I’ve given a lot of executive briefings during active ransomware incidents. Early in my career, I led with what I knew best — the malware family, the TTPs, the attribution confidence level, the affected systems. Executives would listen politely and then ask the questions they were going to ask anyway: Can we still process payroll? Will this trigger our SEC disclosure obligation? Who do I call? I learned to stop making them wait for those answers.
Executives in a ransomware incident need three things, in this order. First: operational status — can the business continue to function, and for how long? Second: bounded worst case — what’s the maximum credible damage to revenue, reputation, and regulatory standing if this goes badly? Third: the next owned decision — what do they personally need to decide, and by when, to keep options open? Threat intelligence is the supporting evidence for those three answers. It is not the briefing itself.
The mental model shift for technical leaders is counterintuitive: you have to work backward from the executive’s decision, not forward from the technical finding. The same set of facts about a Cobalt Strike beacon looks completely different depending on whether the question is “do we activate our cyber insurance” or “do we disclose to the SEC within four days.” Different question, different framing, different technical details worth surfacing. Figure out which decision is on the table before you walk into the room.
The thing that took me longest to learn: in an active incident, the executive’s job is to make good decisions under uncertainty, not to understand the technical situation fully. Your job is to give them the best possible input for those decisions, not to educate them on the threat landscape. Those are different jobs. When you confuse them — when you spend twenty minutes explaining how the ransomware’s encryption scheme works — you’re serving your own need to be understood, not their need to make a call. The briefing that ends with a clear decision is the successful one. Everything else is interesting.