An enterprise-wide crisis strategy is never complete; it must evolve as new threats appear.
In today’s rapidly changing IT world, crisis strategies become outdated very quickly, a fact that often goes unnoticed, said Roman Rylko, CTO at Python development firm Pynest. “New services, integrations and roles emerge, and all of them can become new points of failure or attack.”
Erez Tadmor, field CTO at network security firm Tufin, agreed, explaining, “Crisis strategies tend to age faster than organizations realize.” He noted that technology stacks evolve, dependencies increase and new threat vectors emerge frighteningly fast, especially as companies increasingly rely on cloud services, third parties and distributed teams. “Regularly revisiting the strategy ensures that leaders understand how a crisis would actually unfold today and whether decision paths, ownership and escalation still make sense in a more interconnected environment.”
First steps to mitigation
A crisis strategy should clearly define who’s empowered to make decisions, set priorities and monitor how teams respond, Tadmor said. “The focus should be on the overall business impact, rather than just technical failure,” he added. Tadmor said the plan should also include realistic options for containment and mitigation. “Additionally, it should address the steps that can be taken to prevent disaster when patching or full remediation solutions aren’t immediately available.” Communication planning is equally critical, both internally and externally, he advised.
Key strategy elements should include defining clear roles and responsibilities, creating incident scenarios, establishing communication channels and integrating with monitoring and automation tools, said Pavlo Tkhir, CTO at software development firm Euristiq. “In our experience, automated alerts and dashboards significantly reduce response times, allowing the team to quickly localize and neutralize threats,” he said.
The value of the plan is in the timing
At a minimum, a crisis strategy analysis should be conducted every six months, Rylko advised. “Yet, when dealing with rapidly changing teams, I would recommend doing an analysis quarterly.” He added that a strategy analysis consumes significant time and resources, but a nonfunctional plan can be far worse in the long run.
Many organizations can benefit from more frequent updates, Tadmor said. “Major architectural changes, acquisitions, regulatory shifts or high-profile industry incidents are all good triggers to reassess whether the strategy still reflects operational reality.”
Avoiding more mistakes
The biggest mistake is updating the crisis strategy plan without addressing behavior, said Conrad Bell, chief information security officer at C Spire, a regional wireless and advanced technology services provider. “Many plans look good in a binder, but they haven’t been tested or challenged based on real-world lessons.”
Bell noted that another common issue is failing to involve nontechnical stakeholders in the planning, including legal, communications and executive leadership. “A crisis strategy only works if the entire organization understands their roles and responsibilities and supports the plan.”
Tkhir said his company reviews its strategy quarterly and after each incident to take into account new technologies, regulatory updates and identified vulnerabilities. “The main mistake CIOs and CTOs make is assuming that a strategy will always work while failing to account for changes in infrastructure, team composition and external factors.” This approach, he said, often leads to delayed responses and increased damage.
“The simpler the plan’s language, and the fewer steps it contains, the higher the chance that the strategy will actually be executed precisely,” which can minimize risks, Rylko said.
Final thoughts
A modern crisis strategy should assume disruption will happen eventually, Tadmor said. “The real differentiator isn’t avoiding incidents entirely, but being able to limit impact, protect what matters most and make confident decisions under uncertainty.” He added that organizations that understand their dependencies and rehearse their response are far better positioned when a crisis does occur.
“In a crisis, it’s crucial to maintain a balance between speed and discipline,” Tkhir said. “Panic exacerbates problems, while a formal process that’s too slow wastes valuable time.” An effective crisis response strategy combines planning, automation and human oversight. That combination helps organizations minimize risks and recover quickly, he said.
Successful crisis responses are usually driven by preparation rather than heroics, Tadmor said. “The teams that perform best already understand system dependencies and business priorities, allowing them to act quickly even with incomplete information.” Getting the jump on early containment, transparent communication and iterative decision-making can lead to more effective results than waiting for perfect clarity, he explained.
Ultimately, leadership must drive crisis management, Bell said. “Technology matters, but clarity, trust and decisiveness matter more.” Organizations that have already agreed on how decisions will be made under pressure respond best to a crisis, he said. “A good crisis strategy doesn’t just protect systems — it protects confidence, credibility and the business itself.”

