Cybersecurity GRC · Cyber Crisis Management

On the day of the attack, the binder
doesn't answer the phone. Your cell does.

What keeps an attacked organization standing is not the thickness of its documentation: it is a trained cell, clear roles and reflexes acquired through exercises. I build your cyber crisis capability, and I train it.

The engagement

What the mission covers.

Crisis capability

A named cell with distinct roles (crisis direction, coordination, business, IT, legal, communication), explicit activation thresholds, a crisis directory and out-of-band communication channels.

Per-scenario reflex sheets

Ransomware, data leak, major outage, email compromise: short, actionable sheets rather than an 80-page plan no one will open under stress.

Exercises and training

An annual program of tabletop exercises and simulations, scenarios that hurt where it counts, documented debriefs and corrective actions tracked to closure.

Regulatory notification built in

NIS2, DORA and GDPR notification processes ready to trigger: declaration templates, designated owners, 24-hour and 72-hour deadlines held even in the fog.

The approach

Taught at Master's level, proven in the crisis room.

I teach cyber crisis management in a Master's cybersecurity program, and I apply it in the field, notably in M&A contexts where the crisis strikes an organization in mid-transformation: a cell to rebuild between seller and buyer, shifting responsibilities, maximum exposure. The capability articulates naturally with business continuity: the crisis is managed, the business continues.

The value of a crisis capability is measured by the date of its last exercise. If yours is over a year old, you already know your first priority.
Frequently asked questions

What I get asked about crisis management.

What should the capability contain?

A named crisis cell with distinct roles, short per-scenario reflex sheets, out-of-band communication channels, a crisis directory accessible outside the IT environment, and explicit activation thresholds. And above all, an exercise program.

What does an exercise look like?

A realistic scenario played in near-real conditions: tabletop for the decision cell, technical simulation for the IT teams, injections of unexpected events. Every exercise produces a documented debrief with corrective actions tracked to closure.

How does it articulate with NIS2 and DORA?

These regulations impose incident notifications within 24 and 72 hours, which fall during the crisis, not after it. The notification process must be built into the capability, prepared and tested in exercises, with declaration templates ready to use.

Has your crisis cell ever broken a sweat?

One 30-minute call and you know where your capability stands and which exercise to start with.

Book a qualification call

First call free, no commitment. See also the Cybersecurity GRC page.