Organizations Lack Sufficient Decision Frameworks to Expand Incident Response Options
The security leaders with the most options during an incident built them long before it happened using consistent, values-based decision frameworks as relationship tools. Communication strategy shapes how your organization decides, not just how it explains.
After five years of Discernible, this is my #1 concern.
As we mark Discernible’s fifth anniversary, I find myself reflecting on the most profound insight from our journey:
Your choices today directly determine what options will be available to you during a security incident tomorrow.
The Decision Trail That Leads to Crisis (or Success)
When an organization faces a security incident, what appears as a sudden situation is usually the culmination of hundreds of previous decisions. The disturbing pattern I've witnessed over these five years is how few organizations recognize this connection until it's too late.
The reality is stark. The series of decisions and context leading into an incident — the entire "how did we get here?" story — directly impacts and often severely limits the choices available for managing our response. When you've consistently made expedient rather than secure decisions, failed to document critical systems, or neglected communication channels with stakeholders, those past decisions drastically narrow your response options.
Most concerning is how many organizations expect they will somehow make better decisions under the intense scrutiny of an incident, even when they struggle with cross-functional relationships during normal operations. Neither research nor experience supports this expectation.
The Communication Gap: Why Security Teams Struggle to Influence Outcomes
This disconnect stems from a critical communication failure: security and privacy teams often possess the technical knowledge to identify risks and recommend appropriate controls, but many lack the persuasive communication skills needed to influence organizational decision-making.
This is precisely why our business focuses so intensely on helping security and privacy professionals become more effective communicators and insider influencers. The most technically sound recommendation means nothing if it fails to persuade decision-makers to act.
The security teams that successfully shape organizational decisions — and by extension, create more favorable options during incidents — invest in strategic relationship building and accumulating political capital on an ongoing basis. They don't just deliver technical assessments; they cultivate trust across departments, build alliances with business leaders, establish credibility through consistent follow-through, and carefully choose which battles to fight. When incidents occur, these relationship investments become invaluable currency.
Senior Leaders: The Critical Link to Executive Decision-Making
This communication challenge escalates for senior security and privacy leaders when engaging with the C-suite and board. These interactions determine whether security considerations integrate into the organization's highest-level decisions or remain perpetually siloed.
The most effective security leaders we've worked with excel at three specific communication practices:
- Translating technical risk into a business context that connects directly to metrics and objectives executives already care about.
- Providing decision frameworks rather than binary choices, helping executives understand the full spectrum of options and associated tradeoffs.
- Building narrative continuity by consistently connecting current recommendations to past decisions and future scenarios, creating a coherent story arc that executives can follow over time.
These practices help establish security as a business enabler rather than a cost center or obstacle, fundamentally changing how executives factor current and future security into their decisions.
Frequent Practice Builds Muscle Memory
Our core belief continues to be that effective security communications must be proactive, not reactive. More than a philosophy, this is a practical reality we've observed across numerous organizations. Those that wait until an incident to develop their communication strategy invariably struggle, while those that proactively build communication capabilities navigate incidents with significantly more success.
This experience drives our subscription service, Discernible Experience, built around the understanding that security communications work best when practiced frequently rather than activated only during a crisis. Through frequent exposure to different types of incident communication tasks – from technical team briefings to customer education campaigns – security professionals develop the communication muscle memory needed to perform under pressure.
I often tell clients that incident communications is not like a caterpillar waiting to emerge dramatically as a butterfly when trouble strikes. It's more like a dung beetle that constantly rolls, tunnels, and lives in dung to provide plant roots with nutrients and help spread seeds by burying them deep in the soil, protecting them from animals and increasing their chances of germination. Not the most glamorous metaphor, but profoundly accurate. The daily, unglamorous work of building communication muscle memory creates resilience when incidents occur.
Values-Based Communication is a Strategic Advantage
As we look to the next five years, we are committed to helping organizations recognize that consistent, values-based communication about security is not just a risk management tactic – it's a strategic advantage.
When security teams can effectively communicate and influence decisions before incidents occur, they create an environment where:
- Security considerations become naturally integrated into business decisions.
- Technical debt is recognized as a future limitation on incident response.
- Investments in security capabilities are understood as investments in business resilience.
- Response options during incidents are expanded rather than constrained.
The organizations that weather security incidents most successfully are those whose response feels authentic because it's built on consistent, values-based decision-making before, during, and after incidents occur. They don’t demonstrate a stark pivot to a crisis persona. Instead, we see a continuation of the same principled approach to how they always make decisions, operating under more challenging circumstances.
Organizations that upgrade incident response communications into proactive programs can help avoid incidents or significantly improve how those incidents affect customer trust and brand reputation.
A Final Thought
Some security incidents are truly unavoidable, but many are not. Our experience has shown that the creation, scope, and impact of nearly every incident are directly shaped by the quality of decisions and communications that preceded it.
Define now how you want to be perceived when something goes wrong, including the values, ethics, and characterizations you want associated with your brand. Then, deliberately build those things into how you communicate about security and the decisions you make every day.
This is the wisdom I wish every company understood before they face their first significant security incident: Your response capabilities are being built or diminished with every security conversation you have today.
---
As we celebrate this milestone, I'm grateful for the trust our clients have placed in us and for the lessons they've helped us learn. Here's to building organizations where security communication excellence is a daily practice!