What to Do in the First 24 Hours of a Corporate Security Crisis

By Kenneth Wilson · Wilson Global Protection Group

The First Hour Is the Most Expensive

When a corporate security incident breaks, the instinct in most organizations is to manage the information. Who knows? What do we say? Who gets notified first? That instinct — however natural — is the wrong frame, and acting on it in the first sixty minutes is how manageable situations become catastrophic ones.

The pattern is consistent across incident types: most crises aren’t unsurvivable because of what happened. They’re unsurvivable because of what the response looked like in the first hour. Legal exposure solidifies when statements are made before facts are verified. Reputational damage compounds when communication is inconsistent across stakeholders. Principal safety deteriorates when physical security is treated as secondary to messaging. And once those dynamics are in motion, they accelerate.

The first hour is expensive not because corporate security crises are inherently unmanageable — but because the decisions made in that window carry the longest tail. Response quality at minute five predicts outcomes at hour forty-eight. Every organization thinks this is a problem for someone else until it isn’t.

Establish Command, Not Chaos

The single most common failure in corporate crisis response is the absence of a clear command authority. In organizations without dedicated executive protection infrastructure, crisis ownership defaults to whoever is loudest, whoever is most senior in the room, or whoever picks up the phone first. None of those criteria produce effective crisis management under pressure.

A dedicated EP team establishes command structure before any incident occurs. There is no ambiguity about who leads the protective response, who manages internal communications, who interfaces with law enforcement, and who controls access to the principal during an active threat. That structure is documented, rehearsed, and understood by every person who will be expected to activate it. Our crisis management services are built around designing exactly that architecture for corporate clients before they need it.

The difference between a controlled crisis and a cascading one is typically fifteen minutes. In a cascading crisis, the first fifteen minutes are consumed by determining who is in charge. In a controlled one, that decision was made months earlier — and the first fifteen minutes are operational.

Secure the Principal First, Then Communicate

Order of operations matters. Under pressure, most organizations invert it.

The correct sequence when a corporate security incident involves a principal: physical security first, then medical triage if warranted, then family notification, then corporate communications. Every step in that sequence has a logic. Physical security because an unresolved threat remains a threat regardless of what the communications team is drafting. Medical triage because time-sensitive injuries do not wait for approval chains. Family notification because principals expect it, and the absence of it creates compounding distress during an already difficult situation. Corporate communications last — because everything the communications team says should be verified, and none of it should be said before the principal is secure.

The pressure to communicate early — from boards, from general counsel, from incoming media inquiries — is real. It is also not a reason to speak before the situation is controlled. An EP team’s job is to hold that sequence against external pressure. That is often the hardest part of the work, and it is not optional.

The Information Problem

In the first twenty-four hours of a corporate security incident, you will not have complete information. You will have fragments, conflicting reports, assessments that turn out to be wrong, and sources with incomplete situational awareness. That is not a failure of your intelligence infrastructure — it is a property of every real incident. Expecting complete information before acting is not discipline; it is paralysis.

The question is not how to have complete information. The question is how to make accurate decisions with incomplete information while holding the door open to update those decisions as the picture clarifies. EP professionals apply a consistent operating principle for information triage: act only on what is verified, escalate immediately what is credible but unverified, and hold everything else until it resolves. The category that demands the most discipline is “credible but unverified” — it is where premature action and premature dismissal both cause damage.

A security risk assessment conducted before an incident is the best preparation for this problem. Organizations that have mapped their threat environment in advance — key adversaries, likely attack vectors, the relationships and travel patterns that create exposure — are better positioned to evaluate incoming information against a baseline. Organizations with no prior assessment are evaluating everything against nothing, which slows every decision in the first critical hours.

Working with Law Enforcement

A corporate EP team and law enforcement are not the same function, and they should not try to be. Law enforcement investigates, detains, charges, and maintains public order. An EP team protects the principal and manages the client’s operational and reputational continuity during and after an incident. These missions are complementary — but they are not identical, and treating them as identical creates friction at exactly the moment when friction is most costly.

Effective coordination means parallel operation: the EP team maintains its protective posture independent of law enforcement timelines, and law enforcement receives the cooperation it needs without being handed the client’s internal communications architecture or crisis response decisions. Information flows in directions that serve both functions. Media contact stays clearly assigned — law enforcement handles public statements about the incident; the EP team does not.

For New York-based operations and corporate environments with established law enforcement relationships, these protocols can be pre-built. Cold introductions made during an active incident are slower and more error-prone than relationships established in advance. A professional EP provider should already know who to call and how to operate alongside them.

The Post-Incident Window: Hours 12–24

When the immediate threat is neutralized, the work is not over. The post-incident window is where incidents that appear resolved resurface — at hour 72, at the next board meeting, in the litigation that follows eighteen months later.

Evidence preservation comes first, before any cleanup, any room resets, or any modification to the environment where the incident occurred. The sequence of events matters for law enforcement, for legal counsel, and for the security audit that must follow. After preservation comes the internal debrief: every member of the detail gives an unedited account of what they observed and what decisions they made, in sequence. Client communication — clear, factual, without attribution of blame — happens next.

The security audit must occur before returning to normal operations. Every incident reveals a gap — in advance work, in access control, in communications protocols, in how the detail performed under pressure. That gap closes only if it is identified and addressed directly. Organizations that bypass the post-incident audit are the ones that face hour-72 resurgences: the access credential that was never revoked, the threat actor who was dismissed at hour 6 and returned at hour 48, the route compromise no one documented. The audit is not administrative overhead — it is the mechanism that converts an incident into institutional learning.

Why Pre-Incident Planning Is the Real Answer

Everything described in this article is teachable. None of it is improvised effectively under pressure by people who have never done it before.

Organizations that execute well in the first hour of a corporate security crisis are the ones that walked through this exact scenario before it was real. They know who owns the response. They have a command structure with names attached to roles. Their EP team has rehearsed the order of operations. Their information triage protocol exists in writing, not in someone’s memory. Their law enforcement relationships are active, not theoretical.

Crisis response operationalizes through repetition, not through reading about it. If your organization has not run a structured tabletop exercise with a professional EP provider, that is the right first action — not because incidents are inevitable, but because response quality is entirely a function of preparation time. Our crisis management services include tabletop facilitation and crisis response architecture for corporate clients at every stage of security program maturity.

For the pre-incident framework that feeds into that planning, our framework for pre-incident risk assessment covers the six workstreams that surface exposure before it becomes an incident. If you are ready to run a crisis exercise or structure a formal response protocol for your organization, the scoping call is where that conversation starts.

Don’t Wait for an Incident

Build the Response Before You Need It

Book a $500 scoping call with Kenneth Wilson. In 60 minutes, you’ll have a clear picture of where your current crisis response protocol holds and where it breaks — and what a tabletop exercise with a professional EP provider looks like for your organization.


Kenneth Wilson · CPS · PPS · EPS · SPI · CPO · New York