Cyber-crisis management: the importance of training
Cyber-crises are stressful and tiring. To be fully prepared, real-life conditions exercises are a great option.
What is a cyber-crisis?
A crisis is an abnormal situation that disrupts the normal functioning of an organization and can even endanger it. It requires adapted reactions from the decision-makers to return to a nominal situation under the best conditions. Even though the crisis exceeds the organization’s capacities and requires exceptional measures, either internally or by calling on third parties, it is often the consequence of one or several facts – foreseeable or not – exogenous or endogenous.
To react in the best possible way, preparation, anticipation, forecasting, awareness, and training are essential elements that allow an adapted, coherent and efficient management in unstable situations. This requires the drafting of crisis management and business continuity policies, investment in human and material resources, and training in crisis management.
The crisis exercise, whether it is done “on the table” or “in the field”, announced or unannounced, allows for a transversal response to several elements of crisis management preparation, depending on the organization’s objectives and its level of maturity.
The crisis exercise must be considered a means of validating systems and policies, as an educational tool, and as a strategic lever for more efficient crisis management.
Crisis management policies
Implementing for the first time a crisis management policy or reviewing a crisis management system must provoke the automatism of testing and validating it operationally.
Indeed, in theory, the design and writing of crisis management and business continuity policies may seem complete and operational. This may undoubtedly be the case. However, will the crisis management actors succeed in understanding and appropriating them when the time comes in the event of a real crisis? Only a real-life situation – as realistic as possible – will allow for highlighting possible mistakes. Those can be corrected in later versions of the crisis management policies. The famous Deming wheel, with the “PDCA” (Plan / Do / Check / Act) from the ISO standard, then comes into play for a virtuous continuous improvement.
Verifying and validating the crisis management systems is undoubtedly an asset that allows for the best possible management of a potential future crisis. Thanks to the crisis exercise, it also allows taking advantage of this opportunity to raise awareness and train employees in crisis management.
The crisis exercise as a training tool
Simulation of a crisis is a very effective technique resulting from the methods of active andragogy, specifically adapted to the adult public, which will be able to acquire more easily the automatisms and to be confronted with the difficulties of the crisis management, but comfortably, since without consequences.
It is a matter of acquiring experience without having to wait for the company to be confronted with a real crisis. In this way, in unusual situations, causing the opening of crisis units, members who have already been trained and faced with stress will be able to better appropriate the guidelines put in place, understand the specificity of human interactions between the members of the crisis unit, which often differ from daily life during stressful situations.
To manage a crisis, you need to have the knowledge, know-how, and interpersonal skills. Knowing the procedures well, identifying the members of the crisis unit, the resources available, and the prerogatives of the various parties are the key to success. Training, through crisis exercises, allows one to reach an even higher level of mastery.
If issues arise from a crisis exercise, strategic directions can be developed.
Exercise as a strategic lever
The crisis exercise and the conclusions drawn from this exercise (feedback or debriefing) are powerful levers for raising awareness and proposing action plans or even investments in risk management, business continuity, security, and safety within crisis management framework in a company or organization.
Therefore, the management can be informed of the conclusions of the exercise and the related recommendations by the entity that implemented the exercise (whether it is a consulting firm or the department in charge of crisis management and business continuity within the company).
In addition, training plans can be proposed and implemented to facilitate the development of employees’ skills who must intervene in a crisis. Managing a crisis is not innate and does not rely solely on experience but also on theoretical fundamentals and knowledge acquired through an initial learning phase.
Finally, the user does not stop there. The crisis exercise can be helpful or even strategic (sometimes even mandatory) depending on the field, to prove the organization’s resilience capacities.
In conclusion, crisis management exercises bring real added value to organizations and must be an integral part of crisis preparedness strategies. The exercises are adapted to the organizations, the objectives are predefined, and the scenario in place is coherent and adapted to the company’s context.
This will allow the “players” to project themselves, to learn as well as possible, but also, to the people in charge of security, safety, business continuity, and crisis management, as well as to the decision-makers, to be able to react and to take measures thanks to the feedback session and to the recommendations which will be resulting from it.