In today's digital world, cyber incidents are not just IT problems; they are genuine business crises. Although many organizations have incident response plans in place, those plans often collapse under the pressure of a real event. In this webinar, Courtney Guss (Crisis Management Director, Semperis) explains why traditional approaches to crisis management fall short and what it takes to build true cyber and operational resilience.
Join us for a frank conversation about moving from reactive response to proactive resilience, and about how leading organizations are transforming their response strategies before the next crisis breaks.
You will learn:
- Why resilience should be your North Star, and what it takes to get there
- Where cyber crisis management strategies and their execution typically fail
- How leading organizations regain control through simplified, orchestrated response models
- How automation and a shift in mindset are transforming crisis outcomes across industries
Allison: Welcome, everyone. The event is now live. John, please take it away.

John: Thanks, Allison. Hi, everyone. Welcome to today's live Tech Talk, From Chaos to Control: Rethinking Cybersecurity Management. This event was organized by the hardworking folks at Redmond Magazine, and it's sponsored by Semperis, a leader in AI-powered identity security and cyber resilience for hybrid environments. I'm John K. Waters, Editor in Chief of the Converge360 group of 1105 Media, and I'm joined today by our cybersecurity expert, Courtney Guss. Hi, Courtney.

Courtney: Hi, John.

John: Courtney has more than twenty years of experience in cybersecurity, crisis response, and business resilience. She has led cyber crisis management initiatives for a wide range of organizations, including global enterprises, government agencies, and Fortune 500 companies. As Crisis Management Director at Semperis, she manages the Ready1 cyber resilience and crisis management platform. We are really lucky to have her today, and I'm really looking forward to this conversation. But I have to do just a little bit of housekeeping. I want to let everybody know that this Tech Talk is being recorded for later access. Keep an eye out for an email with a link to that recording; it'll be coming your way in the next few days. Our sponsors provided some extra resources you won't want to miss. You should see them now on your console. And at the end of this conversation, we'll have a five-to-ten-minute Q&A. Please type your questions into the Q&A box as they occur to you. We'll do our very best to get to all of them. Now just a little more context setting here. Many organizations have incident response plans in place, but those plans often collapse under the pressure of a real-world event. When a single incident can escalate into a full-blown crisis, your true strength lies in how swiftly and intelligently your organization can adapt, recover, and lead in the face of chaos.
In this Tech Talk, we'll be considering why traditional approaches to crisis management so often fall short, and what it takes to build true cyber and operational resilience. Now let's get started. So we were talking before, and that leads me to my first question, a couple of definitions. Can you explain the difference between incident response and true operational resilience?

Courtney: Absolutely. Yeah. And I think this is a great place to start, because it's often a bit confusing in what we do in the cybersecurity space. But I really think of incident response as being that tactical, technical response to some kind of an incident within the organization. You're really managing some kind of a disruption. It could be widespread across the business, it could be fairly contained, but you're really thinking about that immediate containment, investigation, and recovery effort. But then when I think about resilience, I'm thinking about how does the broader business respond to that incident or that incident response? What are we doing to maintain business operations while we recover? And I believe that resilience is what customers and shareholders are looking for, what regulators are wanting to see. They want to see that you're keeping the lights on and the doors open while you work through that recovery and response effort. You can no longer just shut things down and say, we'll be back online in a couple of days. They're really wanting to see that resilience during the actual incident response itself.

John: So why should resilience, and not just recovery, be considered a North Star for organizations?

Courtney: You really want to think about how do I keep those business operations running and functioning and remain operational during the recovery? And then you can almost reverse engineer what that tactical response should look like in order to maintain that resiliency. So it really shifts the way you think about how you respond and recover.
Maybe you look at prioritizing different restoration activities a little bit differently. Maybe you think about prioritizing recovery in a way that maintains business operations. It could even be how you prioritize communications during that recovery process as well. So if you're thinking about resiliency as that North Star, my utopia, the goal that I'm shooting for, I think it makes it a little bit easier to figure out what matters to me as I'm making decisions through a recovery process. Because, you know, when this stuff happens, it's chaos internally. There's a lot of people trying to understand what their roles and responsibilities are and what they should be doing. And if everybody's working toward that same end goal, then they can make really smart, educated decisions as to how to get there.

John: Okay. So in practical terms, what does a resilient organization look like?

Courtney: Oh, I think we're all trying to get there. Right? I think in practical terms, it's an organization that's working toward having clearly defined playbooks with roles and responsibilities defined. They could be looking at cross-functional response teams as well. It's really important to start to look outside of just our cyber and IT teams when we respond to incidents like this and think about how the business needs to be involved in these response and recovery efforts. And then, really, how do we maintain trust both internally and externally as we work through the recovery? And I think, in practical terms, most businesses are somewhere across the spectrum in these different areas. People have parts of playbooks or some roles and responsibilities defined. They may have a handful of cross-functional teams, but maybe not for every different type of scenario. So I think everybody's working toward that goal, and I think over time, the goal would be that you've got that whole program built out and you have the ability to practice as well.

John: I see.
So what would you say is the biggest misconception organizations have about their incident response plans?

Courtney: Well, outside of just saying "we think we're ready," I think a lot of the plans that we build become a bit of shelfware. Right? So they become a document that we have internally. Maybe we update it once a year for audit or compliance purposes, but it's not something that becomes a cultural or behavioral change in the way that we operate internally. And we're also not updating these playbooks to account for changes in the business or changes in our internal or external footprint. And so we think we're ready, but when the time comes, oftentimes these playbooks no longer align with the way we operate. They're no longer practical or useful, to your point earlier. And I also think we don't do a great job involving other business units or other cross-functional teams. So we want to make sure that they're not only involved with the planning and preparation, but the practice as well, because when the time comes, they're going to be tasked with some kind of decision point during a crisis. And, unfortunately, oftentimes they're just not prepared.

John: So why do traditional crisis management approaches, as I said in the intro, tend to fail under real-world pressure?

Courtney: Well, there's a lot of external things coming in during an incident or a crisis. Right? So now all of a sudden, you might be in the media or the news. There could be external stakeholders calling, customers who are upset. All of these things happening. So you have all this pressure coming in. And then you have the internal business units and teams who obviously are also making demands. They want systems back up and running. They need certain things to be restored. And so you've got all of these competing priorities. And I think oftentimes our playbooks assume ideal conditions where you don't have that kind of chaos or competing priorities.
And so now you have people stepping into roles where they're having to make fast decisions with limited information that could be really impactful for both internal and external stakeholders, and all of that pressure comes together and the wheels kind of fall off, per se. So, you know, how can we make sure that people are not only able to make smart decisions, but they practice enough that they understand business operations well enough to know that this decision aligns with our critical processes, or this decision aligns with what we need to be doing to reach that resiliency? That way, even if we haven't practiced that specific issue before, we at least know we're making decisions that align with our goals.

John: So what are some early warning signs that a response plan might collapse in the face of a major event?

Courtney: Well, some of the first ones: a lot of people will pull freeform playbooks and things off of the Internet or other resources and try to leverage what's already out there just to help them get a foothold in this space. And oftentimes, what we find is they just don't align with how your business operates or our business operates. So I think the big thing is making sure that the steps we're asking people to take are practical, that they align with the way we work, and that the roles in there align with the roles we have within our organization. Because if I ask you to make a decision based on a specific application or a business process and we don't even have that within our business, well, now you're trying to figure out what I'm asking for. Grabbing a financial services playbook when I work in manufacturing just doesn't always work all that well. So I think signs that those playbooks don't align to the business is probably the first place.
And then the other piece is practicing, but not practicing or running tabletops with the right teams, not involving enough external stakeholders or involving too many external stakeholders, and you kind of get that analysis paralysis.

John: Makes sense. So how can teams diagnose whether their current playbooks are truly effective or just performative?

Courtney: I think, you know, running through them, now being able to run frequent tabletops, getting in there and running lots of different scenarios. I prefer to fail at a tabletop, personally. I want us to identify the stuff that's missing and the gaps, the people that are in the wrong place at the wrong time, and really use those as discussion points to say, does this decision point even make sense for us? You know? It could be that we're struggling through a tabletop exercise because the decision points don't align with the way we operate, and those are really good discussions to have before the bad thing happens. So I think that's obviously a good place to start. It's just making sure we have those people in there and we're getting the right feedback, and then we're iterating. I think that's the other key piece that we often miss: go back and make the adjustments, make the changes to the playbook, write new playbooks, whatever you need to do, so that it's useful when you need to use it.

John: Okay. So, let me put it this way. Are there specific resilience metrics or benchmarks that you recommend teams track?

Courtney: Oh, that's a good question. You know, I think it really depends on the business and the industry that you're in. What's important to my business might be very different than what's important to yours. And I also believe there's a lot of industry requirements around what resiliency means and what resiliency prioritization should look like.
You know, if you're in an industry like financial services, for instance, where you've got people who need to be able to access their accounts and information, then, obviously, resiliency is going to look very different in terms of getting those systems operational and supporting those customers or transactions, versus a healthcare situation where you're really managing health and human safety, a completely different focus area. So I think understanding what resilience means, or what matters to me from a resilience perspective, is the most important place to start. And then, to your point, what are the metrics that I need to align to that, whether it's specific systems or maintaining operations? If it's healthcare, am I getting documents to the right people for patient care? Am I keeping the pharmacy up and running? We spoke to a healthcare firm a couple of weeks ago, and they happen to run critical care services, like blood work and the phlebotomy side of the hospital, for four other hospitals. So when they're prioritizing operations for resilience, that is a critical care center for them. And so, obviously, that would look very different than another organization.

John: Okay. So how should leadership think about resilience from a business continuity perspective versus the cybersecurity point of view?

Courtney: I think they have to account for both. You know, oftentimes we see a bit of friction between the cybersecurity response and recovery efforts and the business response and recovery efforts. And I think it's an opportunity for leadership to step in and say, as a group, as a whole, these are our priorities. These are our focus areas, and I want to align everybody on these priorities. That way, when we're responding and recovering, either from a technical point of view or from the business point of view, we're all in alignment, because we don't want to have that friction at the time of an actual severe incident or a crisis.
And we also want that leadership team to feel empowered to make external statements or communications to stakeholders. We want to make sure that we're communicating with our business partners. And so that alignment, I believe, really needs to be top-down. That way everyone's prioritizing in the same way.

John: Have you seen a lot of friction like that in your experience?

Courtney: Personally, yes. So one of my first roles in cybersecurity was within a security operations center, and, you know, oftentimes we want to shut down systems or shut down applications to try to contain whatever's happening. We may need to take certain parts of the network offline or certain assets offline, and all of these things impact the business. And, obviously, for those application owners or systems owners, that's the most important part of their day. So really understanding who wins in those cases, or not wins, but kind of who takes priority, can become a friction point. Or even adding additional security. You know? If the passwords are too complex, they change too frequently, multifactor authentication slows down how I log in to my system. Right? How do we make security an enabler in what we do and not a hindrance to the business, but also, how do we help the business understand that there are sometimes things we have to do on the security side to keep the business secure, and pull everybody together?

John: Makes sense. Okay. So how are simplified, orchestrated response models helping organizations regain control during crises?

Courtney: You know, what we're seeing are organizations that in the past focused predominantly on that protect-and-detect side of the house. Anything we could do to try to stop the bad thing from happening. And then when we realize that that's becoming increasingly more difficult, it's more a matter of when rather than if. We've seen a shift to incident response, which is, again, that immediate technical response to what we do.
And, actually, I'll just change the slide here, to that incident response. And incidents are really those disruptions in the business. But when it moves into a crisis and you start to manage additional business stakeholders, that's really where you're starting to throw lots of additional resources at it. Maybe you're even pulling in external supporting resources to help manage the crisis, and it can start to get very, very expensive. And you have to think that there's the worry that you're going to over-respond or under-respond, and we have a tendency to over-respond: bringing in any resource we can possibly get our hands on, paying extra money for third-party resources, having our teams on the line working extended hours to solve the issue. And we can really reduce that over-response by creating some kind of an orchestration plan. How do we assign tasks to people so that they're not spending hours waiting around for something to do? They know exactly what their focus area is. How do we create secure communication channels so that people clearly understand their roles and responsibilities and the expectations, or even just to get an update on where we are with the situation? How do we identify the right playbooks to use in these situations so that we can start getting all of this moving? The more we have those plans in place, the more we can reduce that resource spend, the burn, and just that running-around-like-a-chicken scenario where everyone's looking to somebody else to solve it. You know, we've got that plan in place. Now it's just a matter of executing, and it really does change the way we respond and recover.

John: So, speaking of all this, what is the role of automation in all of this? I'm thinking that it must enable smarter, faster crisis response. Do I have that right?

Courtney: Yes. Absolutely. I think anything we can do to automate some of the crisis response process is really where we start to shift how the industry handles this.
You know, traditionally, crisis management or crisis response in the cyber space is predominantly a manual process. It's a people-driven process. We've got static playbooks that then need to be turned into tasks that people carry out, or decision points that are made throughout that crisis management process. And all of that today is done via manual task assignment, meaning I call you, and I need you to go do something and then report back to me in a manual fashion. What we'd love to see is automation across the board. So playbooks are automatically deployed, in a sense, once we see that critical assets are impacted. And then from there, those playbooks create tasks, individual tasks to users based on pre-identified roles and responsibilities. And now I receive a notification, and I know exactly what it is you need me to do at any given time, when the due date is, and what documentation you need from me. And now I'm able to provide that documentation back to you in a digital format. And all of that orchestration can be automated in a way that really helps us respond and recover much quicker, helps you manage resources or identify gaps quickly. And it also helps us pull together all of that required documentation and logging, which is now required by regulators, in a much more streamlined fashion. And I think that's really the game changer in what we do in crisis management.

John: So automation is a game changer, and essential for sure. But how can it be implemented without creating blind spots or overdependence?

Courtney: Well, I think it's still going to require that kind of people oversight, because we're not going to be able to have a playbook for every type of scenario. We're not going to be able to have prebuilt tasks for every single nuance or decision point that's going to come up during a crisis.
So there's always going to be that critical thinking that you're going to have to apply to every situation to say, our playbook manages eighty percent of the situation we have to solve for, but the other twenty percent is going to be a checks-and-balances to make sure that we're getting the right information back from people, that we're not having to add any additional tasks for things that we hadn't previously planned for, or maybe there's an impact that we hadn't previously anticipated that we need to adjust for. And I think those adjustments are going to be what keep us from becoming too dependent on automation, because it's going to require some sort of manual intervention to ensure we're on the right track.

John: Okay. So what are some examples of successful orchestration in high-pressure, multi-team scenarios?

Courtney: You know, I think it's going to be organizations that were able to maintain operations while they were still telling the public they were in the middle of a cyber attack. It could be a ransomware attack. It could have been some other cyber outage. It could even be some of the IT issues that we've had over the last couple of years where they weren't even actually caused by any kind of cyber attack, but IT misconfiguration issues and things like that. The businesses that were able to maintain operations and continue to move through those situations without shutting things down are going to be the ones that, you know, in the back had a business continuity plan in place. They had the right people executing on communications. They were able to respond and recover much quicker, so they were back up and running before maybe some of their peers were. And those are going to be the organizations that you are seeing are well prepared and planning for those situations.
And that's another thing too: I think as you mature across the space, oftentimes organizations will start their planning process on the cyber side of the house, because we're really good at response and recovery in cybersecurity. Unfortunately, we get a lot of practice. But the maturity is when you move out of that into other types of crisis situations, whether it's IT failures, physical crises, natural disasters, et cetera.

John: Okay. That makes me think: what mindset changes, I guess I could say, are critical for modern crisis leadership?

Courtney: I think really, you know, not being afraid to assign people roles and responsibilities throughout the process, and shifting away from the idea that the CISO or the CEO are going to be making every single decision during a crisis, are probably some of the biggest shifts. Also the idea that we don't need to practice. We've got to stop just assuming that one tabletop a year makes us prepared for situations like this, because what we learn time and time again is there are people that step forward in a crisis situation and people that naturally fall back because that's not a comfort zone for them, and we don't want to find that out during a real crisis. So more frequent tabletops, even in a smaller group scenario, practicing becomes really, really important. And, again, that's a big culture shift within an organization because it requires investment, time, and buy-in. And I think really from there, also not assuming it's not going to happen to us is another big kind of mental shift.

John: Yeah. Nobody likes a fire drill. Is this a hard sell?

Courtney: Right. No, more often, no. It's really interesting. If you've spoken to an organization that's been through a situation like this, the first thing they'll start to tell you is all the things that went wrong, because it's just permanently ingrained in their mind.
So they'll tell you exactly what they needed to practice for the next one.

John: Okay. So how can teams move from a reactive, firefighting culture to a more proactive one?

Courtney: I think it's really that preparedness piece that becomes so critical. So, you know, you really have to think left of boom. Right? What do you do before the bad thing happens? And that's, again, those playbooks, really understanding what our operations look like internally, spending a little bit of time understanding what those critical business operations are and prioritizing those. Getting that information ahead of time is super important, because you don't want to have that argument around prioritization in the middle of a recovery. And then really from there, clear roles and responsibilities. And, I mean, not just for business operations, but some of those key decision points. Do we pay ransomware or not? If we do, who gets to make that call, and what kind of information do they need to make an intelligent decision? Prioritization of operations that are maybe outside of our predefined list: where does that go? If we need to bring in external resources to help us support this ongoing recovery effort, who makes those decisions? Some of those procurement decisions become a major sticking point at the time of a crisis, and you just don't have the extra time for it, unfortunately. And I think from there, it's the practicing. That preparedness piece becomes a really, really important part of effective crisis management.

John: Okay. This is my "what happens if everybody freaks out" question. What's the role of psychological safety and communication during a cyber or operational crisis?

Courtney: That's a great question. People will freak out. I think by having a clear plan, it makes it much easier to communicate with the team, build trust, and reassure people that we have this under control and we're moving in the right direction.
And I think that really helps to manage those individuals who don't handle these types of high-pressure, high-adrenaline situations well. They want to know. They want to feel comfortable that we're going to be able to solve for this, that we've got a plan in place, and that we're all moving in the right direction. And that goes for external stakeholders as well. Right? They want that same reassurance and that same trust. So having communication plans ready, understanding what kind of information they need to feel reassured, is really, really important. And then I think just keeping those lines of communication open so that people feel comfortable asking questions also really helps to support people in those high-stress situations. Again, the tabletop exercises are helpful, because if you find someone that really struggles in a situation like this, they don't handle this kind of situation well, then it's probably not someone you need as one of your key critical responders. Right? Let's put them in a role where they're supporting efforts. They're providing additional services internally, but maybe we're not putting high-stress decisions on them if it's not totally necessary.

John: Find those weak links. Right?

Courtney: Right. And sometimes it's your senior leadership. You may even have somebody on your senior leadership team who doesn't handle this kind of crisis response well. Better to know now than have them get out in front of somebody on a major news channel and having to speak for the company.

John: Oh, yeah. So that leads perfectly into my next question. What are some common cultural roadblocks to building resilience, and how can they be addressed?

Courtney: I think breaking down silos is probably one of the biggest ones. You know, bringing business teams into the cybersecurity space, or bringing the cyber and IT teams out into the business, is oftentimes a cultural barrier within an organization, and I think can create some challenges.
But the more you break those down ahead of time and shift that mindset that we're here to support each other in these efforts, the more it can really help to shift those behavior changes or cultural barriers within the organization. I also think it's important to remind people that everyone is part of the solution. So, you know, as a team, we're in this together. That means running the business day to day, but that also means managing a crisis in the event that something happens. So really making sure everybody feels like they're part of the solution and that they're important and we need them there, I think, is another great way to shift that mindset.

John: Okay. You've been at this a long time.

Courtney: Long time.

John: Could you share a story where an organization transformed its crisis strategy before disaster struck?

Courtney: Yeah. I was very fortunate. I actually worked with a manufacturer. I was with another security company at the time, and we were doing some risk management analysis, or kind of risk assessments, within the organization. And we learned that their critical business operations had to do with sensitive IP. They happen to manufacture a very sensitive product in the defense sector, and a lot of countries purchase this product as part of their defense strategy. And that IP was mission critical for them, but what we found during that risk assessment process was that it wasn't well secured. You know, they had kind of legacy systems, legacy hardware. They had a very small, flat team within the organization, so lots of people wore lots of hats. And what we found was that if something were to happen, somebody were to get in and access that IP or cause disruptions within their system, some kind of a cyber attack, they weren't prepared for it. Not only did they not realize that they were so exposed, but at the same time, one person wore all of the crisis response hats for the entire organization at that moment.

John: Oh, man.

Courtney: Yeah.
Because they didn't have a plan. So we were so fortunate we caught it ahead of time. We were able to identify additional external resources they could call in in the event of an incident. So they were able to pre-identify who their support staff would be. We were able to run through some playbooks at a high level that really just focused on these critical business processes and this IP information, and then we were able to clearly identify the external stakeholders they would have to contact in the event of an incident. So we really put together a playbook, a phone tree, and a resource support setup for them. That way, in the event something happened, it was far more orchestrated than it would have been otherwise, where one person would have just been making all of these decisions on the fly. So fingers crossed. I don't think they've ever had to use it, but I know they felt a lot better about the situation.

John: High stakes for some organizations. I mean, life and death sometimes.

Courtney: Absolutely. Yeah. And they told us, they said if that information got out, it could be business-ending or detrimental to a defense sector. So it was important.

John: Well, speaking of which, how do industry-specific pressures, like healthcare, energy, finance, affect crisis preparedness?

Courtney: I think that the industry-specific setup is really what drives how these organizations respond and recover. It also drives a tremendous amount of pressure around not only managing the regulatory requirements and compliance requirements, but also the consumer or stakeholder requirements as well. So those crisis management plans should really be focused with that industry end goal in mind. Right? So if it's healthcare, health and human safety and patient care is our North Star in that case. Right?
And so everything we do should be driven toward that being our goal, making sure people are taken care of, our patients are taken care of, and we’re running in that regard. There’s also a lot of regulatory requirements around that too. So for healthcare organizations, especially, they’re balancing helping their patients and managing regulatory requirements at the same time as maintaining hospital operations and making sure that they’re staying afloat financially too. And I think that goes for other industries as well. I think airlines are another one that face tremendous pressure from consumers. We don’t like it when we get stuck at an airport. Regulators don’t like it when I get stuck at an airport either. Right. So, you know, it’s one of those industries where they’re just kind of getting it from all sides all the time. The more orchestrated they are, the clearer they communicate. Obviously, the quicker they can rebound and reduce that kind of impact to reputation and brand.

Okay. So if an organization wanted to start tomorrow, what’s the first step they should take toward a more resilient crisis strategy?

I think the first step is kind of to assess current state. Right? So where are we today, as far as what do we have in place? Do we have anything in place? And then once I kind of have an idea of where I’m at, current state-wide, I’d wanna shift forward and decide what does good look like to me. Maybe good isn’t where I wanna be in ten or twenty years, but what does good look like now to me? Mhmm. And then we can kind of develop a road map to get there. So if current state tells me that I don’t have any playbooks in place, or the playbooks I have are very outdated, or I don’t have any roles and responsibilities defined, then that would be where I would kinda start and build the road map from there. So I think it’s important to be super honest with myself or the organization as to where we are today.
And then outside of that current state assessment, really work with business leaders internally to understand what matters to us. What’s critical? What does that prioritization look like? Because my road map doesn’t really matter unless it aligns with those business priorities. So once I understand current state and I’m super honest about that, let’s decide what good looks like, and let’s decide what priorities we wanna focus on. And then really let those be our guide to fill in the missing pieces.

Makes sense. So that’s all my questions. Let’s get to some questions from attendees. Remember, guys, you can type your questions into the Q and A box at any time. We’ll do our very best to get to all of them. This first one is from Al, who’s wondering: we got a standard incident response plan from a consultant. Why should we change that plan?

Well, yeah. You don’t necessarily have to change the plan. What I would do is really continue to review that plan and iterate on it to make sure that it continues to align with our actual business operations. You know, a lot of those playbooks are, I don’t wanna say rinse and repeat, but often reused from organization to organization because it’s the eighty-twenty rule, right, in what we do. Eighty percent of that playbook is probably really applicable to your business. There’s probably twenty percent of it, nuance, that’s really important that we iterate on and update so that it really aligns with our internal business processes. So what I would say is don’t throw it away. Use it as a framework or a guide rail or guardrail, to make sure that, you know, you can update that and change it so that it aligns better with the way you operate.

Okay. This one’s from Perry, who says, Courtney, we run response plan audits with our IT and cybersecurity teams. How can we get stakeholders from outside those teams to be more involved?
I would say the biggest thing is there’s kind of a language barrier between what we do on the IT and cybersecurity side and the business. So if we’re looking at an incident response plan or a crisis management plan that’s really focused on IT or cyber, we wanna make sure that we explain to the business how this impacts the business operation. So I don’t wanna say that if this system goes down because of a cyber attacker, this is what, you know, we need to do to respond and recover. I wanna go to the business unit and say, if your critical application goes down, your business operations will be disrupted in this way, and this is why it matters. And why, you know, they’ll immediately care. You don’t have to explain that part. So I think, to get those teams involved, I think we have to help them understand how this impacts them, and then they can decide, you know, why they care, what they need to do to help support you in that way, and what they need from you in terms of a response and recovery. And I think sometimes they don’t understand why the system recovery, you know, matters to the business, and vice versa.

Okay. This one’s from Sunny, and it’s kind of in the same vein. Where do you see organizations struggle during a crisis?

I think it’s that clear delineation of roles and responsibilities. Mhmm. You know, you walk in and you say, okay. Who’s doing what? Or what do we need to do next? And it’s like, oh, wait. Well, I’m not really sure. We’re just gonna give everything to this person, and they’re gonna make all the decisions. And it’s like, no. This could be much easier. Right? Yeah. So I think that’s one of the easiest places to start: pick a decision and then assign a human to it. And that really helps things move along much quicker.

Pick a decision and assign a human to it. That’s great. Mhmm. Okay. Don’t need to overcomplicate it.
This one’s from Ali, who’s wondering: what’s the difference between an incident and a crisis, and why does it matter?

Well, I guess I didn’t even change the slide. We’ve had it up here the whole time. But an incident is really something that is a disruption to business operations or business assets, but it doesn’t necessarily threaten the business or the organization as a whole. So it’s not necessarily going to have a significant brand or reputational impact. Hopefully, it isn’t going to, you know, impact too many external stakeholders. Incidents can be small in nature. They can be large in nature. It really depends. We have different severity levels. But oftentimes, they’re managed, resolved, and contained on the IT/cyber side. When you move into a crisis, this is something that’s really starting to expand outside of just that kind of IT/cyber containment space. It could threaten business operations in a way that could impact external brand and reputation. It could impact external stakeholders. If we don’t solve it quickly enough, it could actually be organization ending. So, you know, widespread cyberattacks that shut down the entire organization or entire systems, cyberattacks that start to spread out to our third party stakeholders where we’re actually impacting other businesses. Those are when you really get into kind of that crisis space. Or with the SEC regulations, it could be something that has a material impact. So, Mhmm, it really depends on the industry. But it’s important to delineate between an event and an incident and a crisis because, again, you don’t wanna over-respond or under-respond. If you throw a full blown crisis management team at an incident, an everyday incident that could be managed by your IR team, you’re over-responding, and you’re overcomplicating something that probably doesn’t need that many resources on it.
Vice versa, if you have a full blown crisis and you don’t have the right resources and business leaders in there to make smart business decisions, you’re under-responding to the crisis, and you could be delaying that crisis management, that crisis response process. So it is important to have business triggers or event thresholds where you escalate something up or down between these definitions.

Makes sense. Okay. Looks like we’ve got one more. Okay. And, Courtney, what are ways organizations can change the way they approach crisis management?

Outside of the preparedness piece, I think it’s really just understanding what matters to the business and letting that be your guide. I think that’s probably one of the biggest steps we see. And we’ve talked about that a few times today, but what we see overlooked quite a bit is that prioritization piece. If you’ve got some of those just basic, fundamental pieces of information together, it could really change the way that you manage a crisis. So even if you’re a small organization, just knowing what matters to you and letting that be your guide as to how you recover or respond at least gives you those guardrails that you need.

Okay. I guess I have one more question for you. If you had to summarize, you know, your message here today for this Tech Talk in a few words, what would you say to attendees?

I would say that crisis management is really only as good as your preparedness strategy. So, you know, making sure that you’ve got that supporting documentation in place, making sure you have the right people in place. All of that’s gonna be mission critical when the crisis actually happens, because then that way, your response and recovery program just kicks in that much quicker.
And what we know from statistics, and what we see in the current space today in crisis management, is the faster you respond and recover, the less financial impact the business faces, and the less impact your external stakeholders face as well. So it is. I think you and I were talking offline, but every minute matters, and you don’t have time to waste. You know, it really does, and so it’s really important. So it’s not just how you respond technically, but it’s really how you stay in the game while you’re responding, and that’s really what matters to businesses. And I would just say that having that information prepared and ready to go will really change the way you respond and recover.

Okay, folks. That’s all the time we have for this Tech Talk. I wanna thank Courtney Guss for the fascinating conversation, actually, one that kinda makes me a little nervous. And many thanks to the folks at Semperis for making this conversation possible. Great talking to you, Courtney, and thanks everyone for joining us. Have a great day.

Thanks, John. Appreciate it.
