Cyber crisis management: why the exercise matters more than the binder

The day the attack comes, the value of your crisis capability is not measured by the thickness of its documentation. Picture servers encrypted at 3 a.m., or an exfiltration discovered on a Friday evening. In reality, everything hinges on one question: has your cell already lived through this in an exercise? Here is why training makes the difference in cyber crisis management, and how to go about it.

What makes a cyber crisis particular

A cyber crisis combines three difficulties rarely found together elsewhere. First, uncertainty. For hours, sometimes days, you know neither the extent of the compromise nor whether the attacker is still inside. Second, tooling. The crisis hits precisely the tools used to manage it, email included. Hence the need for out-of-band communication channels, prepared in advance. Third, the regulatory clock. NIS2 and DORA impose notifications within 24 and 72 hours, and personal data breaches within 72 hours. Yet these deadlines fall during the fog, not after it.

The cyber crisis management capability that works

You first need a named crisis cell with distinct roles. A crisis director decides. A coordinator keeps the log and the tempo. Business, IT, legal and communication leads complete the team. Next come short reflex sheets per scenario: ransomware, data leak, major outage. They beat an 80-page plan. You also need an up-to-date crisis directory, accessible outside the IT environment. Finally, explicit activation thresholds. Indeed, the worst decision is the one taken too late, for lack of having defined when to switch to crisis mode.

The exercise: where everything is decided

One exercise a year is a minimum. Vary the formats: tabletop for the decision cell, technical simulation for the IT teams, and from time to time a surprise exercise. Above all, scenarios must hurt where it counts: compromised backups, an unreachable executive, a journalist calling before the cell has even convened. Thus, every exercise produces a documented debrief, with corrective actions tracked to closure, exactly like an audit. That is, incidentally, what ISO 22301 requires.

Cyber crisis management: the takeaway

Cyber crisis management is a team skill, and skills are trained. The binder documents, the exercise prepares. Thus, when the day comes, the cell’s muscle memory makes the difference between a managed crisis and an endured one.

Has your crisis cell ever broken a sweat in an exercise? See the continuity and crisis management practice or let’s talk about your situation.
Share this article
Link copied