Cybersecurity executive and former CISO Lora Vaughn, CISSP, joined ISC2 Insights to discuss the issue of incident response plans and why many of them fail to deliver when called on.
A persistent challenge facing organizations across all sectors today is the failure of incident response (IR) plans when they are needed most.
Vaughn discussed how the failure to review, test and evaluate plans is among the factors that undermine their effectiveness when they are put into play. Misconceptions, assumptions, outdated scenarios and blind spots, poor integration and poor escalation plans are just some of the pitfalls.
Overcoming Organizational Complacency and Weak Testing
A significant problem, according to Vaughn, is organizational complacency. Although many companies conduct annual reviews of their incident response plans, these reviews often become superficial exercises. Plans may still contain outdated contact information, references to former employees or obsolete technologies because organizations simply “rubber stamp” updates rather than conducting meaningful evaluations. The existence of a plan is therefore mistaken for preparedness, even when the document is no longer fit for purpose.
Vaughn also highlighted another common weakness: inadequate testing. Many organizations conduct tabletop exercises or incident response drills because regulations require them to do so. However, they frequently use the same scenario year after year. Vaughn compares this to the definition of insanity—repeating the same activity while expecting different results. If teams rehearse the same ransomware scenario every year, they do not develop the skills needed to deal with unexpected events. Instead, exercises become compliance-driven tick-box activities rather than opportunities for learning and improvement.
Organizations must become more creative in their testing and planning, Vaughn noted. Effective exercises should make participants uncomfortable by challenging assumptions and forcing them to confront difficult, unexpected situations. Threat actors are constantly innovating, so defenders cannot afford to limit their imagination. By developing more creative, realistic and demanding exercises, organizations can build the adaptability and resilience needed to respond effectively when real incidents occur. Ultimately, Vaughn’s message is clear: preparedness comes not from having a plan, but from continuously testing, challenging and improving it.
