"One: What type of crisis are you dealing with? Two: Who are you going to have in the room," Nicola Hudson said. "And three: Understand responsibilities and trust each other, everyone needs to know what they are doing, no second guessing or getting angst ridden when you are tired and four days in."
Three concise pillars for a crisis playbook, from Brunswick's Nicola Hudson
At Infosecurity Europe 2026 on June 3, Hudson — partner and global cyber practice co‑lead at Brunswick and previously director of policy and communication at the National Cyber Security Centre (NCSC) — argued that an effective cyber crisis playbook should be short and built around three focused components. She emphasised: identify the type of crisis; decide who must be in the room; and make responsibilities explicit so people trust one another under pressure. In Hudson’s formulation, brevity and clarity matter more than voluminous documentation.
Playbooks don't fail because of technology — they fail because reality diverges
Ashish Shrestha, CEO of Zyn Global and former group CISO of Jaguar Land Rover (JLR), put the operational problem bluntly: "Playbooks don’t fail because of technology, they fail because reality doesn’t follow a script." He described the war‑room dynamic where "the information coming to you is not just changing in minutes, sometimes it’s contextless and in fragments," and framed the leadership task as correlating those fragments to decide next steps. That mismatch between written plans and unfolding, fragmentary data is the chief practical challenge leaders must plan to manage.
What survives in communications: process, not prewritten statements
Hudson warned against the illusion that a communications playbook can contain every statement an organisation might need. "What doesn’t survive in communications is a playbook with every statement you want to do. You have no idea what’s going to happen or what the threat actor will do," she said, adding that response guidance must be a living document: "It’s a live crisis communications playbook and you are tweaking it as you go along." Her point was procedural: an organisation that has agreed decision rights and an explicit process can update messages in real time without internal paralysis.
Managing people during a technology crisis: rostering, rest, and basic needs
Speakers at the keynote underlined that cyber incidents are human endurance events as much as technical problems. Shrestha urged leaders to bake human resilience into plans: track how long people have been working; document required downtime; and provide practical support so responders stay effective. "Make sure they eat well. Make your they have a hotel to stay in. Make sure they have time to go home!" he said, describing measures used while responding to a major incident involving JLR in 2025. He noted a roster practice: "We had a roster than said you are staying offline at this time," and concluded bluntly, "It’s an ultra‑marathon so you need resilience."
How technologists, business leaders, and responders will act
- Technologists and security teams: expect to work from fragmentary, fast‑changing information and to rely on concise playbooks that prioritise decision rights and processes over exhaustive scripts, as Hudson and Shrestha described.
- Business and communications leaders: focus playbooks on identifying crisis type, assembling the right room, and establishing trust and clear responsibilities so messages can be adapted live rather than pulled from a prewritten list of statements.
- Responders and employees: anticipate operational provisions for human resilience — rostering to enforce downtime, catering and accommodation, and explicit documentation of who must stay offline and when, practices Shrestha said were used during JLR's 2025 incident.
Speakers at Infosecurity Europe 2026 distilled a simple but exacting prescription: shorten the playbook, harden the process, and protect the humans executing it. The conversation shifted attention away from hypothetical statements toward day‑to‑day logistics and decision discipline — the things that "survive" when an incident stretches into days. Will organisations move those human protections from afterthought to standard practice before the next major incident? The answer will determine whether the next response is a managed operation or an improvised endurance test.
