Table of contents
- Incident response: why it’s not (just) a technical issue
- IT, legal, and communications operating in silos
- Decision-making delays during a ransomware attack
- Chaotic Slack chats during an incident
- The myth of “spontaneous communication”
- When information doesn’t arrive or arrives distorted
- Incident response as a leadership problem
- Why these problems only appear during real incidents
- Integrating communication and security: a mindset shift
- Conclusion: security is a human problem
When an organization suffers a security incident, especially a ransomware attack, attention almost immediately shifts to technical aspects: the malware, the entry vector, missing patches, failed backups. This reaction is natural, but often misleading. In practice, many incident response failures are not caused by technological limits, but by organizational and internal communication breakdowns.
This article explores a rarely discussed yet critical editorial angle: why internal communication is often the real weak point during a cyber incident. We will analyze what happens when IT, legal, and communications teams operate in silos, why decision-making delays dramatically worsen ransomware incidents, and how chaotic Slack chats turn into a risk multiplier instead of a coordination tool. This is not a firewall problem. It is a people and process problem.
Incident response: why it’s not (just) a technical issue
In cyber security theory, incident response is usually described as a clean sequence of phases: identification, containment, eradication, recovery, and lessons learned. On paper, it looks linear and almost mechanical. In reality, incidents are chaotic, stressful events where people operate under pressure with incomplete information.
Most frameworks implicitly assume smooth communication and a clear decision-making chain. When that assumption fails, the entire process breaks down. Not because security teams don’t know what to do technically, but because they don’t know who is authorized to decide, with which information, and within what timeframe. This vacuum leads to hesitation, conflicting actions, duplicated efforts, and delays that amplify the impact of the attack.
IT, legal, and communications operating in silos
One of the most common problems during incidents is the rigid separation between corporate functions. IT and security teams focus on containment and recovery. Legal teams focus on compliance, regulatory notifications, and liability. Communications teams focus on messaging to customers, partners, employees, and the media.
The issue is not that these priorities differ—that is expected. The issue is that these functions often fail to communicate in a structured way. Each group treats the incident as “their domain,” leading to disconnected or even conflicting decisions. IT may shut down critical systems without informing legal of data protection implications. Communications may draft public statements without understanding what is confirmed and what is speculation. Legal may freeze all external communication, creating silence and mistrust.
This siloed approach turns a single cyber incident into multiple internal crises, exactly when unity is most needed.
Decision-making delays during a ransomware attack
Ransomware attacks clearly show how internal communication failures worsen incidents. A typical scenario unfolds quickly: systems are encrypted, alerts are triggered, and the security team needs immediate decisions. Should systems be isolated? Shut down entirely? Should management be informed right away?
This is where the first bottleneck appears: who has decision authority. If roles were never defined in advance, every action becomes a debate. The IT manager waits for the CIO. The CIO waits for legal input. Legal requests more technical detail. Meanwhile, attackers move laterally, exfiltrate data, or complete encryption.
In ransomware incidents, time is a strategic variable. Every hour of indecision expands the damage. Yet many organizations fall into paralysis simply because decision-making paths were never clearly defined. This is not a skills issue; it’s a governance failure.
Chaotic Slack chats during an incident
Tools like Slack or Microsoft Teams have become default communication channels during incidents. In theory, they should improve coordination. In practice, they often do the opposite. During a major incident, chats explode with messages: parallel threads, repeated questions, contradictory updates, and emotional reactions.
The problem is not the tool, but the absence of communication rules. Everyone posts everything. Decisions are buried in message floods. Nobody knows which instruction is the latest valid one. People joining the conversation late act on outdated information.
In some cases, chat platforms become an additional risk: sensitive data, indicators of compromise, or legal discussions are shared without control, creating compliance and security issues. What should be a coordination layer becomes a chaos amplifier.
The myth of “spontaneous communication”
Many organizations assume that, in a crisis, “people will talk to each other.” This is a dangerous myth. Under stress, communication quality degrades. Messages increase, but clarity decreases. Assumptions replace verification. Noise replaces signal.
Effective incident response communication is not spontaneous—it is designed. It requires predefined roles, dedicated channels, and clear rules. Without this design, even highly skilled teams operate inefficiently. Ironically, organizations invest heavily in security technology but rarely invest comparable effort in designing the communication processes that should govern its use.
When information doesn’t arrive or arrives distorted
Another frequent failure involves the quality of internal information. During incidents, data is incomplete and constantly evolving. Without a validation and synthesis mechanism, every update is treated as final. The organization swings from “limited incident” to “total compromise” and back again.
Management receives conflicting messages and loses confidence in the technical team. The technical team, feeling pressure, either over-communicates uncertainty or retreats into silence. This feedback loop increases confusion and delays, further degrading the response.
Incident response as a leadership problem
In many incidents, the real breaking point is the absence of clear leadership. A capable SOC or CISO is not enough if no one has the explicit mandate to coordinate across departments. Incident response requires a leader, or a small command structure, with authority to make fast, imperfect decisions and communicate them clearly.
This role is not purely technical. It must understand legal, operational, and reputational implications. It must translate technical risk into business language and business priorities into technical action. Without this bridge, organizations fragment precisely when they are most vulnerable.
Why these problems only appear during real incidents
Internal communication weaknesses often remain invisible until a real incident occurs. Tabletop exercises are frequently too clean and controlled. Participants know it’s a simulation. Stress is low. Time pressure is artificial.
Real incidents occur at night, on weekends, or during peak operations. That’s when outdated contact lists, unclear escalation paths, and undefined channels reveal themselves. Communication becomes reactive and improvised. And improvisation is one of the fastest ways to lose control of a cyber incident.
Integrating communication and security: a mindset shift
Solving this issue requires a fundamental shift. Internal communication is not an accessory to incident response; it is a core capability. It must be designed with the same rigor as technical defenses. This means defining in advance who communicates what, to whom, and through which channels.
It also means accepting that information will never be perfect during an incident. Consistency and speed often matter more than absolute accuracy. Strong internal communication reduces anxiety, accelerates decisions, and enables coordinated action.
Conclusion: security is a human problem
Cyber incidents expose organizations. Not just their technical vulnerabilities, but their human and organizational weaknesses. When incident response fails due to internal communication, technology becomes an easy scapegoat, but the diagnosis is wrong.
The real work lies in building an organizational culture where crisis communication is structured, integrated, and practiced. Because cyber security is not just about bits, malware, and firewalls. It is about people trying to understand each other when it matters most.
Questions and answers
- Why does incident response often fail?
Because of poor internal communication and unclear decision-making authority.
- What role does internal communication play during ransomware attacks?
It enables fast, coordinated decisions across IT, legal, and management.
- Why are organizational silos dangerous in cyber incidents?
They create delays and conflicting actions that increase damage.
- Do Slack and Teams help during incidents?
Only if governed by clear rules; otherwise, they increase chaos.
- Who should lead communication during a cyber incident?
A role with cross-functional authority and business-level visibility.
- Is the problem a lack of technical skills?
No, it’s primarily an organizational and governance issue.
- How can decision delays be reduced during ransomware incidents?
By defining roles, escalation paths, and authority in advance.
- Are tabletop exercises enough?
Only if they realistically simulate stress, ambiguity, and communication pressure.
- Does internal communication affect external reputation?
Yes, internal confusion leads to inconsistent or damaging external messages.
- What is the first step to improving incident response?
Designing internal communication as a core security capability.