CISO Interview: Covid-19 has changed our approach to crisis management

The Covid-19 outbreak and its immediate consequences have forced a new normal upon everyday life in a very short period of time. Meanwhile, CISOs across the globe have had to initiate emergency plans in real time. and the constant state of high alert has given organisations a steep learning curve.

“We have become much more aware of how to keep the wheels turning under all possible circumstances, which we had never even dreamed of,” says Søren Damgaard, in our latest interview.

But what has a two-month long state of high alert meant for organisations’ approach to crisis management? And what learning points can they take away from the situation and apply in the future?

We have, once again, asked some of Denmark’s leading CISOs for reflections on crisis management, contingency planning and future priorities, in a series of interviews.

”You have a plan until the first encounter with the enemy”

Denmark, where the interviewed CISOs are based, is beginning to re-open, but the interviewees’ organisations are still in a, albeit milder, state of emergency:

”We are still in a state of emergency, but at a lower state of alert than earlier, which has changed quite a bit since the first weeks of the Danish lockdown, as far as daily meetings and the level of planning are concerned,” says Martin Kofoed, VP, Cyber Defence at JN Data.

The situation has given rise to re-thinking existing crisis management plans for all of the interviewees’ organisations, who have adjusted their approach to crisis management as a result:

”A military strategist once said: ”You have a plan until the first encounter with the enemy”. That’s a statement that is very fitting to a situation like this one. You have a crisis management plan, which outlines some principles, but you don’t know if it will work until you have tested it out in real life,” says Martin Kofoed, and continues:

”As a whole, our crisis management plans for a pandemic have become much more detailed and nuanced than they were prior to the Covid-19 outbreak, because we have now tested them in a real situation. This has allowed us to build up knowledge and experience, which can be transferred directly into practical contingency plans, giving us a detailed and tested crisis management plan”.

Changes in the philosophy of crisis management

For some companies, the Covid-19 crisis has completely altered the approach to crisis management, as a result of putting their contingency plans to the test in the unexpected scenario that is a global pandemic.

The increased awareness has, among other things, resulted in an adjustment of priorities for Nykredit, who now include a wider part of the organisation in their crisis management planning:

”Nykredit was well-prepared for a crisis at the time of the outbreak. However, it has taught us that we should not focus solely on IT-related incidents in our crisis management planning and think broader, and include ‘unlikely’ events such as pandemics and natural disasters,” says Simon Thyregod, CISO at Nykredit, and continues:

”I believe that, in the near future, our crisis management team will include staff from a broader range of business functions”.

For SImcorp, the Covid-19 crisis has tipped the scales as far as crisis management is concerned:

“We have moved away from scenario-based crisis management planning, which was already a trend in our organisation long before this crisis, in the wake of other events, such as Hurricane Sandy (2012) and Euromaidan in Kiev (2014). We had acknowledged that crisis management plans must be able to handle unforeseen situations and should not rely on specific, predictable scenarios and action plans,” says Karsten B. Klausen, CISO at Simcorp.

Instead, Simcorp are focusing on having the right mix of experts in their crisis management team and being flexible in adding the right staff to the team, should the need to involve colleagues with different expertise areas arise. This also includes having the right structure in place, as far as role distribution and decision-making is concerned:

”Crisis management planning is about structure, coordination and communication, and having access to the right employees that are needed in that particular situation, so that you are able to handle a wide range of tasks in any type of crisis,” adds Karsten B. Klausen.

The holistic crisis management plan

FortConsult’s Regional Team Lead for Risk Management & Governance, Rune Fog Hansen, agrees that crisis management plans based on narrow scenarios are becoming obsolete:

“First and foremost, your crisis management plans need to protect your business processes in their entirety. The IT support for the processes should be a part of your crisis management, but not dominate it, as that would leave you vulnerable,” says Rune Fog Hansen and continues:

”Crisis management plans must be designed to enable processes and systems to absorb impact without breaking down. You cannot achieve this by focusing solely on protecting them from specific scenarios that your company considers likely”.

So, crisis management plans must be holistic and focus on making processes and systems more resilient, rather than trying to predict, and plan for, specific scenarios. The best way to achieve this is to consider security and crisis management as early as possible:

"As with any kind of development, it’s cheaper and more efficient to consider security and crisis management already in the design phase, rather than letting it be an afterthought – before you encounter a scenario that has not been taken into account. This way, you’ll already be a step ahead when the incident occurs,” says Rune Fog Hansen.