The Fiction of the 50-Page PDF and Why You Are Still Bleeding

The disconnect between the artifact of preparedness and the action of survival.

The heavy glass door of the electronics suite didn’t just shatter; it exhaled. A pressurized sigh of safety glass hitting the linoleum in 1002 pieces. I was standing three aisles over, holding a lukewarm coffee, feeling the dampness of a spilled puddle soaking through my left sock. There is a specific kind of internal rage that occurs when you step in something wet while wearing socks. It’s a cold, invasive betrayal. It makes you want to burn the whole building down just to get dry. But the alarm was screaming in a rhythmic, high-pitched 122-decibel loop, and the guy in the hooded sweatshirt was already halfway to the service exit with 12 tablets tucked under his arm like oversized playing cards.

The wet sock. The small betrayal that occupies the mind.

My name is Theo N.S., and I’ve spent the better part of two decades in retail theft prevention. You’d think that with all the high-end sensors and the leather-bound ‘Security Standard Operating Procedures’ sitting in the manager’s office, this wouldn’t happen. But that’s the thing about security. The manual is always in the office. The thief is always in the aisle. And my foot is always wet.

Most organizations treat their Incident Response Plan (IRP) like a religious relic. They spend $45002 on a consultant to write it, they bind it in a nice folder, or more likely, they upload it to a SharePoint directory named ‘Compliance_Final_2022_DoNotEdit,’ and then they never look at it again. It sits there, a digital paperweight, providing a false sense of security that is functionally identical to having no plan at all. When the network goes dark and the ransom note appears on the screen in that jagged, terrifying font, nobody is clicking through fifteen sub-folders to find a PDF. They are screaming. They are looking for someone to blame. They are realizing, far too late, that they have a document, but they don’t have a capability.

The Disconnect: Artifact vs. Action

There’s a fundamental disconnect between the artifact and the action. We see this in retail all the time. A store will have a policy that says ‘Observe and Report,’ but when a group of 12 teenagers starts clearing out the fragrance section, the 62-year-old security guard doesn’t remember the policy. He remembers that he doesn’t get paid enough to get punched in the face. The policy assumes a rational environment. A crisis is, by definition, the absence of rationality.

[Figure: The Manual (Artifact): 50 pages, static documentation. Gap. The Crisis (Action): 0 practice, pure adrenaline.]

The Server Outage Timeline

Rack Dies (0 min): Main inventory system quits. No error code.

Contact Lost (5 min): Regional IT Director is 35,002 feet up. Backup fired 52 days ago.

Sales Bleed (30 min): Losing $8002 in sales every hour.

I remember one specific Tuesday (it was the 22nd of the month) when our main server rack for the inventory system just… quit. It didn’t even throw an error. It just died. We spent 242 minutes standing around a terminal, arguing about who had the admin password, while the store hemorrhaged revenue.

This is the fantasy of competence. We write these plans because they make the Board of Directors feel like the ship is being steered. It’s a performance. We pretend that a step-by-step guide can account for the sheer, chaotic creativity of a malicious actor or the simple, grinding friction of human error. But a plan that hasn’t been practiced is just a work of fiction. It’s a script for a play where the actors haven’t had a rehearsal and the stage is currently on fire.

– Theo N.S.

The Gap: Adrenaline vs. Adherence

In my line of work, we call it ‘The Gap.’ It’s the space between what the manual says should happen and what actually happens when the adrenaline hits the bloodstream. If you haven’t run a drill (a real, sweating, uncomfortable, ‘oh-crap-everything-is-broken’ drill), then your IRP is a fairy tale. You need muscle memory, not a table of contents. You need to know that when the CEO is breathing down your neck, demanding to know why the website is down, you don’t go looking for a PDF. You go to the people who actually know how to stop the bleeding.

[Figure: Investment Focus (Training vs. Artifact): 42% Low Skill; 42% Training; 58% Artifacts.]

This is where most companies fail. They starve the investment in human training while over-investing in the ‘artifact’ of preparedness. They want the certificate, not the skill. I’ve seen 42 different versions of ‘Emergency Response’ plans in my career, and the only ones that worked were the ones that were wrinkled, coffee-stained, and kept on the actual desks of the people doing the work. The ones that were three pages long and focused on ‘Who do I call?’ and ‘What is the first thing I unplug?’

The Reality of External Expertise

When you’re in the thick of it, you realize that the external experts are often the only thing standing between you and total liquidation. When our internal team was spinning in circles during that server outage, it wasn’t the manual that saved us. It was the realization that we were out of our league. Organizations like Spyrus exist because they are the ‘break glass in case of fire’ reality that your PDF pretends to be. They are the ones who have done this 10002 times before, while your team is doing it for the first time in a state of sheer panic. There is no shame in admitting that your document is inadequate; the shame is in pretending it isn’t until the building is already ash.

Deep Runbook Knowledge: Beyond the documentation.

Crisis Authority: Delegated decision power.

Speed of Execution: Years of repetition.

Human Friction & Resilience

I think back to that wet sock. It’s a small thing, right? A minor discomfort. But it occupied 32% of my brain capacity while I was trying to handle a theft. In a cyber crisis, your ‘wet sock’ is the fact that your VPN is slow, or your lead engineer is through his third double-espresso and starting to shake, or your PR team has already promised a ‘full restoration’ by noon without talking to anyone in the server room. These are the human frictions that no PDF can account for.

We love to talk about ‘resilience’ as if it’s a software feature. It’s not. Resilience is the ability of a group of people to not fall apart when the plan fails. Because the plan *will* fail. The thief will exit through the front door instead of the back. The ransomware will encrypt the backups first. The person with the decryption key will be at their kid’s 12th birthday party with their phone turned off.

The Index Card Reality Check

If I could take every IRP_v3_FINAL.pdf and throw them into a bonfire, I might. At least then they’d be providing some warmth. Instead, I’d replace them with a single index card for every department. On that card: the three most likely disasters and the two people you call first. That’s it. Everything else is just noise designed to satisfy an auditor.

DISASTER 1 | CALL A & B

I’ve spent 152 hours this year alone sitting in meetings where people argue over the wording of ‘Section 4.2: Stakeholder Communication.’ It’s a waste of breath. When the crisis hits, the stakeholders will be screaming on Twitter (or X, or whatever we’re calling the dumpster fire today) regardless of what Section 4.2 says. What matters is whether or not your technical team has the authority to cut the line without asking for permission from a committee that meets once every 62 days.

Knowing the Broken Door

Authority is the only currency that matters in a crisis.

I finally got that shoplifter, by the way. Not because of the manual. Not because of the 82 security cameras. I got him because I knew the mall’s layout better than he did. I knew that the service exit he was heading for had a faulty latch that required you to pull *up* before pushing *out*. He slammed into it at full speed, bounced off, and I was there to sit on him until the police arrived 12 minutes later. My sock was still wet. I was still angry. But I had the ‘muscle memory’ of that broken door.

Your organization needs to find its ‘broken doors.’ You need to know the quirks of your infrastructure that aren’t documented in the official diagrams. You need to know which legacy database is held together by digital duct tape and hope. And you need to accept that the 50-page PDF is a security blanket for people who don’t actually have to fight the fire.

The Practice Imperative: Find Your Friction Points

82 Minutes Power Outage Drill

2 Teams Locked Out (Slack)

15 Hours Auditing Wording

If you want to be prepared, stop writing and start breaking things. Find out who steps up and who starts looking for the manual. That’s your real incident response plan. Everything else is just expensive fiction.

The Puddle and the Ghost Plan

I’m going to go change my socks now. The dampness has reached my toes, and I can’t think straight anymore. It’s funny how a tiny bit of cold water can ruin your whole day, much like how a tiny bit of unpatched code can ruin a $50,000,002 company. We ignore the small, uncomfortable realities in favor of the grand, comfortable illusions. We’d rather have a 50-page plan that doesn’t work than a 1-page plan that admits we’re vulnerable.

Don’t be the guy standing in a puddle holding a PDF while the thief walks out the door. Admit that the plan is a ghost. Build a team that knows how to hunt instead.

I’ve spent 152 hours this year alone in meetings arguing about procedure. Stop writing. Start doing.

End of Analysis. Actionable Capability > Documented Fiction.