Cybervize – Cybersecurity Beratung

Incident Response: Who Decides in an Emergency?

Alexander Busse · February 3, 2026

Incident Response in SMEs: The Underestimated Leadership Challenge

A cyberattack is detected. Systems are compromised. Every minute counts. But instead of swift action, uncertainty prevails: Who is actually authorized to make decisions now? Who has the authority to shut down systems? Who informs management, customers, or authorities?

This situation is more common than you might think in German mid-sized companies. While millions are invested in IT security technology, one critical question remains unanswered: Who bears responsibility for which decisions in an emergency?

Why Technical Solutions Alone Are Not Enough

Many companies rely on modern firewalls, endpoint detection systems, and SIEM solutions. The technical infrastructure is often impressive. However, when an emergency occurs, a critical vulnerability is revealed: missing governance structures.

The problem doesn't lie with the IT department. It lies in how leadership understands security incidents. A security incident is not a purely technical event but a business-critical crisis that requires fast, coordinated decisions at various levels.

The Five Critical Decision Points

During any security incident, certain core questions must be answerable immediately:

1. System Shutdown and Isolation

Who has the authority to shut down production systems? This decision can mean production outages, but it can also prevent ransomware from spreading. Responsibility must be clearly defined, ideally with escalation levels depending on the criticality of affected systems.

2. External Communication

Customers, business partners, authorities, and possibly the public must be informed. Under GDPR, there's even a mandatory reporting requirement within 72 hours for data breaches. Who is allowed to communicate what? Who speaks to the press? These questions must be clarified in advance, not in crisis mode.

3. Engaging External Expertise

Forensic teams, specialized incident response providers, or crisis communication experts may be necessary. But who is authorized to engage them? Up to what budget? Who selects the service provider? These decisions require fast tracks without lengthy approval processes.

4. Insurance and Legal Actions

Cyber insurance must be notified immediately, often with strict reporting deadlines. At the same time, legal action may be necessary. Who coordinates these measures? Who is the contact person for insurers and lawyers?

5. Business Continuity and Recovery

Which systems have priority in recovery? Which business processes must be functional first? These decisions require both technical and business understanding.

The Playbook: Your Emergency Plan for Critical Situations

An Incident Response Playbook is more than a technical guide. It's a management tool that defines clear responsibilities, decision-making pathways, and action instructions.

What Belongs in an Effective Playbook?

Clear Role Assignment: Name specific individuals with backup arrangements. "The IT department" or "management" is not a sufficient assignment of responsibility.

Decision-Making Authority: Explicitly define who can make which decisions, ideally in a matrix based on criticality and impact.

Communication Channels: Create contact lists with 24/7 availability, including mobile numbers and private contact details for emergencies.

Budget Approvals: Define up to which amounts external help can be commissioned without consultation.

Pre-Prepared Communication Templates: Have template drafts ready for customer, authority, and employee communication.

Why This Matters Now, Not Later

The numbers speak for themselves: According to the BSI situation report, the threat from cybercrime in Germany has reached a new record high. Mid-sized companies are increasingly targeted because they often have valuable data but are less protected than large corporations.

In a crisis, there's no time for fundamental discussions. When systems fail, everyone involved must know what to do. Every minute of delay can increase damage, both financially and reputationally.

Compliance and Legal Requirements

For many companies, clear incident response processes are now also a compliance requirement. NIS2, GDPR, and industry-specific regulations demand documented processes and defined responsibilities.

Practical Steps for Implementation

How do you move from recognition to implementation?

1. Workshop with Leadership: Raise awareness among executives and department heads. An incident response plan is a top management priority.

2. Risk Analysis: Identify your critical systems and most likely threat scenarios.

3. Define Roles: Determine who takes on which role in the crisis team. Establish an incident response team with a clear leadership structure.

4. Create Playbook: Document decision-making pathways, responsibilities, and action instructions in writing.

5. Regular Testing: Conduct exercises at least annually. This is the only way to ensure everyone knows what to do in an emergency.

6. Continuous Adaptation: Your playbook must grow with your company and adapt to new threats.

The Real Cost of Unpreparedness

Consider the financial impact of unclear responsibilities during a security incident:

Delayed Response: Every hour of uncertainty can cost thousands in damages and lost revenue.

Regulatory Penalties: Missing the 72-hour GDPR reporting window can result in significant fines.

Reputation Damage: Confused, contradictory communication during a crisis can permanently damage customer trust.

Extended Downtime: Without clear decision-makers, recovery efforts become chaotic and take longer.

Higher Recovery Costs: Last-minute engagement of external experts without proper vetting often means premium pricing.

Building Your Incident Response Team

Your incident response team should include representatives from multiple areas:

IT Security: Technical assessment and containment measures.

IT Operations: System recovery and business continuity.

Legal: Compliance, regulatory reporting, and liability assessment.

Communications: Internal and external messaging coordination.

Management: Strategic decisions and resource allocation.

Human Resources: Employee communication and potential insider threat management.

Each member should have clearly defined responsibilities and decision-making authority within their domain.

Testing Your Plan: Tabletop Exercises

A playbook sitting in a drawer is worthless. Regular testing is essential. Tabletop exercises simulate realistic scenarios without disrupting operations:

Scenario Development: Create realistic incident scenarios relevant to your business.

Facilitated Discussion: Walk through the response step by step, identifying gaps and unclear responsibilities.

Documentation: Record lessons learned and update your playbook accordingly.

Frequency: Conduct exercises at least annually, or whenever significant organizational changes occur.

These exercises often reveal critical gaps that weren't apparent on paper.

Conclusion: Leadership Is Tested in Crisis

A security incident tests not only your IT systems but above all your leadership structures. Companies that proactively define clear responsibilities manage crises faster, more cost-effectively, and with less reputational damage.

The question is not whether a security incident will happen, but when. Prepare your organization now. An incident response playbook is not a compliance exercise for the drawer, but a strategic leadership instrument.

Start today: Check whether your company has documented in writing who is authorized to make which decisions during a security incident. If not, make this topic a priority in your next leadership meeting.

Because in an emergency, the outcome of the crisis is not decided by the best technology, but by the clearest leadership.

Your next steps:

  1. Schedule an incident response planning session with your leadership team within the next 30 days.
  2. Identify your most critical systems and data.
  3. Draft initial role assignments and decision-making authorities.
  4. Engage with specialized consultants if internal expertise is limited.
  5. Plan your first tabletop exercise.

The investment in preparation today will pay dividends when seconds count tomorrow.