• Jeffrey Crump

Cyber Crisis Leadership: Decision-Making



Punching Above Your Weight Class

In the boxing world, punching above your weight class refers to fighting an opponent larger than yourself. Much like in a boxing ring, going toe-to-toe against unknown, unpredictable and ever-changing conditions common during a cyber crisis requires making good decisions quickly. Slow decisions, often as a result of analysis paralysis, can increase damage to the organization and result in a crushing right hook to your professional reputation.


Pre-Fight Routine

Former unified light-welterweight world champion, Amir Iqbal Khan, said “I typically give myself 12 weeks for a pre-fight training camp,” “it’s only by doing a lot of drills that your form comes naturally. So, I will do explosive reaction sessions to prepare.”


A Cyber Crisis Management Plan (CCMP) is foundational for technology and business/functional crisis leaders to effectively prepare for the inevitable major cyber incident. The CCMP is the basis for the cyber crisis response team’s mental muscle memory response to a crisis and for it to come naturally requires use as part of regular cyber crisis training.


The goals of a cyber crisis response are protecting personal safety, minimizing damage impact, and facilitating the expeditious return to business-as-usual. However, an effective cyber crisis leader must break these larger goals down into smaller, more immediate tactical goals.


Regular tabletop and full immersion exercises help cyber crisis leaders practice developing these SMART goals. Smart goals should be specific, measurable, achievable, results-focused, and time-bound. When a crisis leader makes decisions based on smart goals, the decisions will not only be better, they will come easier and faster.


Jab, Cross, Left Hook

In the ring, a boxer must make split-second decisions as well as consider how these decisions play into the overall match goal, victory. Cyber crisis leaders must remain in the moment while striking a balance between quick decision making and making impulsive decisions; there’s a difference.


The cyber crisis response team, comprised of its functional incident response teams and working groups, have a responsibility to ensure decision-makers at all levels have information available to facilitate the best decision making possible. Quick strategic decisions based on knowledge are far less risky than impulsive ones tainted by cognitive biases (e.g. confirmation bias, bandwagon bias, self-serving bias, etc.)


A cyber crisis leader with situational awareness is in a much better position to land the knock-out blow but gaining this overall situational awareness requires leaders to occasionally act as an observer. As a leader, when you step back and take in a broader perspective it allows you to analyze the overall response to determine if it’s in synch with your strategic goals. By maintaining this perspective you’ll make more logical decisions.


Post-Fight Ringside Analysis

Research confirmed that expert athletes develop specific cognitive skills to solve complex sports problem situations so it is expected cyber crisis leaders can do the same to meet the unique challenges of a major cyber incident. According to Ripoll et al, these skills are developed using a common methodology of combining: “(i) a high level of event complexity replicating the natural task demand, (ii) a high level of response complexity, by using multiple types of stimulus response associations, and (iii) a high level of stress, by limiting allowed response time or by using a continuous flow of information.”


Summary

Cyber Crisis Response, a service of Cyber Security Training and Consulting LLC is poised as a thought leader in the field of cyber crisis management. Our book, Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience provides a prescriptive, step-by-step approach to developing a CCMP. Our research-backed innovative and unique services are designed to help organizations and its leaders prepare for a major cyber incident.


1. Hubert Ripoll, Yves Kerlirzin, Jean-François Stein, Bruno Reine. Analysis of information processing, decision making, and visual strategies in complex problem solving sport situations. Human Movement Science, Elsevier, 1995, 14 (3), pp.325-349. ff10.1016/0167-9457(95)00019-Off. ffhal-01816088f

Free download of our images for your use.

Please use the following image credit.

Source: Crump, Jeffrey. "Image title." Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience. 2019.