Crisis Management is an important topic for many of our clients. In order to share our insights on the topic, Krishn Sharma interviewed Crisis Management expert Mike Emberson to find out his views on the latest trends and challenges and his expert advice on how to build effective crisis management strategies.

How long have you been involved in Crisis Management?

I started at Wavestone around a year and a half ago; however, for the past decade, my professional focus has been in Crisis Management. It all began with running live exercises aimed at countering terrorism with the police. From there, I transitioned to the private sector, where I led extensive internal exercises for a consultancy firm. Before Wavestone, I joined the NHS during the pandemic, and my involvement during the major incident response for a large London trust was nothing short of intense. Each day felt like a crisis and navigating through those challenges was a true test of my Crisis Management skills. I then transitioned to cyber security crisis management as the pandemic came to an end; crisis management within cyber offers an exciting opportunity within an ever-growing field.

How have the trends changed throughout the last 10 years?

Crisis management has evolved significantly over the years, with a primary focus on terrorism in its early stages. As the threat of terrorism began to subside, there was a shift towards business continuity. Many of the evacuation procedures and methods for restarting operations post-incident could be applied to scenarios involving fires, power outages, and natural disasters. In recent years, however, there has been a growing emphasis on cyber threats which brings us to where we are today. Despite this trend, clients have recently been requesting non-cyber exercises, suggesting a potential shift in focus or a fusion of exercises for both operational resilience and cyber security. The prominence of cyber threats has prompted clients to increase their preparedness, which, in turn, has led to a greater emphasis on operation-based exercises as the next focus point.

What makes effective crisis management?

Crisis management is all about being prepared for the worst. It's not just about having a plan in place but also ensuring that you have the right tools and resources to deal with unexpected situations. Stress testing through simulations is a crucial part of being ready, but it's also important to have a culture that emphasises the need to be constantly aware of potential threats. After all, threats can change at any time, especially when it comes to cyber security. Learning from both simulated exercises and real-life events is vital in identifying weaknesses in your crisis management plan and addressing them. At the end of the day, it's important to remember that if you don't plan, you're planning to fail. So, stay vigilant and be ready for anything!

Diving deeper, what makes an effective crisis management exercise?

To conduct a successful crisis management exercise, you need to have a clear idea of what you want to achieve. This means testing not only people’s response to a crisis but also the tools they use. By doing this, you can find out where people might need more training and identify any gaps in your plan. A good exercise will always provide you with valuable insights and recommendations, and there’s no such thing as failing, only learning opportunities. The goal is to be prepared and committed to continuous training, planning, and improvement.

Difference between public and private sector

In my experience, I’ve noticed that the public sector tends to be more proactive than the private sector when it comes to non-cyber crisis management exercises. However, things are changing, and the gap is slowly closing. The public sector was initially driven by The Civil Contingencies Act (2004), which made it mandatory for them to embed crisis management and business continuity within their operations. Recently, we’ve seen the private sector catching up, with regulators like the Financial Conduct Authority in the UK pushing for greater operational resilience. Since then, we have seen an increase in operational resilience requirements for financial services, which naturally leads to an increased desire to run crisis management exercises, and it’s likely this trend will continue with the introduction of DORA.

How do you ensure that all employees are trained and prepared to respond appropriately in the event of a cyber security breach or other crisis?

This is all about creating a strong crisis management culture within an organisation. It is critical and can be achieved by providing comprehensive training to all employees, regardless of their role. While it’s important to have crisis management teams in place, it’s equally important to ensure that every employee is aware of cyber security risks and knows how to respond accordingly. By embedding crisis management practices across an organisation, the chances of spotting an incident early on increase significantly. Awareness is key, and swift action if spotted early can prevent a developing crisis.

Can you walk me through a crisis that you’ve experienced during your career, and explain how the crisis management team responded and resolved the situation?

At my previous job, a fire broke out in the kitchenette of our new office. We responded well and thankfully no one was hurt, which can be attributed to our business continuity training. Following the incident, we developed a building management tool that provided a snapshot of every building in the estate and their activities. This improved coordination between teams and further bolstered business continuity. When another fire occurred in a different building, we were able to use the tool and respond more effectively.

How much of an impact does the state of the market have on crisis management?

Impacts in the market can lead organisations to neglect crisis management as they feel it is a nice-to-have rather than a necessity; as such, it is often seen as an effective cost-cutting tool during such times. Following this logic, if the market dips, organisations are less likely to be ready to respond to an incident as their knowledge and preparedness decays over time without adequate replenishment. Although this posture is changing with new regulation promoting the importance of crisis management, it is an ongoing issue.

How do you stay up to date with the latest developments in cyber security and crisis management, and incorporate this knowledge into crisis management plans?

I stay up to date by listening to podcasts, news briefs, reading journals and attending conferences in my free time. It has really helped build a greater understanding of the threats that exist as well as how best to respond to them.

 
