Incident Response in 2026: Your Plan Is Not Your Preparation


Every organization has an incident response plan. It lives in SharePoint, or a shared drive, or a binder on the CISO's shelf. It was written by consultants, approved by the board, and reviewed once a year. It checks the compliance box.

It is also, almost certainly, the last thing anyone will think of when a real breach happens at 3 AM on a Saturday.

The military has a phrase for this: train as you fight. The idea is simple — if you only practice in calm, controlled conditions, you will fail when conditions are chaotic, stressful, and unforgiving. Cybersecurity is learning this lesson the hard way. IBM's 2025 Cost of a Data Breach Report found that the average breach now costs $4.44 million globally — and $10.22 million in the United States. Organizations with well-tested incident response plans saved $1.49 million compared to those without. The difference is not having a plan. It is having practiced it.

What We're Seeing

1. The Shelfware Problem: Plans That Nobody Remembers Under Stress

The trend: Most organizations treat incident response training as an annual compliance exercise. A tabletop discussion, facilitated by a consultant, where executives walk through a hypothetical scenario in a conference room. No time pressure. No real systems. No cascading chaos. OrbitalFire's 2026 analysis puts it plainly: "A plan on a shelf is just another PDF." IANS Research's 2026 CISO Benchmark confirms that most organizations catch more gaps in one tabletop exercise than in months of planning — yet exercises happen once a year, if at all.

The economics reinforce the problem. A single tabletop exercise costs $10,000-50,000. A red team exercise costs $100,000-500,000. At those prices, organizations run one or two per year — then spend eleven months forgetting what they learned. Knowledge decays. Staff turns over. New threats emerge. By the time the next exercise happens, the team is starting from scratch.

What it means for your business: Your incident response plan was written for a calm, rational version of your team. The version that shows up at 3 AM after a ransomware attack is a different team entirely. They are stressed, sleep-deprived, making decisions with incomplete information, and coordinating with people they rarely work with. If they have not practiced under those conditions, the plan is decoration.

The military trains constantly — not because soldiers forget how to shoot, but because coordinated response under pressure is a perishable skill. Cloud Range and Immersive Labs are bringing this philosophy to cybersecurity with live-fire simulation platforms, but adoption remains limited. 76% of SOC analysts report alert fatigue, and the average analyst burns out in two years. They are not failing because they lack knowledge — they are failing because they have never practiced using that knowledge under real pressure.

What happens if you wait: IBM found that nearly two-thirds of breached organizations are still recovering beyond 100 days. Organizations that contained insider incidents in under 31 days spent $10.6 million — those that took over 91 days spent $18.7 million. Speed is not a nice-to-have. It is an $8 million difference. And speed comes from practice, not from reading a document.

2. The Coordination Problem: Ten Stakeholders, Zero Rehearsal

The trend: When a serious incident hits, the response involves far more than the security team. Technical analysts contain the breach. IT engineers restore systems. The CISO assesses risk and briefs the board. The CEO decides what to communicate publicly. The General Counsel evaluates legal exposure and notification obligations. Communications drafts press statements. HR manages internal messaging. And all of this happens simultaneously, under pressure, on a clock.

Sygnia's incident communication research highlights the core challenge: these teams have fundamentally different needs. The CISO needs technical accuracy. The CEO needs a two-sentence summary. Legal needs to know the notification deadline. Communications needs a statement that does not admit liability. The board needs to understand fiduciary exposure. Each stakeholder speaks a different language, operates on a different timeline, and has different priorities — and they almost never practice coordinating with each other.

Infosecurity Magazine reports that communications and stakeholder management are rapidly becoming core CISO competencies. Yet FTI Consulting's survey found that nearly one in three executives believe their CISO hesitates to inform leadership of potential vulnerabilities — a trust and communication gap that exists in calm times and explodes during a crisis.

What it means for your business: The hardest part of incident response is not technical. It is getting ten people who do not normally work together to make coordinated, time-sensitive decisions with incomplete information. Consider what happens in the first two hours of a ransomware attack:

  • Security analysts are triaging — they do not yet know the full scope
  • The CEO is asking "how bad is it?" — no one can answer yet
  • Legal is asking about GDPR's 72-hour notification clock — the clock started, but the scope is unknown
  • Communications is getting calls from journalists who somehow already know
  • A board member is calling the CEO directly
  • IT is deciding whether to shut down systems (stopping the bleeding but halting the business)

Without pre-established coordination — a shared command structure, clear escalation paths, agreed communication protocols — each team improvises. Conflicting information goes out. The wrong person talks to the press. Legal discovers a notification was missed. Microsoft's CISO resilience report stresses that these partnerships must be built before the crisis, not during it. But how often do CEOs, General Counsels, and Communications Directors actually sit in a room and rehearse their coordinated response to a breach? For most organizations, the answer is never.

What happens if you wait: Sygnia warns that companies are often judged less on the breach itself and more on how they handle it. Inadequate, inaccurate, or inconsistent communication during a crisis can damage customer loyalty, tank market performance, and cost individuals their jobs. The technical response can be flawless — and the company still loses if the coordination and communication fail.

3. Regulation Is No Longer Asking If You Have a Plan — It Is Asking If You Have Practiced It

The trend: European regulations have shifted from requiring incident response plans to requiring proof that those plans have been tested. NIS2 mandates tabletop exercises and clear incident response procedures across essential and important sectors. DORA goes further: financial entities must conduct mandatory resilience testing, including annual penetration testing for critical systems and threat-led penetration testing (TLPT) every three years. Both frameworks impose identical reporting timelines — 24-hour early warning, 72-hour detailed report, one-month final report — and both hold the management body personally responsible.

ISACA's 2025 white paper on NIS2 and DORA convergence is explicit: compliance is no longer the sole responsibility of the IT department — it is a team sport. The lack of management involvement is not an excuse; it is negligence. Meanwhile, cyber insurance premiums have increased 50-100% since 2023, and insurers are increasingly requiring evidence of regular testing — not just the existence of a plan, but documentation that the plan has been exercised, gaps have been identified, and remediation has occurred.

What it means for your business: If you operate in Europe — or serve European customers — the question is no longer "do we have an incident response plan?" It is "can we prove we have tested it, and that our leadership team knows their role in it?" Regulators are not accepting intentions or roadmaps anymore. Kymatio's 2026 compliance manual notes that supervisory audits are actively underway across the EU. Organizations that relied on paper compliance are discovering that having a plan and demonstrating readiness are fundamentally different things.

The regulatory pressure creates a second, less obvious challenge: frequency. NIS2 and DORA do not say "test once a year." They expect ongoing readiness. But at $10,000-50,000 per tabletop exercise — plus the scheduling burden of getting executives, legal, and communications in the same room — most organizations cannot afford to test more than once or twice a year. The result: regulatory expectations outpace organizational capacity to meet them.

What happens if you wait: The enforcement mechanism has teeth. NIS2 fines can reach €10 million or 2% of global annual turnover. DORA adds sector-specific penalties for financial entities. Validato's compliance guide warns that organizations subject to both frameworks must reconcile overlapping demands across supply chain security, incident reporting, and business continuity — making a holistic, tested approach not just advisable but legally necessary.

How This Connects to Your Business

  1. Measure your practice frequency, not your plan completeness. Ask your CISO: how many times did we exercise our incident response plan last year? Who participated? What gaps did we find? If the answer is "once, with the security team," your plan has not been tested — it has been discussed.
  2. Include non-technical stakeholders in exercises. The CEO, General Counsel, and Communications Director need to practice their roles under pressure, not just the technical team. The coordination between these functions is where most incident responses fail — and it is the part that is almost never rehearsed.
  3. Treat regulatory testing requirements as an investment, not an overhead. NIS2 and DORA are forcing organizations to do what they should have been doing anyway: proving readiness, not just planning for it. The organizations that embrace frequent, realistic exercises will not only pass audits — they will respond faster, coordinate better, and recover cheaper when the real incident comes.

The gap in this market is not technology. There are more security tools than any organization can deploy. The gap is preparation — realistic, frequent, multi-stakeholder preparation that builds the muscle memory to respond under pressure. The organizations that close this gap will not just survive incidents better. They will turn incident readiness into a competitive advantage — in board confidence, insurance premiums, regulatory posture, and customer trust.
