Imagine a room full of CISOs, security managers and crisis specialists. You hand them a realistic data breach scenario, a ticking clock and the assignment to find their way through it together. What would you expect?
Probably this: debate about forensic investigation, discussion about detection technology, disagreements about incident response tooling. What actually happened at the PvIB conference Prevent, Detect, Respond on 19 May was something different. 160 security professionals reached sharp, shared answers to four cyber crisis dilemmas in under an hour. And almost none of those answers were about technology. They were about who has a seat at the table, about when you communicate, about what you do when a supply chain partner withholds the information you need, and about whether you pay.
That is the surprise this experiment delivers, and at the same time the confronting question it raises: if the real challenges in a cyber crisis are governance and communication, what is the sector spending all that preparation time on?
The technical side is ready. The rest is not.
Organisations invest heavily in detection, in tooling, in response infrastructure. But they invest less in the question of who has the mandate when things go wrong, who sits in the crisis team and whether those people know how to make decisions under pressure.
The participants were fast and unanimous: a compact crisis team chaired by an executive with real decision-making authority outperforms a large consultative body. The CISO, Legal and business roles are valuable as support, not as permanent members slowing down every step. Two roles consistently came up as indispensable: a crisis coordinator and a logger (crisis secretary). Without those two, you lose track of what has already been decided while the crisis unfolds.
The supply chain as a blind spot
The scenario that drew the most recognition: a supply chain partner reporting an "irregularity" but sharing little else. You are in your crisis team not knowing whether your connection is compromised, how many customers are affected or when the incident was first observed.
The participants' response was unanimous: waiting is not an option. You escalate immediately, CISO-to-CISO, in parallel with your own impact analysis. Falling back on contractual agreements is counterproductive, because in a crisis you want to work together based on mutual interest, not stand across from each other legally.
But the real lesson sat one layer deeper. If the first time you contact the CISO on the other side of the API connection is during the crisis, you have already lost. Not because you are incompetent, but because you lose precious time on introductions and trust-building precisely when the clock is ticking.
The ransomware dilemma: whose responsibility is it?
The ransom dilemma divided participants the most, but the way they reasoned through it was telling. The majority leaned towards not paying, and the arguments were consistent: payment offers no guarantee, rewards criminal behaviour and is only meaningful if there is proof the threat group actually holds the data.
But more interesting than the answer was the observation underneath it: this is not a technical decision. It is a strategic one, with legal, financial and reputational implications. Yet many eyes turn towards the CISO as the expert, because no one has thought in advance about who actually makes this type of call.
What 160 experts prove together
The participants produced better answers in one hour than many organisations can formulate in days. That is because they shared a common frame of reference, knew each other through the PvIB network and were used to reasoning together under pressure. That is precisely what is missing when a real crisis hits: not the knowledge, not the tooling, but the familiarity with the people on the other end of the line.
What can you do about that right now? Invest in your network before you need it: know the CISO at your supplier, know who leads the crisis team at your service provider and, above all, practise together, so that the first introduction does not happen while the clock is ticking.
The 160 experts in that room proved it themselves. A sector that knows itself responds better.
The insights in this article are based on Operatie NovaStar, a crisis simulation held during the PvIB conference Prevent, Detect, Respond on 19 May 2026, facilitated by CCRC.