Crisis Response for Startups: When It Goes Beyond Cyber
Most startup crisis plans are cyber-only: written by security, for security, assuming the systems stay up. Then a missile lands near your office. The fix is one inverted assumption, command first and cyber second, and three things you can do this week.

Most startup incident-response plans are written by the security team, for the security team. They assume the systems are up, the on-call engineer is reachable, and the worst thing that can happen today is a breach.
Then comes a crisis that has nothing to do with a computer. It is physical, it is fast, and it puts your people in real danger. And the plan you paid for, audited and framework-aligned, has nothing to say.
It is the most common structural failure I found building crisis plans for startups with people in the field, and it comes from one inverted assumption. Here is how to fix it.
Your security team wrote a plan for the systems. Nobody wrote one for the people.
The claim, stated plainly: for any company with people in a threat environment, life-safety command is the anchor and the cyber response is the add-on. Not the other way around.
You might think this only applies if you have people in obvious danger zones. It doesn’t. Even a fully remote, knowledge-work company has people, and people are exposed in ways a server never is. If anything the case is stronger when your risk concentrates in a few single-point-of-failure employees, the ones who hold the keys, the context, or the relationships nobody else has. The more your company depends on specific humans, the more an intelligence apparatus and a real crisis plan matter, because losing one of them, for any reason, is itself the incident.
Most teams build it backwards. They start from a cyber standard like NIST 800-61 or ISO 27035 and bolt physical and geopolitical response on afterward, usually a paragraph titled “Physical Security” that nobody has ever exercised. But a cyber framework cannot command an evacuation. It has no concept of life-safety, of logistics, or of who is legally responsible for the person on the ground. The structure that does is the Incident Command System, the same one FEMA and every US fire department use to run a disaster: one Incident Commander in charge, with operations, logistics, communications, and outside-agency liaison beneath them and life-safety as the overriding priority. The training is free, self-paced, and runs about two to three hours (FEMA’s IS-100 and IS-700), and it scales down, so at a forty-person company one person can own several roles at once. Your security program isn’t wasted. It just needs a better foundation: command on top, the cyber playbook underneath.
The keystone: a tripwire ladder
If you keep one page of this entire plan, keep this one.
Most plans list “decisions we will need to make” and stop there. They never define the thresholds that force the decision. So in the moment, under time pressure and on no sleep, one person has to both notice the situation has changed and decide what to do about it. That is exactly when human judgment fails. Aviation learned this the hard way: the crashes that produced Crew Resource Management in the 1970s happened because a junior officer would not challenge a captain who was wrong.
The fix is a posture ladder. GREEN, AMBER, RED, with the triggers decided in advance. You decide in calm, and you bind the panicked version of yourself six months from now. A few rules make it work:
- Score the threat and the response on two separate tracks. The likeliest disruption is not a strike on your office, it is infrastructure: power, connectivity, a closed border. Give it its own track.
- Each rung is a material condition, not a color. At AMBER, specific things are already done: coverage confirmed in force, a secondary connectivity path live, non-essential travel frozen. The posture is auditable, not aspirational.
- Anchor triggers to impact, not headlines. NATO’s Article 5 has been invoked exactly once in history, after 9/11, and commits no member to anything automatic. By the time a treaty-level event fires, you have been in crisis for weeks. Anchor instead to things you can measure: a strike within a defined radius, targeting of your sector, a regional infrastructure failure, an insurance clause flipping.
- Build a way back down. A ladder that only climbs is a one-way ratchet into expensive, exhausting, permanent high alert. Name how you stand down.
Each rung carries a named owner, a pre-approved budget, and an automatic trigger that fires without a re-vote. This page is your cold-start card: the one sheet you can hand a new hire mid-crisis so they act correctly in sixty seconds.
Push authority to the edge
A command chain that escalates up the org chart fails the instant the comms go dark. Invert it.
Give the person on the ground default-delegated authority. The country or site lead already holds the power to shelter, evacuate, and spend up to a cap. Headquarters can revoke or override; it does not need to grant. Sign that delegation in peacetime, with Legal and the CEO on it, so a blackout-day evacuation is pre-authorized rather than improvised over a satellite phone.
Pair it with distributed stop authority: any single team member can trigger shelter-and-escalate on their own, and a stop that turns out to be unnecessary is rewarded, never punished. A bad feeling is reason enough to take cover and raise the alarm; you can always stand back down. The US Navy runs its carrier flight decks this way. Any sailor, whatever their rank, can halt operations if they see a hazard. The cost of a false stop is trivial next to the cost of the warning nobody felt safe to raise.
Three more disciplines, briefly
A few load-bearing pieces the cyber-only plan skips. You will not run these yourself, but you should know to demand them.
- PACE every role and every channel. Primary, Alternate, Contingent, Emergency. “A person and a backup” fails when both are on the same plane. Your comms plan needs the same depth: collaboration tool, then SMS or an encrypted app, then an out-of-band call tree, then satellite. A different carrier at each step.
- Intelligence is a discipline, not a vibe. Open-source chatter, and a team member’s bad feeling on the ground, are your tripwire: fast, noisy, and that is exactly what they are for. A single weak signal is enough to step from GREEN to AMBER, where the moves are cheap and reversible. It is not enough, on its own, to trigger an expensive, irreversible call like an evacuation. That takes corroboration from paid feeds and on-the-ground contacts. The signal earns a higher posture; it does not get to spend the big money alone.
- Exercises are scored discovery, not theater. A tabletop with no executives in the room and nothing concrete to score against just manufactures confidence, which is the most dangerous output there is. The exercise’s job is to break the plan and find the date it expires, then turn every gap into a funded action item with an owner.
The part with your name on it
Every other section is about the company. This one is about you, personally. When someone gets hurt on a trip you authorized, the questions get sharp fast and they are about you: who was allowed to order the evacuation, which legal entity owed that person a duty of care, whether your home country’s liability law even reaches a death abroad (the UK’s Corporate Manslaughter Act, notably, does not). Resolve those facts cold, in writing, before you ever need them, put a rough dollar figure on the exposure, and bind your insurance before the threat is visible, because war-risk and political-violence coverage gets repriced or pulled the moment a region turns hot. NotPetya is the cautionary tale: when that malware tore through global companies in 2017, insurers denied the claims under “act of war” exclusions, and both Mondelez (a loss north of $100 million) and Merck (a roughly $1.4 billion fight through the New Jersey courts) found the hole in their coverage after the incident, the worst possible moment to find it.
The seven ways these plans fail
To make the whole design concrete, here are the failure modes it is built against:
- Assumption collapse. The plan assumes systems, comms, and people are all available. Real incidents break all three at once.
- Documentation-reality gap. It cites systems, routes, and clauses that quietly went stale.
- Decision-authority fracture. No single empowered commander. Security, IT, Legal, and Comms each act off their own queue.
- Exercise-reality disconnect. Tabletops build false confidence because the consequences are hypothetical.
- Ownership misalignment. Security owns the plan; the business owns the consequence and is not in the room.
- Insurance-exclusion blindness. Nobody read the war and cyber exclusions before the incident. See NotPetya, above.
- Multi-hazard scope failure. A cyber-only plan has no trigger for a simultaneous physical threat. And a single-country, single-provider concentration is a live structural wound, not a backlog item. When Russia invaded Ukraine in February 2022, conflict-exposed equities fell as much as 45 percent in a single trading session. Concentration is fine right up until the day it is catastrophic.
Where to start
You do not need a vendor or a budget to begin. This week:
- Stand up command. Name your Incident Commander and core roles, give every role a backup, and have the team complete the two free FEMA courses.
- Draft the tripwire ladder. One page. GREEN, AMBER, RED, impact-based triggers, the material conditions each rung requires, and a way back down. Then declare your current posture.
- Sign the delegation. Get the on-the-ground-authority statement signed by Legal and the CEO while everything is still calm.
Everything else, the quantification, the intel feeds, the insurance review, the first scored tabletop, builds on those three. A command structure, a one-page tripwire, and a signed delegation. That is already more than most companies have the morning the crisis actually starts.
And reading this is not the same as being prepared. Preparation is those three things, done, on a calendar, with names attached. A plan that lives only in your head loses to the one that is signed.
This is the short version. The full guide has the rest: the strategy, the build sequence, the templates, the gap-analysis instrument, and the worked checklists for every section above.
If your company has people in the field and you want to pressure-test your own plan, book a call with me. I am happy to talk it through and share the full guide. You can also reach me on X or LinkedIn.
Sources
- NIST SP 800-61 Rev. 3 (published 2025-04-03; Rev. 2 withdrawn the same day)
- FEMA NIMS / ICS components and FEMA IS-100.C
- NATO Article 5 (invoked once, after 9/11)
- Crew Resource Management origins
- High-reliability organizations and “deference to expertise” (the carrier “foul deck”)
- UK Corporate Manslaughter and Corporate Homicide Act 2007 (s.28 jurisdiction)
- NotPetya insurance litigation: Mondelez v. Zurich (settled Nov 2022) and Merck v. ACE American (2021 trial, 2023 appeal, 2024 settlement)
- Markets on the Russian invasion, Feb 24 2022 (conflict-exposed equities down ~45% intraday)