Security feels safest when everything is documented.

Procedures written.
Escalations mapped.
Controls defined.

It creates the illusion that risk is contained.

Until it is not.


During a live incident bridge some years ago, everything appeared controlled.

  • Alerts were triaged.
  • Containment actions were executed.
  • Escalations followed the documented path.

The team was performing exactly as trained.

And yet something felt incomplete.

No one, myself included at times, paused to ask whether the activity truly matched the scenario described in the procedure. The playbook was being followed, which is good, but what I realised was that the thinking was not evolving. In my opinion, that distinction matters more than most organisations realise.

Why? Well, because modern incidents rarely unfold exactly as documented.


The Comfort of Structure

I understand playbooks are essential as they create consistency, reduce operational chaos and provide clarity for analysts. They do help organisations scale.

Without structure, security becomes improvisation. But structure alone does not create resilience. A team trained only to execute steps may struggle when signals are subtle or when an incident sits between predefined categories.

Attackers do not align themselves to our documentation. They exploit assumptions. Structure gives us consistency. But consistency without curiosity quietly breeds risk.


When Small Decisions Become National Headlines

Consider the breach involving Optus.

Public reporting indicated that the compromise stemmed from an exposed API endpoint that did not require authentication. It was not a sophisticated exploit chain. It was a configuration oversight. Most organisations have documented configuration management processes. Risk registers exist. Access standards exist. Yet millions of customer records were exposed.

Large-scale cyber incidents often begin with small, overlooked decisions.

  • A setting left open.
  • A validation step assumed complete.
  • A risk accepted without challenge.

The documentation may have existed. But judgement did not intervene in time. When risk hides in ordinary settings, only proactive judgement prevents extraordinary impact.


The Illusion of Readiness

Many organisations measure readiness through:

  • Documented procedures
  • Defined severity matrices
  • Automation coverage
  • Mean time to respond

These metrics matter. But they measure procedural maturity, not cognitive maturity. A team can follow every step and still miss strategic risk.

The most dangerous incidents rarely look dramatic. They look routine. And routine is where complacency hides. Metrics can confirm activity, but they rarely confirm understanding.


Automation Is Not Accountability

In 2026, AI is embedded across security operations.

  • It enriches alerts.
  • It correlates telemetry.
  • It reduces noise.

But it does not own risk.

  • It does not interpret business consequence.
  • It does not decide when uncertainty justifies escalation.
  • It does not sit before regulators or boards.

People do. If organisations scale automation faster than they scale judgement, exposure grows quietly.

The tooling becomes advanced. The thinking remains average. Technology accelerates response. It does not assume responsibility.


Moving Forward: What Must Change in 2026 and Beyond

If playbooks are not enough, what is? The answer is not fewer processes. It is stronger decision capability. In my opinion, security leaders should focus on five priorities.

1. Train for Ambiguity, Not Just Scenarios

Most tabletop exercises simulate clean, defined events.

Real incidents are messy. In 2026 and beyond, organisations must run exercises where:

  • Information is incomplete.
  • Signals conflict.
  • Impact is uncertain.
  • Decisions must be made without clarity.

Judgement strengthens only under uncertainty. Confidence in ambiguity is what separates functional teams from resilient ones.


2. Measure Analytical Depth, Not Just Speed

Fast containment is valuable. But speed without understanding creates repeat exposure. Metrics should evolve to include:

  • Quality of root cause analysis.
  • Depth of hypothesis testing.
  • Post-incident learning maturity.
  • Evidence of challenged assumptions.

Resilience is built through insight, not velocity alone. Speed protects the moment. Insight protects the future.


3. Build Technical Curiosity Into Culture

Leaders must reward questioning. Analysts should feel safe to say:

  • This does not feel right.
  • This behaviour is unusual.
  • We need to look deeper.

Silencing curiosity in favour of efficiency weakens defence. Curiosity is not inefficiency. It is preventative defence.


4. Redefine Automation Strategy

Automation should:

  • Eliminate repetitive work.
  • Provide enriched context.
  • Highlight anomalies.

It should not:

  • Replace critical thinking.
  • Mask uncertainty.
  • Create blind confidence.

Automation must amplify judgement, not substitute it. Tools should reduce friction, not reduce thinking.


5. Develop Risk Translators

Security maturity is not just technical capability. It is the ability to translate weak technical signals into business risk language. In 2026, the strongest security leaders (me included) will be those who can:

  • Detect subtle anomalies.
  • Assess business impact rapidly.
  • Communicate uncertainty clearly.
  • Enable informed executive decisions.

That is not procedural skill. That is leadership capability. The strongest security leaders are those who can convert weak signals into decisive action.


The Real Shift

Playbooks are foundational. But resilience lives in people.

Large incidents do not occur because documentation is absent. They occur because judgement is underdeveloped, assumptions go unchallenged, and small decisions are not scrutinised deeply enough.

Security in the coming years will not be defined by who has the most automation. It will be defined by who builds the strongest decision-makers.

Playbooks create operational stability. People create strategic resilience.

And resilience is what security leadership is ultimately accountable for. In the end, security is not defined by the documents we write, but by the decisions we are willing to make.

Because cybersecurity isn’t just a practice. It is a reflection of character.
