In many organizations, cyber crisis management is naturally entrusted to the CISO. After all, they are the cybersecurity expert. Often, they are also the ones who initiated business continuity plans from an IT perspective.
This situation therefore seems logical. However, one question deserves to be asked: Is a cyber crisis really a crisis for the CISO?
The cyber crisis: a crisis like any other
Despite its technical origin, a cyber crisis very quickly transcends the IT framework.
Ransomware, data breaches, or information system outages cause far more than just technical problems. They can have significant consequences:
Regarding operations and business functions: The unavailability of applications, data, or production tools can lead to a degradation, or even a complete shutdown, of certain activities. Business processes may be slowed down or have to be performed in a degraded mode, with potential impacts on service quality, deadlines, or the organization's ability to fulfill its missions.
Regarding the relationship with clients or users: Service interruptions, inability to access certain services, or the compromise of personal data can affect the trust of customers, users, or partners. Teams in contact with these stakeholders must also manage complaints, information requests, and any concerns raised by the incident.
Regarding internal and external communication: A cyber crisis requires rapid and consistent communication, not only with employees but also with customers, partners, authorities, and the media. Inappropriate or contradictory communication can worsen the situation and fuel rumors, misunderstandings, or a loss of trust.
Regarding regulatory and legal obligations: Certain situations may give rise to notification obligations to the competent authorities, the individuals concerned, or contractual partners. Legal liabilities may also arise, particularly in the event of a data breach, failure to comply with regulatory obligations, or disputes with third parties.
Regarding the organization's image and reputation: Beyond the incident itself, the way it is managed can have lasting consequences on the perception of the organization. A poorly managed crisis can affect its credibility, attractiveness, and the trust placed in it by its customers, users, partners, and employees.
Regarding financial and strategic aspects: The costs associated with incident management, remediation, business interruption losses, and potential penalties can be significant. A cyber crisis can also jeopardize projects, disrupt development strategies, or alter organizational priorities for several months.
In other words, the cyber crisis is not an IT crisis; it is a global crisis.
The same functions as in any other crisis situation must be mobilized: general management, operations, communications, legal, human resources, finance, and even external partners. The cyber component is ultimately just one of many aspects to address.
It is also interesting to note that most major recent crises, whether linked to cyberattacks or not, follow the same management principles: understanding the situation, making trade-offs, communicating, coordinating and deciding under time constraints and pressure.
The CISO: an indispensable expert, but not necessarily a crisis coordinator
The CISO obviously plays a central role in incident response. Their expertise is essential for classifying the attack, informing anticipation efforts, and contributing their knowledge of the cybercriminal environment.
However, being an expert in a field does not automatically mean being a crisis manager.
A discipline in its own right
Not playing several roles at once
Crisis management requires specific skills:
- coordination of multiple actors;
- decision-making under uncertainty;
- crisis management;
- stakeholder management;
- communication under stress;
- strategic trade-offs.
We will elaborate on these points in a future article.
However, not all CISOs have been trained or introduced to these practices. Their background is primarily that of technical experts or information security managers.
In a major crisis situation, the CISO is already under considerable pressure.
They must:
- manage the IT security teams;
- follow the investigations;
- engage in dialogue with service providers and experts;
- assess the impacts on the information system;
- propose recovery scenarios.
Asking them, in parallel, to coordinate the entire crisis amounts to imposing a dual role that is difficult to sustain.
The risk of a vision too focused on cyber
By nature, the CISO approaches events through the lens of digital security.
However, crisis trade-offs are rarely purely technical. They involve considerations such as:
- operational;
- financial;
- human;
- regulatory;
- reputational.
The best decision from an IT perspective is not always the best decision for the organization as a whole.
The role of the crisis coordinator is precisely to take a step back and seek a balance between these different issues.
Towards a more mature governance of crisis management
If crisis management should not rely solely on the CISO, how should it be organized?
Creating a function dedicated to continuity and crisis management
The most mature organizations generally distinguish between:
- risk management;
- cybersecurity;
- business continuity;
- crisis management.
This approach provides a cross-functional capability to coordinate all stakeholders in the event of a major incident, regardless of its origin.
The CISO then becomes what they should be: a leading expert within the crisis cell, and not its sole conductor.
Obtaining a strong commitment from management
Crisis management is first and foremost a matter of governance.
Without support from senior management, it is difficult:
- to establish a genuine crisis culture;
- to involve the business functions;
- to perform regular exercises;
- to clearly define everyone's responsibilities.
Conversely, when management takes ownership of the issue, the cyber crisis ceases to be perceived as an "IT" problem and becomes a strategic issue for the organization.
Conclusion: Getting out of the "CISO crisis"
Systematically entrusting cyber crisis management to the CISO often reflects a certain historical maturity: cybersecurity was the entry point, and the CISO naturally became the main driver of the issue.
But as organizations mature, this approach shows its limitations.
Because ultimately, a cyber crisis is not just a crisis for the CISO. It's a crisis for the entire organization.
The CISO must play a major role, but as an expert and advisor, within a broader crisis governance framework, led by management and integrating all relevant functions.
In short, perhaps we should stop asking who should manage the cyber crisis and start to consider that a cyber crisis is first and foremost a crisis, before it is cyber.
Is your organization prepared to manage a cyber crisis, beyond its purely technical aspects?
The CERT Intrinsec teams are qualified security incident response providers (PRIS). They support you in structuring your crisis governance: defining roles, setting up a crisis unit, running simulation exercises and building continuity plans.
