CISOs who have survived major cyber incidents recommend letting company ethos guide incident response.