Inside the Mind of a Cybersecurity Crisis Leader: Lessons from the Frontlines

Whether you’re a CISO, CEO, or board member, you will eventually get the call — the one that jolts you awake in the middle of the night. Your heart will leap. Your mind will race. But amid the panic, it’s important to remember: This is the moment to gather information, evaluate options, make decisions, and take action. In other words, it’s time for leadership. I’ve been there. I’ve stood alongside teams navigating crises, and I’ve led teams through the chaos of recovery. 

The challenge is never just technical — it’s deeply human. Leaders must ask themselves: How do I demonstrate leadership in this moment? How do I make decisions with limited information and marshal every available resource to stabilize, confront, and resolve the problem?

The SONAR Method: A Model for Cybersecurity Crisis Leadership

In Cyber Crisis Response, my co-author and I distilled these hard-won lessons into a simple but powerful framework — the SONAR Method™. It’s a model I return to every time there’s a crisis, and it is built from real-world experience:

  • Stabilize: Immediately contain the situation and regain control of critical systems.
  • Organize: Assemble the right people with the right expertise — quickly.
  • Negotiate: Balance the conflicting priorities of executives, legal, regulators, customers, and technical teams.
  • Articulate: Communicate clearly and regularly with all audiences, internally and externally.
  • Remediate: Execute a disciplined recovery plan that closes security gaps and restores business operations.

Having been in the trenches for more than two decades, I’ve learned that effective leadership during a cybersecurity crisis isn’t about hoping for the best — it’s about preparing for the worst. And like any discipline, it can be taught, practiced, and refined.

Stabilize First — Leadership Under Fire

Every crisis begins the same way: with uncertainty and disorder. That’s why the first step is always to Stabilize. You won’t have perfect information, but you must regain control. Whether isolating compromised systems, containing adversaries, or protecting critical infrastructure, leaders must shift — temporarily — from collaboration to decisiveness. In a true crisis, there is no time for endless debate. Someone has to make the call, and as a leader, that someone is you.

Next, it’s important to know that it’s OK, and perhaps even necessary, to act like a dictator when a crisis hits. In that scenario, there isn’t a lot of time for consensus, opinion, or discussion — you’re under attack! Those thoughtful, collaborative traits usually are highly desirable for a leader, but remember that the first step is to right the ship — stabilize things immediately before the crisis spins out of control.

It’s also vitally important that leaders remember that the number one priority will always be human life and safety. Fortunately, cybersecurity attacks don’t often evolve to that level of peril, but when they do, that has to be your guiding principle. So if you have someone stuck in an elevator, your concern isn’t the ransomware that’s controlling the system that guides the elevator’s behavior. It’s about getting the person out of the elevator. Call 911, call the fire department, and get that process started. Then you can figure out, “OK, what are the next steps we need to do, from a technical standpoint?”

Organize and Negotiate — Teams Win Crises 

So let’s say you’ve stabilized the immediate situation. What next? It’s imperative that leadership quickly shift to the next two actions: Organize and Negotiate. This is where teams matter most. It’s easy to overlook in the heat of the moment, but no leader, no matter how seasoned, can recover alone. Success depends on assembling the right people, fast — technical experts, legal counsel, communications, and business leaders — and aligning them behind a common goal.

Negotiation here doesn’t just mean external actors. It means balancing the competing priorities inside your own organization. The CEO wants business continuity. The legal team is focused on liability. Regulators expect timely disclosures. Every crisis involves conflicting agendas. Your job is to reconcile them without losing momentum.

Articulate Clearly — Communication Is Nonnegotiable

The fourth step, Articulate, is one of the most underestimated. Communication is not a soft skill in a crisis — it is an operational necessity. Too many leaders freeze, default to “no comment,” or speak too soon without facts. In my experience, it is always better to admit what you don’t yet know than to risk damaging trust.

Customers, employees, regulators, partners — they don’t expect instant solutions, but they do expect accountability. Acknowledge the problem, commit to fixing it, and provide regular updates. Silence invites speculation. Worse, it can permanently damage the credibility of the entire leadership team.

Remediate — and Make Sure You Can

Crisis recovery is not just about technical remediation; it’s about regaining confidence across the business. I’ve seen organizations unable to execute basic response plans because they stored the only copy of their documentation on the very systems now encrypted by ransomware. In my early days, we solved this the old-fashioned way: laminated wallet cards with key contacts and protocols. Today, it’s about building resilient playbooks and practicing them under real-world conditions.

The fifth and final pillar, Remediate, is where leaders shift from response to recovery. This means fixing what’s broken but also ensuring the business is better prepared for the next inevitable incident. It’s the difference between surviving and emerging stronger.

Leadership After the Headlines

Surviving a cyberattack is one thing; leading through the aftermath is another. The best leaders take ownership, foster accountability, and conduct open, blame-free reviews to improve. They rebuild trust with boards, customers, and teams by demonstrating that the crisis wasn’t just endured — it was learned from.

What sets great crisis leaders apart isn’t just technical prowess. It’s the ability to make decisions under pressure, communicate with integrity, and enable teams to adapt and act without hesitation.

Because when the next call comes — and it will — true leaders lead.
Want to learn more about what Chris has to say? Check out his full-length Threat Vector Podcast here.