Maintaining Composure: Effective Emotional Regulation in Security Incident Response


Emotional regulation, a crucial skill in the cybersecurity field, is the ability to manage and respond to emotional experiences in a healthy and effective manner. It involves recognizing emotions, understanding their triggers, and employing strategies to cope with and express these feelings constructively. This skill enables individuals to maintain a balanced emotional state, even in challenging situations, and empowers us to exercise discipline and self-restraint in pursuing our goals. 

The ability to remain calm and composed during an incident response is critical to a successful recovery. Yet, it’s challenging to do in practice if you’re unprepared. Written plans and procedures are great (and necessary for compliance). Still, execution is the hardest part, where human emotions often get the better of security teams and their partners across the business. Allowing organizations to accept all security incidents as “crises” by default excuses chaos. Are they stressful? Sure. Embarrassing? Sometimes. But in my experience, it’s not a crisis until or unless you mess up the response. 

Our network engineering, SRE, and infrastructure colleagues don’t panic every time something goes wrong – they plan for it in staffing, tooling, and failsafe procedures under the daily pressure of keeping services online. They understand most of the internet is held together with duct tape and chewing gum, and they’re under no delusion that a month of games and guest speakers once a year will change company culture. Perhaps this is why many of them are excellent security and privacy engineers.

Imagine a scuba diver at depth, exploring a colorful reef, abandoned shipwreck, or underwater cave. Suddenly, equipment failure occurs, or they lose sight of their dive buddy. Panic can lead to rapid breathing, increased air consumption, and potentially fatal mistakes. The diver must instead rely on training, regulate their emotions, and execute a well-rehearsed plan to safely resolve the situation, often when ascending to the surface is not an option. Even at the most fundamental levels of training, we teach new divers how to safely navigate situations that might appear quite serious to an untrained observer – things like running out of breathing air or experiencing nitrogen narcosis. If you know how to handle these situations properly, they never escalate to a crisis level. 

Similarly, the immediate response can dictate the overall impact when a cybersecurity incident occurs—whether it's an accidental data leak, responsible disclosure debate, crypto heist, or supply chain attack. A panicked engineer or executive is equally capable of making hasty decisions that exacerbate the issue. Conversely, one who remains calm can methodically assess the situation, coordinate with the incident response team, and implement an effective strategy to minimize impact. In many cases, incidents are valuable opportunities to reinforce company values and build stakeholder trust.  

The principles for incident response in cybersecurity are strikingly similar to the lessons taught in scuba diving. Executives must manage their stress and emotions to lead their teams effectively. Here are some recommendations for cultivating emotional regulation and self-restraint during cybersecurity incidents:

  1. Preparation and Training: Conduct incident response drills to ensure that all team members, including executives, are familiar with protocols and can perform under pressure. Decide as an organization in advance the values and characteristics you want to exemplify during an incident. This helps eliminate conflicts between functions and individuals about the level of transparency, empathy, and accountability expected during decision-making. Training should also include stress management techniques. The best way to ensure everyone practices the procedures frequently is to align your IR plans with daily operations. For example, the process for developing and publishing security content on your website should include the same technical, communications, business, and legal experts who would review public statements about an incident because it impacts the same stakeholders. Form the cross-functional relationships and use the appropriate tooling now so that everyday operations reinforce your IR procedures. Familiarity also reduces emotional and cognitive pressure when it matters most.

  2. Mindfulness and Stress Management: Incorporate mindfulness practices such as meditation, deep breathing exercises, or even physical activity into your routine. These practices can enhance your ability to stay calm and focused during high-stress situations. It’s not uncommon for me to ask someone to walk around the block before joining a call or meeting to help them focus on the task at hand. In scuba diving, avoiding panic is critical for conserving breathing air, but also to help you think clearly when you’re (literally) under pressure. Likewise, in security, if your hair is on fire, it’s easy to misuse resources or make mistakes in judgment. I’m a big fan of 1-3 minute meditations before crucial conversations to ensure my emotions don’t hijack my goals.  

  3. Clear Communication: Develop a communication plan that outlines how information is disseminated during an incident – not just publicly but also inside your organization. If your lead attorney or customer support director is on vacation, does the security team know who to contact next? Does that individual already know the plan because it’s detailed and not a generic checkbox for compliance, or do we have to get them up to speed while also hoping their unfamiliarity with the process and subject matter doesn’t throw a wrench in the organization’s ability to respond quickly and in line with its values? Clear, composed communication about roles and responsibilities and the state of an investigation can prevent misinformation and ensure everyone is on the same page.

  4. Support System: Build a support network of trusted colleagues, mentors, and mental health professionals. Having someone to talk to can help process emotions and maintain perspective. You don’t need to disclose nitty-gritty details of an incident to find understanding from someone who cares about you, who can help lighten the mood, or cover other responsibilities while you temporarily focus on the incident. I wrote previously about relational sources of resilience based on an excellent article from Harvard Business Review. Paying attention to these relationships now is an investment in your mental health and professional development — don’t wait for an employer to do this for you, or you’ll be waiting forever. 

  5. After-Action Reviews: Conduct thorough reviews after each incident to identify what went well and what could be improved. Use these insights to refine your incident response plan, enhance your team's preparedness, and improve your daily operations. If something isn’t working in your IR procedures, it likely isn’t working when you’re not under pressure, either. The relationships, tools, and protocols we can use during an incident are shaped by the ones we exercise daily. 

The ability to regulate emotions and exercise self-restraint is crucial for incident response. Just as scuba divers rely on these qualities to navigate emergencies, cybersecurity professionals must do the same to protect their organizations from unforced errors. By fostering these skills, executives can lead their teams with confidence and resilience, ensuring a robust and effective response – and recovery.
