The Threshold Moves With Practice
Effective IR comms is built through consistent low-level stress exposure before crises arrive. The same neurological principle that makes experienced cave divers capable under pressure applies directly to security teams. Use small incidents to move the threshold.
Years ago, my therapist recommended I read John Ratey's book Spark because it explains the impact of consistent physical challenge on the brain, and at a time when I was far more invested in my mental health than my fitness, that framing was the thing that finally made exercise feel worth doing.
Ratey explains how low-level stress, applied consistently, raises the threshold at which your body mounts a full stress response. The field of science is called neurophysiology and includes the biology and chemistry behind how neurons fire, how the brain processes signals, and how those processes produce behavior, thought, and physical response. Ratey draws on this to explain how exercise changes brain chemistry, not just body composition. In a nutshell, he points out how regular moderate stress makes our neurons more resilient to acute stress, shifting the trigger point. What used to put you in fight-or-flight-or-freeze can eventually become manageable background noise.
Ratey's focus is the relationship between exercise and the brain (my therapist knew she could strengthen my commitment to exercise if I understood it was an investment in caring for my brain), but the core principle extends even further and it’s something I think about often in my professional and personal life.
I've been a scuba diver for years. When I started, the cognitive load of every dive was enormous — buoyancy, air consumption, depth, buddy checks, current, time, navigation, etc. Each variable demanded active attention and panic was one equipment malfunction away from becoming a real threat.
That's not the case anymore.
Consistent training didn't merely teach me what to do when something goes wrong underwater; it also moved those responses lower in my brain. The tasks that used to require deliberate thought, like clearing a flooded mask, responding to a free-flowing regulator, managing a controlled ascent when something goes sideways, now happen with less cognitive overhead. Essentially, my nervous system has been recalibrated and the threshold for what registers as a genuine emergency is higher because I've trained at the uncomfortable edge repeatedly enough that the edge itself moved.
This is not the same thing as knowing the right procedure intellectually. You can memorize every dive table and emergency protocol and still freeze the first time visibility drops to zero and you can't tell which direction is up. Knowledge lives in your prefrontal cortex, but our trained responses live somewhere older and faster — and the goal of repetition is to move our knowledge to that same place.
Cavern diving added another layer to this for me. Stratis Kas, author of Close Calls (an anthology of technical diving incidents), describes what it feels like to become disoriented in a cave, writing that unlike a car accident, where fear arrives and passes in seconds, getting lost in a cave means sustained, prolonged uncertainty. You process the fear, and then you reprocess it, over and over, while still needing to function. That specific experience of managing yourself across an extended incident rather than a single acute moment profoundly changes something in a diver. I've had moments in cavern dives where I had to stay methodical through conditions that had no quick resolution. It’s a different kind of training than drilling a single emergency response because what I'm really practicing is not coming apart over an extended period of time while scared and under pressure.
I’ve observed the same logic in effective incident response. Most security teams practice incidents the way I used to do dive checklists as a newly certified diver: reviewing the steps, confirming they know the procedure, and filling out reports. That's not nothing, but it's also not the same as training the nervous system. And it especially doesn't prepare you for the reality Kas describes and that many of us have learned throughout our careers in security — that serious incidents aren't over quickly. In fact, they can play out over weeks, months, and sometimes years. This kind of stress isn't a spike. It’s a sustained condition in which we have to operate, regulating our emotions and maintaining discipline in our strategy.
With consistent, regular practice, you can recalibrate the stress threshold so that you enter your next prolonged event from a different starting point. The cave is still the cave, but you're not burning through your cognitive reserves in the first hour just managing the fact that it's happening. Low-level, repeated stress exposure builds a nervous system that doesn't treat the hard thing as a complete surprise.
The Discernible Experience is built on exactly that premise. Weekly, hour-long sessions with a small group of security peers give our subscribers the low-level stress exposure that shifts the threshold. When you're in a room where an incident scenario is unfolding in real time and you have to communicate decisions to a skeptical stakeholder (let’s be honest, it’s usually a lawyer), draft a customer notification under pressure, or coordinate messaging across sales, social media, and regulators simultaneously — that's the stimulus. But it’s no longer a catastrophic crisis stimulus. Instead, it’s a manageable, repeatable, uncomfortable-enough-to-matter stimulus.
Do that enough times and your stress threshold for the real thing moves and the cognitive load drops. The tasks that used to consume enormous mental bandwidth, e.g. what do we say, to whom, in what order, with what level of detail, etc., start to run on a lower channel, leaving you with more capacity for high-judgement decision-making because the basic mechanics are no longer eating up your working memory.
I also want to note an important reframe that would help a lot of organizations right now – the goal isn't just to survive the big incidents, but to use the smaller ones to our advantage. Every minor security event your organization responds to is a training stimulus, if you treat it that way. The team that debrefs a low-severity phishing response with the same rigor as a disruptive ransomware event is building the same kind of recalibration I got from cavern diving because we grow more not from the catastrophic moment, but from the accumulated reps at the uncomfortable edge. Ultimately, the big incidents become less consequential because the small ones already moved the threshold.
There's something else worth explicitly naming here because it's where most security communication programs stop too short.
Ratey’s principle applies not just to incident response, but to proactive security communication in general. Security leaders who communicate regularly with their boards, peers, and cross-functional teams (and not only during crises) are doing the equivalent of consistent low-level training for these relationships. They're building a nervous system, organizationally speaking, that doesn't spike when a hard conversation needs to happen, meaning the company’s relationship with customers or regulators isn't a crisis communication relationship and your relationship with the CEO doesn't depend on a breach to activate it.
Voluntary, routine security communication is how you raise the organizational stress threshold before you need it. By the time a serious incident hits, the channels exist, the trust is established, and the cognitive load of "how do I explain this to people who don't share my mental model" is lower because you've done the reps.
That's the architecture of truly effective security communication programs. It’s not about a communication plan that only activates during incidents. It’s a communication practice that makes incidents less catastrophic when they arrive.
Ratey's point, at its core, is that the brain is trainable in ways we tend to underestimate, and that challenge, applied consistently and at the right level, makes us more capable, not just more knowledgeable. That's as true underwater and in a cave as it is in the quarterly board meeting where a CISO explains risk tolerance to people whose job is not to know how CVEs are issued.
The whole reason for building the practice before you need it is that practice moves the threshold.
The Discernible Experience is a weekly, one-hour session for security professionals who want to build that practice. Small groups, real scenarios, and low-level stress applied consistently. If you're ready to start moving your threshold, you can subscribe at discernibleinc.com/experience.