
With 68% of organizations experiencing a significant data breach in the past year, CISOs are preparing strategies that go beyond preventative measures alone. Developing dynamic and proactive incident response strategies is essential as the likelihood and scale of breaches increase in a complex and expanding digital and regulatory environment.
Today an organization’s incident response capability directly impacts its reputation, financial health, and regulatory standing. In our recent webinar led by CEO and co-founder Andy Lunsford, we brought together industry veterans Renee Guttmann (former CISO at Campbell Soup, Royal Caribbean, Coca-Cola, and Time Warner) and Joe Sullivan (former CSO at Uber, Facebook, and Cloudflare) to share their battle-tested insights on incident response communication and reporting.
“I’m pretty sure that the way we’ve always done things isn’t the way we should be doing things now.”
–Renee Guttmann, Founder at Cisohive and Former CISO at Campbell Soup Co., Royal Caribbean, Coca-Cola, and Time Warner
The Communication Challenge in the Heat of Battle
One of the most striking takeaways from this discussion was the critical importance of communication during an incident. As Joe Sullivan pointed out, “If you step back and look at how companies are judged on security incidents, they’re actually judged more on how they communicated than what they actually did.” This perspective highlights a fundamental truth: technical proficiency alone isn’t enough—how you convey your actions to stakeholders matters just as much or perhaps more.
Renee Guttmann emphasized establishing roles and responsibility “guardrails” early, including clear delineation of who can declare an incident and who is delegated to specific parts of the response. “The CISO feels like all of this stuff is their job,” she noted, “but parceling out roles and responsibilities is not necessarily a sign of weakness.” This distribution of responsibilities keeps team members fresh and ensures that communication remains clear despite the chaos.
“If you step back and look at how companies are judged on security incidents, they’re actually judged more on how they communicated than what they actually did.”
–Joe Sullivan, Former CSO at Uber, Facebook, and Cloudflare
Prepare and Exercise: Knowledge is Half the Battle
Both speakers highlighted how companies typically invest heavily in prevention while underinvesting in response capabilities. This misalignment between investment and impact represents a significant gap in many security programs.
Andy Lunsford emphasized the importance of realistic exercises that go beyond theoretical discussions: “When you run an exercise, it’s not just the one day or one session tabletop. Run a simulation across multiple days where people are still doing their full-time jobs… because that’s more realistic to a real incident.”
Tabletops, and how and when to run them, came up throughout the webinar. If you are interested in digging deeper into that topic, we recommend watching Beyond Tabletops, which covers how to streamline cross-functional collaboration to better prepare and build a proactive incident response program. That webinar provides actionable recommendations for evolving your training from an annual tabletop to more comprehensive simulations and exercises, ensuring your team is thoroughly prepared for real-world incidents.
Documentation: Your Future Defense Depends on It
Perhaps most compelling, at a personal level, was the discussion about documentation during incidents, which, if done well, can later be used as a defense in future litigation. While traditional legal advice often discourages detailed documentation to limit potential liability, both speakers advocated for thorough, factual documentation during incident response given their personal and public experiences.
“The more you document the processes upfront, the more you document that you followed the process in the moment; the more you document the details and facts that were present when you made decisions, the better,” Sullivan advised, noting that depositions often happen years after incidents when memories have faded.
“The absence of evidence allows them to twist the worst possible intent about not writing something down.”
–Andy Lunsford, CEO & Co-Founder at BreachRx
Lunsford acknowledged a shift in both regulatory expectations and legal defense strategies: “The absence of evidence allows [adversarial counsel] to twist the worst possible intent about not writing something down.” He noted how BreachRx was specifically designed to address this challenge by creating a “flight data” recording of an incident for all people involved, so that it’s very easy to show you took the right actions at the right time.
Response and Recovery: In The Eye of the Storm
The conversation emphasized several practical yet critical approaches for security leaders to keep in mind when responding to and recovering from an incident:
- Cross-functional coordination: The security leader serves as the “conductor of an orchestra,” ensuring all teams work together effectively.
- Human factors matter: From ordering lunch to ensuring team members get sleep, managing the human aspects of incident response is essential.
- Consistent response matters: Regulators and courts look not just at how you handled major incidents but also at your pattern of practice across all incidents.
- Distribute responsibility: Ensuring company leadership shares the weight of incident response decisions protects both the organization and the security leader.
Why You Should Watch This Webinar
If you’re responsible for any aspect of cybersecurity, incident response, or organizational risk, this webinar offers rare insights from security leaders who have navigated some of the most challenging incidents in corporate history. Their candid reflections on what works, what doesn’t, and how to protect yourself, your team, and your organization provide actionable guidance you can implement immediately.
In a world where security incidents are inevitable, how well you respond may ultimately matter more than how well you prevent. This webinar offers a masterclass in doing exactly that.
Watch the full webinar to get all the insights from these security veterans and learn how BreachRx can help transform your incident response capabilities.