When a major cyber incident hits, leadership, not technology, becomes the critical control.
Drawing on experience from the Medibank breach, Alex shares practical lessons on supporting organisations through crisis, navigating uncertainty, and leading the long recovery that follows a large-scale, public cyber incident.
Crisis leadership starts with clarity and composure
In a major incident, the CISO becomes the central translator between technical reality and business decision-making.
Organisations look to security leaders for direction under extreme pressure. Poor communication or visible panic can amplify risk beyond the incident itself. Alex describes the early days of the breach: rapid escalation from “unusual behaviour” to confirmed compromise and public disclosure within days. His role quickly shifts to providing real-time, business-aligned updates, balancing urgency with calm while operating on minimal sleep.
Sustaining leadership requires structured support systems
Endurance, not just response, is critical during prolonged incidents.
Incidents last far longer than expected. Without structured support for leaders and teams, fatigue becomes a risk multiplier. Alex introduces two key mechanisms:
- Leadership rotation to ensure continuous coverage and minimum rest.
- “Twin CISO” model to split responsibilities across crisis management and business-as-usual operations.
These approaches double capacity and reduce burnout, allowing clearer decision-making.
Transparency builds trust under pressure
Honest, unfiltered communication is essential with boards, executives, and customers.
Leaders need accurate information to act. Over-simplifying or withholding detail damages trust and slows response. Alex outlines two principles:
- “No bullshit” – clear articulation of what is known and unknown.
- “No dumbing down” – use real language supported by explanation.
He emphasises mirroring internal and external communications to maintain consistency and credibility, even under scrutiny.
Playbooks break, adaptability wins
Major incidents quickly exceed predefined plans, requiring flexible thinking.
Rigid adherence to playbooks can limit effectiveness when facing unique, complex threats. Alex describes engaging multiple incident response partners with different methodologies, an
approach not in the playbook but critical for validating findings and building confidence in the response.
Supporting people is as important as resolving the incident
The psychological impact of incidents is significant and often overlooked.
Sustained stress, fatigue, and blame can destabilise teams and reduce effectiveness long after the incident ends. Alex shares practical steps: buddy systems, enforced breaks, and wellbeing support. He highlights the need to act as “a shoulder to cry on” for teams dealing with stress and uncertainty.
Recovery operates at multiple speeds over years
Post-incident recovery is a long-term, multi-phase effort requiring both rapid fixes and strategic change.
Organisations must address immediate vulnerabilities while planning deeper transformation, all while rebuilding trust. Alex outlines a dual-speed model:
- Fast-track remediation for urgent fixes.
- Long-term programmes for systemic improvement.
He also stresses the need for continuous assurance and proof, as public incidents create lasting trust deficits with stakeholders.
Major cyber incidents are not just technical failures, they are leadership tests that reshape organisations, teams, and culture.
Key takeaways:
- Crisis leadership hinges on clear, honest communication and the ability to translate technical risk into business impact.
- Sustained response requires structured support models, including rotations, shared leadership, and psychological care.
- Recovery is long-term and trust-driven, requiring dual-speed execution and continuous proof of improvement.