Crisis Team Academy: opening lecture on learning why traditional crisis management techniques simply don't work with cyber incidents

Why company culture is undermining our ability to appreciate risk, and so to prepare for or cope with the cyber threat:

We have a problem with the way that almost ALL organisations operate. This is covered in a series of guest blogs that we were invited to write for Commvault; the first in the series was "9 Tips For CXOs Post COVID19 – Data, Risk And Digital Transformation". In the second blog in the series we go on to explain:
The way that almost all departments in almost all organisations are managed and incentivised is based on revenue and profit. These are return on investment (ROI) measures. As long as this is the way that individuals are incentivised and organisations are managed, there will be little or no effective risk appreciation. About the only senior manager focused not on ROI but on return on risk (ROR) is the CISO, but as long as he is at odds with the rest of the management team the CISO is at risk not only of finding that he is isolated (what I term CISOlation), but also of being scapegoated when things go wrong – even if his warnings were ignored. It is as if the senior management team are watching a TV where only two of the three colour feeds are working (revenue and profit). They can see roughly what is happening across the business, but they don't get the full picture. When major risks do appear, often out of the blue, they are visible to the CISO but not to the others, and if his warnings are ignored this can lead to calamity.

We have seen this time and again – with credit risk in the global financial crisis and with the health hazard during the pandemic. Each time there were warnings, but they were ignored because organisations had a focus on ROI and not on ROR. The difference this time is that the cyber risk is not only visible and evidently growing, but organisations still have time to address it.

AND it is not just a threat, it is also an opportunity. As we explain in the first Commvault blog:
Few however realize that flexibility and risk awareness can together be a powerful source of competitive advantage. Dominant players tend to use their scale to sustain market leadership, but during major disruption events, if they lack the risk awareness to be crisis prepared and the flexibility to respond effectively, then they can fall rapidly from grace. Such events are a real opportunity for flexible, risk-aware organizations not only to capture market share, but even also to capture entire markets. They are well positioned to thrive while those around them flounder.

Key Learning Points

The key points covered in the opening two-part lecture, originally given at the Virtual PR Summit by Bill Mew under the title "Why Traditional Crisis Management Techniques don't work with Cyber Incidents", are as follows:

MYTH 1: We aren't the ones that hackers are going to target. We are too small / too unknown / too secure (delete as applicable).
REALITY 1: With far more remote working than you planned for, you're more vulnerable than ever. Organizations of all sizes are potential targets. It's probably not a matter of 'if' you'll get hit, but 'when'. And since the average breach takes more than six months to detect, it may well already have happened.

MYTH 2: We've got cyber insurance, so we're covered.
REALITY 2: Cyber insurance policies often include a host of provisions and exclusions that in effect make it impossible to claim for almost any incident of any kind. If the insurer wants to refuse to pay out, they will probably find a way of justifying it, and in some recent incidents they have already refused to pay.

MYTH 3: We've got a crisis management plan and a team that can deal with anything.
REALITY 3: Tech teams often attempt a DIY fix before calling for help. By then it's often a little too late (the impact and exposure have magnified significantly), and they call in the wrong people (not having had time to select the right experts). If they then follow the textbook approach, or fail to get the right specialist support, they are just going to make things worse, because traditional crisis management techniques simply don't work with a cyber incident.

Virtual PR Summit: "Why Traditional Crisis Management Techniques don't work with Cyber Incidents" by Bill Mew

Watch part one below:
Watch part two below:
Contact us for details of further Crisis Team Academy training modules.