In this blog you will hear directly from Microsoft’s Deputy Chief Information Security Officer (CISO) for Customer Security, Ann Johnson, about the need for proactive planning in cyber incidents, particularly surrounding communications. This blog is part of a new, ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more.
Many companies have strong protocols in place for natural disasters such as earthquakes, fires, and floods. There is a shared understanding that when those events strike, you do not want to improvise your response. You want to act quickly, communicate clearly, and protect what matters most.
Yet when a cyberattack hits—often quietly, invisibly and without warning—many organizations find themselves scrambling. They lack the same level of coordination, rehearsal, and leadership they would apply to a visible crisis. In those moments, when minutes can cost an organization millions, the absence of a tested response plan can be just as damaging as the cyberattack itself. Cyberthreats may be silent, but their impact is loud, and it is time we treat them with the same urgency and discipline as any other disaster.
Two misconceptions about cyber resilience
In my conversations with executives around the world, I have noticed a pattern. Regardless of industry or region, two core misconceptions tend to show up when we talk about cyber resilience. Left unaddressed, both can leave organizations exposed when it matters most.
Misconception #1: “Cyber incidents are usually small and containable.”
This belief often leads to underinvestment in planning and overconfidence in reactive capabilities. Today’s cyberthreats are built to spread quietly and quickly. What begins as a single compromised identity or an overlooked misconfiguration can rapidly evolve into widespread operational disruption. The impact often extends well beyond technical systems, affecting supply chains, customer trust, compliance obligations, and brand reputation. IBM’s 2024 Cost of a Data Breach report estimates that the global average cost of a data breach is $4.88 million, a 10% increase from 2023.[1]
Misconception #2: “This is an IT problem.”
Cyber resilience may start in the security operations center, or SOC, but it does not end there. In a real-world event, it is not just your technical teams who are responding. Your legal team is drafting disclosures, communications teams are shaping external messaging, human resources (HR) is guiding internal coordination, finance is assessing risk exposure, and executives are making decisions under incredible pressure. If only one part of the business is prepared, the whole response suffers.
How to be prepared: turning awareness into actionable steps
How can an organization get cyber resilience right?
Cyber incidents should be treated as inevitable, so the true differentiator for an organization is how well they respond to them. This often comes down to preparation and communication.
First, it must start with alignment at the top. Every function, including legal, finance, HR, communications, security, and leadership, needs to be part of the conversation before the crisis.
While every organization will have a different structure and different thresholds for decision making, the same foundational questions will apply:
- What happens if our systems go down?
- Who needs to know, and how will we reach them?
- What are our obligations—to regulators, to customers, and to employees?
- Who decides, and who communicates?
The answers will vary, but the need for answers will not. Organizations that respond best will have built the same operational foundations in place: clear governance, tested communication strategies, and practiced coordination across business functions.
Here is what I have seen work consistently, across all sectors, scales, and global teams:
1. A clearly defined, living playbook
A response plan only works if it is both clear and current. You need a playbook that lays out roles, responsibilities, and actions in plain language with no ambiguity and no guesswork. At the same time, the plan must be able to evolve. Cyberthreats change, teams shift, regulations update. Your playbook should be a living, breathing document that is reviewed and pressure-tested regularly, and updated to reflect how your organization actually operates. It should cover more than just technical remediation, including who declares the incident, who contacts the regulators, who informs customers and employees, and how those communications are approved and distributed.
2. Decision-making frameworks
In a crisis, time is your most precious asset, and confusion is your biggest liability. Your organization should have a clear process for who makes decisions, how they escalate, and how they get communicated across the business. There should be no room for second-guessing or silos.
3. Backup communication channels
One of the first things that may go down in an incident is your communication systems. Do not assume you will be able to email your way through a crisis. Instead, investigate how you may be able to use other communication channels, like encrypted messaging, redundant systems, or even personal devices, so you are not improvising under stress.
4. Clear ownership of messaging
Before an incident, decide: Who speaks for the company? Who drafts statements? Who approves them? The organizations that can respond with speed and clarity are the ones that already have roles assigned and workflows rehearsed.
5. Regular rehearsals and tabletop exercises
Cyber resilience does not exist in a vacuum. Cross-functional simulations that bring together business leaders, legal, communications, and security are critical. They help teams build trust, refine the process, and identify gaps before bad actors do.
The role of AI in cyber resilience
AI will not stop a cyber incident from happening, but it can change how fast and how well you respond.
That is because resilience today is defined by speed. The faster you can detect, understand, and coordinate a response, the better the outcome. AI helps close that gap by rapidly analyzing logs, alerts, and telemetry to surface what matters most, freeing teams to focus on action, not investigation.
AI also stands to play a growing role in communication during cyber incidents. From drafting regulatory updates to triggering stakeholder notifications, AI can streamline workflows when pressure is highest.
Used well, AI becomes a force multiplier: reducing noise, accelerating decisions, and giving teams the clarity they need to lead with confidence.
Like every technology, there is no one-size-fits-all approach. Cyber resilience should be shaped by the critical functions that define your organization.
Risk tolerance, regulatory expectations, and operational priorities vary by industry. The key is to define what matters most and build your strategy around it.
Cyber resilience as a leadership imperative
Cybersecurity is no longer just a technical function: it is a business conversation, a governance priority, and a core test of leadership. The most resilient organizations are those where accountability is shared, decisions are rehearsed, and security is embedded into every layer of the enterprise. Leadership means actively asking hard questions, demanding cross-functional alignment, and showing up for the rehearsals, not just the results.
Most importantly, cyber resilience is not a one-and-done task, but an inherently continuous discipline. The most prepared organizations are not the ones with perfect answers, but those that keep asking the right questions and refining their approach together.
Hear more from Ann
As the host of Microsoft’s Afternoon Cyber Tea podcast and a frequent speaker at global security forums, Ann brings a boardroom-level perspective to the technical, operational, and cultural challenges shaping today’s security landscape. To hear more of Ann’s insights, tune into Afternoon Cyber Tea or follow her on LinkedIn for updates on Microsoft’s cybersecurity transformation, security innovations and leadership during disruption.
Learn more
For a summary of our Enterprise Resilience and Crisis Management Program, which encompasses Enterprise Resilience, Business Continuity Management, and Crisis Management, as well as information about some of our specific products and their Business Continuity and Disaster Recovery (BCDR) capabilities, read the Microsoft External Customer Statement.
To learn how Microsoft supports customers in achieving their resilience and Business Continuity and Disaster Recovery (BCDR) goals, and how to leverage Microsoft’s robust tools to ensure resilience and continuity in the face of disruptions, read Enabling Customer Resilience in the Cloud.
[1] Cost of a Data Breach, IBM, 2024.