Article from Global Security Magazine.

The question is no longer IF you will be affected by a crisis, but WHEN you will be.

Published in issue 48 of Global Security Magazine, our article is also available in full below. In it, we share our advice and our vision of crisis exercises, an essential step in effective crisis management preparation.

The question is no longer IF you will be affected by a crisis, but WHEN you will be. This phrase, which has almost become a popular saying, is on the minds of risk managers, communications directors and CISOs (Chief Information Security Officers) in their offices.

Companies affected by crises are no longer isolated cases. The extreme sensitivity of public opinion, the importance of reputation, the emergence of fake news, tougher regulations and geopolitical tensions partly explain the increase in the number of crises. But the media coverage and multiplicity of crises are matched only by their complexity and intensity.

Faced with these exceptional situations, which put pressure on the organisation and distract it from its priority missions, leaders must make decisions within increasingly tight deadlines, while being plunged into the unknown. The common denominator in all crises is UNCERTAINTY.

Exposure that grows with the business

Digitalisation, compliance and the GDPR enable us to accelerate and secure our business, but they also expose our companies to new threats. While organisations are becoming less vulnerable in many ways, the attack surface is increasing with the emergence of these new areas.

Consider, for example, a company’s reputation. Thanks to social media, an organisation can quickly build its reputation and gain visibility. Positive comments and engagement from followers help build its reputation, making it seem friendly and approachable. A powerful selling point, a company’s reputation involves many internal functions, which watch over it like a hawk. But the growth of a company’s reputation is inversely proportional to its fragility, because while it allows it to quickly gain consumer preference, it also makes it particularly vulnerable: ‘It takes 20 years to build a reputation and five minutes to ruin it’ (Warren Buffett). This is a paradox that certain activists and advocates have understood well and exploited, with social media offering them an infinite platform for expression. In the confrontation that sometimes arises between certain organisations and their consumers or detractors, reputation can be used as a tool to restore or even reverse the balance of power. What better way to get a company, politician or local authority to listen than to cast a dark shadow over their image by threatening to publish shocking images or disturbing reports? It is worth noting here that the veracity of the published material is irrelevant, especially when we know that ‘fake news’ spreads six times faster [1] than accurate information.

Increasingly intense situations

In times of turmoil, leaders are forced to make urgent decisions about what operational response to take (or not to take), what strategy to adopt to manage the event, and what internal and external resources to mobilise. Unlike a few years ago, they no longer have significant time to react calmly after analysing the information at their disposal.

The advent of social media has put crisis management under the spotlight of instantaneity. As a result, organisations often begin their crisis management in response to a tweet, a call from a journalist or a consumer, rather than being the bearers of the news themselves. The precious minutes between the announcement of the crisis and the first decisions to be made can be counted on one hand and must be used wisely.

The crisis management system and mobilisation procedures must, of course, be defined in advance: it is not on the day of the event that you should be wondering about the resources to be deployed and how to contact your employees. Once these theoretical elements are in place, regular crisis exercises will enable the organisation to become more effective and make good use of the few minutes it has to develop a response and take the first precautionary measures. Just as an orchestra rehearses its score until it has mastered it, the company and the members of the crisis unit must train so that the system runs smoothly and efficiently.

Crisis management exercises also give participants the opportunity to confront an underestimated dimension: the test of time. While crisis management was often a short-term event, it can now last for several days. The media and internal pressure that regularly accompanies this type of event often causes a ‘crisis within a crisis’, generating successive twists and turns.

The intense pressure experienced by the company at the height of the crisis makes the ordeal particularly trying. Experiencing the intensity of such an episode first-hand helps to limit the state of shock that can sometimes affect those involved in managing the event, tests the team’s cohesion and provides a better understanding of one’s personal capabilities in such situations.

From two-hour tabletop exercises to real-time exercises lasting 24 hours or more: scenarios to be calibrated according to the stakes involved.

Before any exercise, specific objectives must be set. Is the aim to test the effectiveness of the mobilisation system? To fine-tune the use of the tools available? To manage coordination between several crisis units? To trigger the BCP (Business Continuity Plan) or DRP (Disaster Recovery Plan)?

A crisis exercise is by no means an off-the-shelf product that can be reused at will, but rather a project in its own right, requiring knowledge of the company for which the exercise is being conducted, as well as a thorough understanding of its organisational chart, specific characteristics and codes. It is through attention to detail that the exercise will be realistic and that participants will ‘get into the game’.

Beyond the initial situation that will be described to participants, the exercise must be enriched with numerous stimuli that will make it possible to speed up or slow down the exercise, intensify the pressure, or even cause participants to doubt the decisions made and the directions to be taken. These stimuli may include telephone calls, emails, press clippings, tweets, etc. While the narrative is of paramount importance to the credibility of the exercise, its pace is just as crucial. For tabletop exercises in particular, participants must be projected into the future and play out events in real time and fictional time simultaneously.

Similarly, exercises generally focus on the initial phase of crisis management. For some companies that are already well-established, it may be useful to consider how to manage the ‘day after’ or the crucial stage of emerging from the crisis.

Real-time simulations are also possible. Generally conducted for organisations experienced in crisis management, they often require the involvement of external stakeholders (fire and rescue services, regional development agencies, law enforcement, etc.) and enable large-scale systems and the coordination of numerous stakeholders to be tested. Examples include the exercises conducted by Aéroports de Paris and Cyberfenua, which simulates a full-scale cyber crisis in French Polynesia to test its resilience and coordination with mainland France, complicated by distance and time difference. Organisations that wish to do so can also implement boot camp-style training courses, conducted in collaboration with former government officials or military personnel, for example, to test the resilience of the group and collegial decision-making in situations of intense stress.

In conclusion, it is important to bear in mind that a crisis exercise is neither a game nor a social event, but a full-scale test of the organisation’s resilience and the cohesion of its teams when faced with uncertainty. Managing so-called crisis events cannot be improvised, and the responsiveness required in today’s world necessitates appropriate preparation.



[1] Soroush Vosoughi, Deb Roy, Sinan Aral, "The spread of true and false news online", Science, 09 Mar 2018, Vol. 359, Issue 6380, pp. 1146-1151. DOI: 10.1126/science.aap955
