Incident response readiness: the questions every board should be asking.

The board question is no longer "Do we have an incident response plan?" It is "Would the plan we have actually work, when tested, against the threats we actually face?"
Board-level oversight of cyber resilience has tightened sharply over the past 18 months. The Cyber Security Breaches Survey shows 68% of large UK businesses now hold cyber security at board level. Insurers ask harder questions before renewal. Regulators – particularly in financial services, telecoms and critical national infrastructure – expect demonstrable evidence of active board engagement, not just an annual update.
What separates organisations that handle incidents well from those that don't is rarely the technology. It is the questions the board asks before an incident, and the honesty of the answers. Eight questions are worth putting on the agenda this quarter.
1. When did we last test the plan against a realistic scenario?
An incident response plan that has not been tested in the last six months against a current threat scenario is, in practice, untested. Tabletop exercises that involve the security team running through familiar steps do not count. The right test involves the executive, communications, legal, HR and the board – with realistic time pressure and an unfamiliar scenario.
2. Who has authority to act, at 3am on a Sunday?
Decision-making authority is the single most common point of failure in real incidents. Boards should know exactly who can authorise a system shutdown, a regulator notification, a public statement or a ransom decision – and who their backup is. If the answer involves checking the org chart, the answer is wrong.
3. How long would it take to detect a meaningful compromise?
Mean time to detect (MTTD) is a security metric, but it is also a board metric. Industry averages remain measured in days for most organisations. Boards should know their actual MTTD against current threat actors, not against the marketing-friendly version of the SOC dashboard.
4. Do we know what "acceptable downtime" actually means in our business?
Recovery time objectives written years ago against systems that have since changed are not a plan. Boards should ask which business processes can survive how long without IT, and whether the supporting recovery capability has been tested against those numbers. The first time anyone discovers the answer should not be during an incident.
5. What is our supply chain exposure?
A meaningful share of incidents now arrive via third parties. Boards should understand which suppliers have privileged access, how that access is monitored, what the contractual notification expectations are, and whether the supplier population has been segmented by risk. "We have a supplier register" is not the answer that should satisfy a board.
6. Are our communications materials current?
Pre-prepared customer notifications, regulator submissions, internal staff communications and media holding statements should exist, be approved by legal, and be reviewed annually. Drafting these in the first hours of an incident is one of the most reliable ways to compound damage.
7. Do we have access to specialist support that is on contract, not on speed-dial?
Incident response retainers, forensic capability, legal counsel and reputation management should be contracted in advance, with response SLAs documented. "We know who to call" is not a plan; it is an aspiration. The first conversation with an IR firm should not be the conversation about commercials at 2am during a live incident.
8. What did we learn from the last near miss?
The most mature organisations treat near misses with the same rigour as full incidents – root cause analysis, lessons learned, board-visible action plans. Most organisations don't, because near misses don't carry the same urgency. Boards should ask for the near-miss log, and ask what happened to the actions from the last review cycle.
What the answers usually reveal
Across the boards we work with, the honest answers fall into three groups. About a fifth can answer all eight questions confidently and with evidence. Roughly half can answer half of them, with a clear plan to close the gaps. The remaining quarter discover, in the act of trying to answer, that the gaps are larger than they thought.
There is no shame in the third group. There is significant exposure, however, in staying there. Incident response readiness is one of the few areas in cyber where the work to close the gap is well understood, costable and deliverable in months rather than years. The question is whether the board chooses to commission it before the incident, or after.