Crisis Management Team (CMT) Roles: Who Does What in a Tabletop Exercise?
In a real crisis, unclear ownership burns the first hours: duplicate commands, missed legal holds, or comms flying before facts exist. Tabletops exist partly to rehearse who decides what before adrenaline does it for you.
Below is a concise map of common CMT roles in cyber exercises. Use it to assign seats before the first inject—not when everyone is already talking at once.
Reference visuals below match role cards used in our exercise UI.
1. The Board of Directors

Primary Responsibility: Governance, Risk Oversight, and Strategic Guidance.
The Board isn't there to manage the incident. They are there to ensure the business survives it. In a tabletop exercise, the Board representative (or the person playing them) should focus on:
- Risk Tolerance: Defining what is an acceptable loss.
- Fiduciary Duty: Ensuring decisions protect shareholder value and the organization's long-term viability.
- Executive Support: Empowering the CEO to act.
Key Question: "Does this response align with our corporate values and risk appetite?"
2. Chief Executive Officer (CEO)

Primary Responsibility: Ultimate Decision Authority and Public Face.
The CEO is the captain. They don't steer the ship, but they set the course. They are responsible for:
- Final Calls: Making the hard decisions when consensus fails (e.g., "Do we pay the ransom?").
- Business Continuity: Deciding when to trigger BCP/DR plans.
- Stakeholder Management: Managing key relationships (Board, major investors, key partners).
Key Question: "What is the business impact of this decision?"
3. Chief Information Security Officer (CISO)

Primary Responsibility: Incident command, technical assessment, and containment strategy.
The CISO establishes the factual picture for the rest of the CMT. They translate technical detail into business risk. Their duties:
- Situation Report: Telling the CMT what is happening, what is impacted, and what is at risk.
- Containment & Eradication: Leading the technical response to stop the bleeding.
- Forensics: Preserving evidence and determining the root cause.
Key Question: "How do we contain this while minimizing business disruption?"
4. Chief Financial Officer (CFO)

Primary Responsibility: Financial Impact Analysis, Funding, and Insurance.
Cyber incidents are expensive. The CFO manages the money. In an exercise, they should:
- Budget Approval: Authorizing emergency spending for IR firms, hardware, or overtime.
- Ransom Payment: Managing the mechanics and financial implications of a potential payment (if legal).
- Insurance: Coordinating with the cyber insurance carrier and understanding coverage limits.
- Regulatory Filings: Handling financial disclosures (e.g., SEC 8-K).
Key Question: "What is the financial exposure, and do we have the liquidity to handle it?"
5. Legal Counsel

Primary Responsibility: Liability Management, Regulatory Compliance, and Privilege.
Legal is the guardrail. They ensure the response doesn't create more problems than the attack itself.
- Privilege: Establishing Attorney-Client Privilege for incident communications.
- Notification: Determining who must be notified (regulators, victims) and when, based on laws (GDPR, HIPAA, state breach laws).
- Liability: Advising on the legal risks of decisions (e.g., paying a sanctioned entity).
- Contract Review: Reviewing vendor contracts for breach clauses.
Key Question: "What are our legal obligations, and how do we minimize liability?"
6. Communications & Public Relations

Primary Responsibility: Reputation Management, Internal/External Messaging.
The narrative can be more damaging than the hack. PR controls the story.
- Internal Comms: Keeping employees informed without causing panic.
- External Comms: Drafting statements for the media, customers, and partners.
- Media Monitoring: Watching social media and news for leaks or rumors.
- Spokesperson Prep: Preparing the CEO or designated spokesperson for interviews.
Key Question: "If this is tomorrow's headline, how does our statement read?"
7. External Stakeholders

Primary Responsibility: Support, Enforcement, and Partnership.
These aren't internal employees, but they are critical players in the room (or on the phone).
- Regulators: CISA, FBI, SEC, HHS, etc.
- Law Enforcement: Local FBI field office or cyber task force.
- Partners/Vendors: MSPs, SaaS providers, or supply chain partners.
- Cyber Insurance: Breach coach and claims adjusters.
Key Question: "Who outside the organization needs to know, and what help can they provide?"
Before you start the clock
Clarity beats headcount. Better eight people who know their lane than fifteen improvising each other's jobs. Agree on who speaks for technical truth, legal risk, money, and narrative before the scenario starts.
Related Reading
- Executive Cyber Crisis Drill: Board-Ready Simulation Guide — how to structure a drill where these CMT roles actually get tested.
- Executive Cyber Drill vs. Technical Incident Response — why CMT seats and SOC seats shouldn't share the same session.
- Incident Response Tabletop Exercise: Complete Guide — the broader IR tabletop format these roles plug into.
- How to Run Your First Cyber Tabletop Exercise — end-to-end prep if this is your first time seating a CMT.