Cyber crisis management: the importance of training

What is a cyber-crisis?

“A difficult exercise, an easy war.” Just like the French Foreign Legion’s adage, an organization must train to best face a cyber crisis.

A crisis is an abnormal situation that disrupts the normal functioning of an organization and can even endanger it. It requires adapted reactions from the decision-makers to return to a nominal situation under the best conditions. Even though the crisis exceeds the organization’s capacities and requires exceptional measures, either internally or by calling on third parties, it is often the consequence of one or several facts – foreseeable or not – exogenous or endogenous.

To react in the best possible way, preparation, anticipation, forecasting, awareness, and training are essential elements that allow an adapted, coherent and efficient management in unstable situations. This requires the drafting of crisis management and business continuity policies, investment in human and material resources, and training in crisis management.

The crisis exercise, whether it is done “on the table” or “in the field” [1], announced or unannounced, allows for a transversal response to several elements of crisis management preparation, depending on the organization’s objectives and its level of maturity.

The crisis exercise must be considered a means of validating systems and policies, as an educational tool, and as a strategic lever for more efficient crisis management.

Simulation of a crisis is a very effective technique resulting from the methods of active andragogy, specifically adapted to the adult public, which will be able to acquire more easily the automatisms and to be confronted with the difficulties of the crisis management, but comfortably, since without consequences.

It is a matter of acquiring experience without having to wait for the company to be confronted with a real crisis. In this way, in unusual situations, causing the opening of crisis units, members who have already been trained and faced with stress will be able to better appropriate the guidelines put in place, understand the specificity of human interactions between the members of the crisis unit, which often differ from daily life during stressful situations.

To manage a crisis, you need to have the knowledge, know-how, and interpersonal skills. Knowing the procedures well, identifying the members of the crisis unit, the resources available, and the prerogatives of the various parties are the key to success. Training, through crisis exercises, allows one to reach an even higher level of mastery.

If issues arise from a crisis exercise, strategic directions can be developed.

The crisis exercise and the conclusions drawn from this exercise (feedback or debriefing) are powerful levers for raising awareness and proposing action plans or even investments in risk management, business continuity, security, and safety within crisis management framework in a company or organization.

Therefore, the management can be informed of the conclusions of the exercise and the related recommendations by the entity that implemented the exercise (whether it is a consulting firm or the department in charge of crisis management and business continuity within the company).

In addition, training plans can be proposed and implemented to facilitate the development of employees’ skills who must intervene in a crisis. Managing a crisis is not innate and does not rely solely on experience but also on theoretical fundamentals and knowledge acquired through an initial learning phase.

Finally, the user does not stop there. The crisis exercise can be helpful or even strategic (sometimes even mandatory) depending on the field, to prove the organization’s resilience capacities.