I learned an unexpected lesson about incident response and crisis management last weekend. It came from my family and a clogged toilet.
I was woken up around 12:30am by my youngest daughter. She was panicked. She told me my son and his friend didn’t know what they were doing and couldn’t resolve a serious situation: the toilet was clogged and overflowing.
Still groggy, I followed her downstairs.
Water was everywhere in the first-floor bathroom. And there was my son, looking exasperated in his pajama pants and snow boots, plunger in hand. Worse, water had already seeped through the floor and into the basement below. As I evaluated the situation, I could see standing water around the heating system, the hot water heater and all the electrical components. Dollar signs were flashing in my head. This was the kind of situation where every additional minute mattered.
My son, his friend, and my daughter had been trying to fix it. They were actively working the issue, but failing.
This is not a story about incapable people.
All three of them are smart, capable, and thoughtful. But they had never faced this exact situation before. The solutions they knew didn’t work and the problem continued to get worse.
They had tried plunging the toilet. We have plenty of plungers in the house, including a very good one that fits the toilet properly. My son knew to use that one. His friend had tried flushing repeatedly, because that’s what worked in his house when a toilet clogged. Unfortunately, every plunge temporarily lowered the tank reservoir, which caused more water to refill and spill over. Their attempts to fix the problem were actively making it worse.
When I walked in, I was angry.
I was angry about being woken up in the middle of the night. I had work the next day. I was angry they were up so late. I was angry the toilet was clogged in the first place. I was worried and angry about the water damage and the potential cost of repairs. It was school vacation, so the house was full of kids with nowhere to be in the morning, which somehow made everything feel worse.
I’m the “clogged toilet fixer” in our house. That’s my role. And in that moment, I realized something uncomfortable. I had never actually trained my family on how to handle this.
They knew the basics. Get a plunger. Use the right one. Try to clear the clog. But they’d never practiced. They’d never thought through the whole system. They didn’t understand all the inputs and outputs involved.
Technically, the problem wasn’t complicated.
Water was coming into the toilet and not leaving through the drain. With nowhere else to go, it spilled onto the floor. There were complicating factors, including the obvious disgustingness of the situation, which makes decision making harder. And their attempts to fix it were unintentionally increasing the input.
But this wasn’t an unsolvable problem for three capable people. And yet, as the situation unfolded, they were stuck.
This is exactly what happens in most IT and cybersecurity incidents.
The technical problem itself is often not that complex. Organizations struggle because they’re unpracticed, panicked, and unfamiliar with the situation. People lose the ability to calmly reason through what’s actually happening. Inputs and outputs blur together. Time is lost while damage continues.
In our toilet crisis, the first thing that needed to happen was to stop the input.
Turning off the water to the toilet immediately stopped the situation from getting worse. Once no new water was entering the system, we could focus on stabilizing the environment. We mopped up water in the bathroom and the basement. We cleared water away from electrical and heating components. We reduced the risk of additional damage.
Only after the situation was stabilized did we focus on fixing the root problem, the clog itself.
With the water turned off, plunging the toilet became effective. No chaos. No overflow. The drain cleared, the water was restored, and the crisis ended.
This same pattern applies to IT and cybersecurity incidents.
Teams often rush straight to “fixing” without stopping the bleeding. They don’t pause to identify where data, traffic, access, or actions are entering the system. They don’t isolate systems. They don’t stabilize the environment. In many cases, their well-intentioned actions make things worse.
This is often compounded by the fact that basic planning hasn’t been done. There’s no clear inventory of systems, no shared understanding of how things connect and no practiced response that helps people stay calm under pressure.
Incident response is not about heroics. It’s about understanding the system, knowing where inputs and outputs exist, and stopping the things that cause damage before trying to repair what’s broken.
If you’re lucky, sometimes these types of lessons come from a tabletop exercise. If you’re not, sometimes they come at 12:30am, standing barefoot in a flooded bathroom, realizing that knowing how to plunge a toilet is not the same as knowing how to manage a crisis.
