cybersecurity preparedness levels still have a long way to go, which is understandable given that 35% of small organizations now consider their cyber resilience inadequate, a figure the World Economic Forum reports has increased sevenfold since 2022. A full 39% of technology leaders in our audience report being unprepared and responding reactively, while another 15% respond reactively but acknowledge that their preparedness needs improvement.

    Some are currently developing a strategy, with 6% describing themselves as fully prepared, 17% saying they are somewhat prepared, and 13% saying their preparedness still needs work. Just 4% say they are fully prepared with a fully documented and tested plan, while 2% are somewhat prepared with such a plan. A further 3% rely on third-party responders and say their preparedness needs improvement, while only 1% say they are fully prepared with a documented but untested plan.

    This reveals that most organizations remain underprepared for cybersecurity threats, with the vast majority still responding reactively and only a small fraction having a fully documented and tested response plan in place.

    What Is The Top Priority Immediately Following A Cybersecurity Incident?

    For 30% of technology leaders, communication to stakeholders is an absolutely essential priority after a cybersecurity incident

    Technology leaders' opinions vary on where to focus first in the aftermath of an incident:

    Legal and compliance reporting ranks high on the priority list immediately following an incident, with 28% of technology leaders in our audience seeing it as absolutely essential and another 4% as important. That urgency is grounded in reality.

    According to the Federal Trade Commission, every US state now requires businesses to notify individuals when personal information is exposed in a breach, and additional legal requirements may apply depending on the data involved.

    Communication to stakeholders edges slightly higher, with 30% calling it absolutely essential. Restoration of systems follows, marked as absolutely essential by 15%. Threat containment is viewed as important by 6% and less critical by 7%, while investigation and root cause analysis are rated absolutely essential by 6% and important by 3%.

    This reveals that in the aftermath of a cybersecurity incident, legal compliance and stakeholder communication are top priorities for technology leaders, driven by strict regulatory requirements and the need to maintain trust.

    How Often Do You Test Your Cybersecurity Incident Response Procedures?

    Only 16% of technology leaders run monthly drills to test cybersecurity incident response procedures

    Regular planned drills and reviews are the exception, not the norm:

    Testing response procedures should be a regular part of cybersecurity planning, but for many teams, it still isn’t.

    Federal standards call for continuity testing at least annually, and alert and communications testing every quarter. While aimed at government agencies, that kind of structured schedule offers a useful benchmark, especially given that 47% of technology leaders in our audience say they never conduct post‑incident reviews.

    Another 8% say they rarely conduct reviews, while only 18% say they always do. Monthly drills are always run by just 16%, and quarterly simulations and annual tabletop exercises are each always performed by only 2%. Interestingly, 6% say their procedures are never tested at all, pointing to a complete lack of preparedness for a very real threat.

    Andrew Evers, CTO of Infrascale, noted that even the best response plans can falter without practice. “Preparedness is not built in the moment. It is earned through repetition, review, and refinement. Treat every exercise as a chance to turn uncertainty into muscle memory.”

    What Tool Has Been Most Useful In Minimizing Downtime After A Cybersecurity Incident?

    47% of technology leaders say that a threat intelligence platform is very useful for minimizing post-cybersecurity incident downtime

    Technology leaders are leaning on one tool in particular to bounce back faster:

    When it comes to tools for minimizing downtime, threat intelligence platforms dominate. A full 19% of our audience sees these platforms as indispensable, 47% call them very useful, 18% rate them as somewhat useful, and just 4% find them not useful.

    It’s easy to see why. Beyond simply collecting data, a strong threat intelligence platform connects the dots across multiple sources, automates threat analysis, and offers clear, actionable insights. That kind of visibility helps teams respond faster and focus on the threats that matter most.

    Other tools are used more selectively. Cloud backup and disaster recovery is viewed as indispensable by 6%, very useful by 2%, and somewhat useful by 1%. Endpoint detection and response is rated very useful by 2%, while security information and event management earns 1%.

    This suggests that threat intelligence platforms are widely valued as the most effective tool for minimizing downtime, far surpassing other solutions due to their ability to provide fast, actionable insights and enhance response efficiency.

    Which Team Typically Takes The Lead In Initial Triage After A Cybersecurity Incident?

    49% of technology leaders say that managed service providers take the lead in triaging after a cybersecurity incident

    The early response handoff usually falls to one key player:

    Initial triage is a crucial first step in any incident response, and the team leading that effort can influence everything that follows. For many organizations, that team is a managed service provider, with 49% of technology leaders saying that MSPs often take the lead. Another 11% say this happens rarely, and just 2% say it never does. That makes sense, considering that 44.9% of MSPs now prioritize disaster recovery in their core services, which is a strong indicator of their readiness to step in quickly.

    Security operations teams are next, with 17% saying they often lead the triage phase. IT infrastructure teams follow at 9%, and cloud services at 8%, with 4% saying cloud teams rarely take the lead. No opinions were recorded regarding help desks, so they’re clearly not relied upon during this stage.

    What Communication Method Works Best During A Cybersecurity Breach?

    18% of technology leaders say encrypted messaging platforms are the better option for communicating during a cybersecurity breach

    There’s uncertainty around which tools actually work best in a crisis:

    During a cybersecurity breach, the way teams communicate can shape the outcome. Encrypted messaging platforms emerge as the top choice, with 5% of technology leaders rating them as the best option and 13% considering them a good choice, although 24% still feel they’re not the best fit. That range of views makes sense, especially since experts note that while these apps are generally secure, the real risks often lie with the user’s device or network.

    Video conferencing gets a good option rating from 9%, but a whopping 44% say it’s not the best, and 4% call it a poor choice, likely due to its vulnerability. For the same reason, emergency email alerts barely register, with just 1% saying they’re not the best.

    What's Your Greatest Concern During A Ransomware Attack?

    46% of technology leaders are most concerned about data loss during ransomware attacks

    Ransomware attacks create sleepless nights for many technology leaders, but not always for the same reasons:

    Data loss stands out as the biggest worry when ransomware strikes. A full 7% of technology leaders say it’s definitely their greatest concern, and another 39% call it a significant concern. Only 2% view it as a minor worry, and it’s not a concern for 1%. That focus on data is well-founded. In Q3 of 2024 alone, over 422 million data records were leaked in data breaches. It’s a staggering reminder of what’s at stake when systems are compromised.

    Other concerns follow at a distance. Reputational harm is definitely the greatest concern for 3% and a significant issue for 21%, while 10% say it’s a minor worry. Operational confusion is flagged as a significant concern by 14% and both a top concern and minor worry for just 1%, with downtime impact ranking lower still, cited only as a minor worry or significant concern by 1% each.

    How Do You Keep Your Team Aligned During Cybersecurity Crises?

    Real-time collaboration tools are essential for keeping 37% of technology leaders’ teams aligned during cybersecurity crises

    In the heat of an incident, two approaches keep most teams in sync:

    Keeping a team aligned during a crisis takes more than good intentions. For many, cross-department training is the glue that keeps them together. 28% of technology leaders call it essential, and another 24% view it as a helpful approach, suggesting that clarity on roles and responsibilities is just as important as speed. Real-time collaboration tools also play a strong role, seen as essential by 37% and helpful by 6%. These platforms help streamline decision-making when every second matters.

    Escalation matrices and leadership briefings see far less traction, with only 2% and 1% respectively rating them as essential, and just 1% seeing leadership briefings as a helpful approach. That limited uptake points to a broader preference for hands-on coordination over top-down directives.

    How Do You Ensure Your Cybersecurity Response Aligns With Compliance Standards?

    60% of technology leaders rely on industry frameworks to align their cybersecurity response with compliance standards

    Staying compliant during a crisis isn’t something that can be left to chance:

    Making sure your response lines up with compliance standards usually starts with a solid framework. The NIST Cybersecurity Framework 2.0 offers just that. It helps organizations stay on track by linking their security efforts to clear, outcome-based goals and connects them to practical tools without being overly prescriptive.

    That kind of flexibility is likely why 60% of technology leaders see frameworks like NIST and ISO as absolutely essential. Regular audits also play a key role in staying compliant as things change, with 40% calling them absolutely essential, too. This split highlights the dual importance of having a guiding framework and continuously validating its effectiveness in a shifting threat landscape.

    What Cybersecurity Metric Best Reflects Success?

    52% of technology leaders agree that user impact is a definitive metric of cybersecurity success

    A single metric leads the way, though not everyone agrees on how much it counts:

    Healthcare and life sciences organizations dominate the ransomware recovery service market. This category perfectly describes 27% of organizations, and 48% are suitably described. Considering the 278% increase in healthcare ransomware attacks between 2018 and

    The metric that best reflects cybersecurity success is clearly user impact. 52% of technology leaders in our audience see it as the definitive success indicator, while 21% call it a strong one. 14% view it as a moderate signal, and 13% say it isn’t a success indicator at all.

    That emphasis on user experience aligns closely with expert thinking in a Forbes Technology Council article on metrics that show the value of cybersecurity initiatives. Leaders highlight the value of tracking business impact and communicating the “why” behind cybersecurity efforts in relatable terms. Both of these approaches put people at the center and reinforce that strong cybersecurity isn’t just about avoiding breaches, but about protecting how teams work every day.

    What Role Do Backups Play In Your Cybersecurity Recovery Strategy?

    59% of technology leaders agree that their backup and recovery strategies need improvement

    Backup may be a pillar of recovery, but the way it’s handled varies widely:

    Backups are a core part of any cybersecurity recovery strategy, especially given what’s at stake. A study by IBM and the Ponemon Institute puts the global average cost of a data breach at $4.35 million, or about $164 per compromised record. With that level of risk, strong backups, especially ones tested in real-world conditions, can make all the difference when it counts.

    Only 6% of technology leaders in our audience say their backups are regularly tested and validated, while 59% admit their approach still needs improvement. For 20%, backup is viewed as a last resort. Another 8% see it as either a complement to real-time protection or a primary fallback.

    This spread suggests that while backup is widely recognized as important, it’s often treated reactively, not strategically, leaving many recovery plans weaker than they should be.

    Rob Peterson, CEO of Infrascale, emphasized the strategic role recovery plays in resilience. “Chosen vendors and solutions must strategically advance your policies and procedure, ensuring recovery and resumption of operations in a timely manner in the face of pressure.”

    What Post-Cybersecurity Incident Action Is Most Often Overlooked?

    47% of technology leaders agree that after a cybersecurity incident, lessons learned workshops are sometimes missed

    When the dust settles after a cybersecurity incident, what happens next can shape how teams respond in the future:

    Some of the most important actions in incident response are also the ones most likely to be overlooked. Lessons learned workshops stand out, with 47% of technology leaders saying they’re sometimes missed, and another 8% calling them beneficial but still sometimes overlooked. Documentation of the response also reveals gaps, with 28% stating it’s sometimes missed and 2% noting that it’s often beneficial but overlooked.

    Staff debriefings draw a more mixed response. While only 1% say they’re sometimes missed, 6% say they’re often beneficial but overlooked, 2% view them as absolutely crucial and often overlooked, and another 2% say they’re rarely considered overlooked. System patching also slips through the cracks at times, with 4% saying it’s sometimes missed and 2% seeing it as often beneficial but sometimes overlooked.

    A recent systematic review on learning from cybersecurity incidents backs this up, noting that many organizations fail to formalize what they’ve learned after a breach. Without that follow-through, the same mistakes can recur, weakening even the most carefully designed response plans.

    Effective incident response is about being ready before, during, and after a breach, rather than something that kicks in only when things go wrong. The opinions of over 500,000 technology leaders show that while plenty of progress has been made, small changes in process and mindset can make a big difference.

    With focus and follow-through, every incident becomes a chance to sharpen the approach and bounce back even stronger.

    Methodology

    Sourced using Artios from an independent sample of 506,287 United States technology leaders’ opinions across X, Reddit, TikTok, LinkedIn, Threads, and BlueSky. Responses are collected within a 95% confidence interval and 5% margin of error. Results are derived from opinions expressed online, not actual questions answered by people in the sample.

    About the representative sample:

    • 44% of technology leaders are between the ages of 45 and 64.
    • 57% identify as male and 43% as female.
    • 49% earn between $200,000 and $500,000 annually.
    • 44% are based in the Pacific US.
