The fastest way to find out whether a company has real cybersecurity is very simple.

Ask three questions.

1. Who decides in the first 30 minutes of an incident?

Not theoretically.

A concrete name.

Someone has to decide when information is incomplete, pressure is high and every minute changes the impact.

If the answer is “IT will handle it”, that is not enough.

IT can investigate. IT can contain. IT can recommend.

But someone must have the authority to decide.

2. Who communicates externally?

Customers.

Partners.

Media.

Regulators, if needed.

Communication during an incident is not only about writing a message. It is about deciding what can be said, when it should be said, who approves it and how the company avoids making the situation worse.

If nobody owns external communication, silence becomes the default.

And silence during an incident is rarely neutral.

3. Who owns responsibility for the impact?

Not IT.

Not “the team”.

A concrete person.

Because the impact of an incident is not only technical.

It affects customers, production, contracts, reputation, legal obligations and business continuity.

That means responsibility cannot disappear into a generic group.

Someone must own the business impact.

If you cannot answer immediately

If your company cannot answer these three questions immediately, then it does not have real cybersecurity.

It has the assumption of a problem.

Most companies have:

  • tools,
  • documentation,
  • audits.

But they do not have:

  • decision-making,
  • responsibility,
  • preparedness.

And that is exactly what decides the outcome.

Not technology alone.

The real test

Cybersecurity is not proven by saying that a company has a firewall, monitoring, backups or a policy.

Those things matter, but they are not enough.

The real test is what happens in the first minutes of a real incident.

Who decides?

Who communicates?

Who carries responsibility?

If those answers are clear before the incident, the company has a chance to manage the situation.

If those answers are discovered during the incident, the company is already late.

So the question is simple:

Could you answer these three questions in your company without thinking?