If there’s an intrusion or a ransomware attack on your company, will your security team come out swinging, ready for a real fight? CISOs may feel their staff is always primed with the technical expertise and training they need, but there’s still a chance they might freeze up when the pressure is on, says Bec McKeown, director of human science at cybersecurity training platform Immersive Labs.

“You may have a crisis playbook and crisis policies and you may assume those are the first things you’ll reach for during an incident. But that’s not always the case, because the way your brain works isn’t just fight or flight. It’s fight, flight, or freeze,” she says. “I’ve heard people say, ‘We knew how to respond to a crisis, but we didn’t know what to do when it actually happened.’”

McKeown is a psychologist whose research into high-risk/high-stakes industries has given her perspective on how humans react during crises. Her take isn’t merely theoretical. Security chiefs say they, too, have seen teams become paralyzed when responding to real incidents—including teams that had drilled for such events.

Problems mount when a team freezes

A delay in response, even if it’s only a few hours, can give bad actors more time to inflict damage and extend recovery time. It can also lead to increased response costs, possibly higher regulatory fines, and lost business.

Given the potential for such reactions, McKeown, analysts, and longtime CISOs say security leaders should anticipate that freeze response, incorporate practices to help minimize the chances of it happening, and develop strategies to identify and cope with it if it does indeed occur during an actual security event.

“You have to understand how you’re going to react in these times of crisis. You can develop skills in your people that can make them agile and help them react when they don’t have all the situational awareness.
It’s a psychological preparation,” McKeown says.

How and why teams become paralyzed

CISOs shouldn’t be surprised to hear that even well-prepared teams can have moments of paralysis; it’s just human nature, McKeown says.

She says sometimes responders may experience cognitive narrowing, where they’re so focused on the situation directly in front of them that they can’t consider the full circumstances—an experience that can stop responders from thinking as they normally would.

Niel Harper, an enterprise cybersecurity leader who serves as a board director with the governance association ISACA, witnessed a team freeze in response to a ransomware attack on his first day working with a company as an advisor. “They literally did not know what to do, even though they had some experience with [incident response] walkthroughs,” he recalls. “They were in panic mode.”

Harper says he has seen other situations where the response was stymied and thus delayed. In some cases, teams were afraid that they’d be seen as overreacting. In others, they were paralyzed with the fear of being blamed. And in still other incidents there were no team members who had experienced and worked through a real-world event, leaving no one who felt confident to lead. “All those issues, alone or combined, can lead to organizational freeze,” Harper says.

Chris Hughes, an adjunct professor with the School of Cybersecurity & Information Technology at the University of Maryland Global Campus, says he, too, has seen such a situation play out. He was working with a security team in a government agency that identified suspicious traffic, confirmed it as malicious and then—boom—hit a roadblock that stopped them from taking action.

The bystander effect

“It was a little bit of the bystander effect. They were assuming or hoping that a teammate would jump in and take a lead on this thing.
And no one really did; no one was stepping up,” Hughes says. It took a senior leader coming in “to jolt them out of their shock.”

On the other hand, experienced security chiefs say sometimes it’s executives who freeze, stuck in the feeling of “this can’t be true” and “this can’t happen to us” before becoming convinced over time that it’s real. “These freeze moments often happen when there’s a lot of fear—fear regarding how bad it is, how much it could hurt [the organization]—and when there’s a lot of uncertainty,” says Ed Skoudis, president of the SANS Technology Institute. “There’s all this information coming in, but teams don’t know what’s real or what’s not and what’s the best way to go. There’s a lot of doubt. And when there’s fear, uncertainty, doubt, or all three, it’s crippling. And it happens a lot, where organizations just don’t know how to proceed.”

Norman Kromberg, CISO of cybersecurity services firm NetSPI, has seen a team “get to a point where things have stopped.” He was a security leader at a company that declared an incident when malicious insider activity had been uncovered. His team had been working “full speed, all hands on deck” for nearly two weeks in response, with law enforcement, forensic experts, accountants, and the cyber insurance company also pitching in. Then his team hit a wall and couldn’t break through; they weren’t making any progress.

“I could hear on the status calls that they were snarly, short with each other,” Kromberg says, explaining that he believed the fatigue and pressure had his team in a holding pattern. “We weren’t able to advance the recovery process.”

How not to freeze

When he saw his team stuck and deduced the reasons why, Kromberg told everyone to go home.
“We were at a point where we could take that weekend off, and that included not just our team but the vendors, legal and law enforcement, too. We took the time off and we came back Monday and came back refreshed,” he says, adding that the responders were able to quickly move forward as a result.

He says that experience has taught him to plan for such moments in the future. He and others say CISOs everywhere should do the same, noting that they can incorporate various drills to help minimize the likelihood of teams becoming paralyzed.

First, ensure the basics. “CISOs can take a variety of steps to help prevent teams from going into freeze mode by developing incident response plans, training incident response teams, regularly simulating incidents, encouraging open communication, having a transparent chain of command, and having a precise risk management and incident management strategy,” says Philip Chan, an adjunct professor with the School of Cybersecurity & Information Technology at the University of Maryland Global Campus.

Security experts say CISOs should next examine their drills (which, of course, they should have and run regularly) and add elements that can help their teams better prepare for real events.

Prepare for the unexpected

“Bring up several new things that aren’t in your playbook,” McKeown says. That may mean having a worker deliberately make a wrong move—for example, one which completely shuts down a critical system—during the drill so the team can practice working through the unexpected or a devolving situation. Such practice, McKeown adds, builds agility and teamwork, which can help head off the finger-pointing and arguing that often arise during crises, locking up teams and hindering their ability to move forward fast.

Kromberg says he once held an unannounced drill after a midday Friday holiday party.
He was aware hackers know to plan their attacks when corporations may be the most vulnerable, so he wanted his team to practice for such a circumstance. In this case, he says the team had to learn how to quickly shift into high gear and work without key people who had already headed out on vacation.

McKeown, Kromberg, and others say CISOs and their security teams also gain muscle memory by holding practice drills that mirror real events as much as possible. That means starting from the beginning—such as the earliest warnings—and running the scenario through with hands-on simulations (versus a tabletop or walk-through type of training session).

“It’s more palpable when you get hands on keyboards, where you go through the actual motions,” says Hughes, who is also co-founder and CISO of Aquia, a firm specializing in cloud and cybersecurity professional services.

Use a countdown clock during drills

Skoudis says he has used a countdown clock during drills, which also gets teams used to working under the intense pressure they’d feel in an actual incident. “It’s awkward but you want practice being in that place so you’re building that muscle memory,” he says.

Others also advise CISOs to try to involve as many of the enterprise executives, other departments, and outside support that would be working in tandem with security, IT, and incident response to determine whether those additional participants would be the ones to become paralyzed.
“You may see other areas where things could freeze up, like if a CEO will [balk] at talking about financial information that’s needed during an incident,” Kromberg says.

CISOs should also consider how in a real crisis they can create channels for workers to bring forward solutions, says Thomas Randall, advisory director at Info-Tech Research Group and its SoftwareReviews division.

Randall notes that science has found humans don’t just respond to crises with fight or flight, they respond with fight, flight, freeze, or fawn (when people become overly helpful)—with the fawn response adding calm and possibly creative solutions to the crisis. “So, make sure colleagues feel comfortable enough to suggest a solution even in a stressful situation,” Randall says.

Allow for creative solutions

Teams may not have a lot of time to contemplate ideas during an actual incident, Randall adds, but it’s nonetheless important to have some conduit for offering and evaluating them on the fly, as those creative solutions may be the ones to lead teams up and over the roadblocks that get them locked up.

Another step CISOs can take to help avoid those freeze-up moments: Hire workers who have experience working through breaches and hacks and/or contract with outside incident response teams who do this work regularly.

Harper says security chiefs shouldn’t underestimate the value of such experience; he says those who have worked through crises develop muscle memory that keeps them calm and lets them shepherd others through the stickiest parts that stump inexperienced workers.