"The pair recommended extensive rehearsal for recoveries"
I remember once, when supposedly in charge of infosec for an international corporation, reporting problems with their incident response planning. Not least, the only testing they performed was to have an annual session with the executive, led by an outsider consultant who talked them through an elementary scenario (on the occasion in question -- evacuating the HQ and continuing office work if a wartime UXB had been discovered nearby), all from the comfort of the boardroom. I suggested that there should be unannounced live exercises and that confusion should be intentionally injected into the scenario to simulate real conditions. They rejected both, on the grounds that they would be 'unpopular' with staff. There were numerous other deficiencies with their incident response, but they were essentially moot given the total unpreparedness of the organisation to respond with any semblance of speed or focus to anything they hadn't already anticipated (and they hadn't anticipated anything close to the realities of actual incidents).