My work with the Royal Marines concludes that it’s irrational to expect people to perform effectively in a crisis if you’ve never trained them on their roles, responsibilities, and resources. Wise CSOs borrow a technique from the army and pre-emptively employ guided practice sessions to prepare their staff, superiors, and stakeholders on who does what, when, and why.
One of the most crucial tasks that every CSO/CISO has to accomplish is to train and qualify key stakeholders on critical skills like Security Incident Response. Specifically, the head of security has a vested interest in pre-emptively ensuring that all of the influential people who will be needed during a real-world security crisis have already practised their respective parts before an actual ‘cyber emergency’ happens.
Take the public relations team, for example. While the security engineers are neck-deep trying to sort a massive DDoS attack or ransomware outbreak, the PR team will be under tremendous pressure to share information with regulators, customers, suppliers, and possibly the general public. They need to know what they can (and mustn’t!) say about what happened, what’s being done to sort it, and when the crisis will be resolved. Many of the security people who know the most about the incident will be consumed with the response. When should the PR team interrupt? What sort of content can they expect to get? Will there be time for editing and fact-checking? Or a legal review prior to publication? How often can they expect updates?

Now, consider the other key stakeholders: Legal, Finance, Procurement, Facilities, Human Resources, and Customer Service all have unique roles to play and distinct information demands. They all need to know how and when they’ll get informed so that they can perform their own tasks. Then there’s the company leadership element: you don’t dare forget to let the owners, executives, or Board of Directors know what’s happening!

This is why real-world security incident response operations often get messy. If a crisis happens and the key players haven’t practised their respective roles before, confusion sets in quickly. Well-meaning mistakes get made. Tempers can flare as good people get frustrated, confused, and misdirected. Trust fractures. Organisational cohesion frays (with potentially long-term consequences). This is the nightmare scenario that governance models, auditors, and experts all warn companies about. Be prepared … or else.
The military knows this all too well. Long before the Prussian military scientist Carl von Clausewitz described the ‘fog of war’, soldiers understood how unit command and control would falter in the inevitable confusion that manifests when two opposing forces clash. That’s why military commanders go to great lengths to explain their battle plans to their subordinate leaders before a clash commences. Once the fight is joined, it becomes every leader’s duty to adapt and improvise based on local conditions to accomplish the overall objective. When leaders understand one another’s role and intent, they’re far more likely to perform effectively in a crisis situation.
By Ben Laker