Preparing for the Worst: Essential IT Crisis Preparation Steps
Bad things can happen to any organization at any time. Comprehensive crisis preparation will speed the recovery and keep operations flowing smoothly.
Are you feeling lucky? If your IT organization hasn’t yet prepared itself for a crisis, that’s about the only thing you can hope for.
Alan Brill, senior managing director in the cyber risk practice at risk consulting firm Kroll, believes that the biggest crisis issue facing IT leaders is assuming that bad things will never happen to their organizations. “There has to be an understanding ... that things can change very rapidly,” he says. Today’s enterprises are highly interconnected. “You rely on supply chain partners, outsourced providers of ... services, and software that can suddenly become a huge security risk,” Brill warns.
Brill reiterates that the biggest risk in crisis preparation is failing to believe that your organization can ultimately become a victim. “Without that acceptance, that you really are a target, planning becomes a nuisance instead of a key element of how your organization operates.”
A Holistic Approach
While technology plays an important role in crisis response, it’s only one part of a comprehensive strategy, says Sean O’Brien, cybersecurity lecturer and Yale Law School Fellow. “Effective crisis preparation requires a holistic approach that takes into account the needs of all stakeholders, including employees, customers, and the broader community,” he states.
Doug Glair, director of cybersecurity at technology research and advisory firm ISG, says he still sees enterprises that lack any type of comprehensive crisis management structure. Meanwhile, other organizations have a plan, yet may only practice it once every few years, despite the fact that circumstances can change rapidly. “Technologies change, people change, business processes change, and an old plan can be as dangerous -- if not worse -- than no plan at all,” he warns.
First Steps
Crisis preparation begins with planning -- outlining the steps that must be taken in the event of a crisis, as well as procedures for data backup and recovery, network security, communication with stakeholders, and employee safety, says O’Brien, who founded the Yale Law School Privacy Lab. “Every organization should conduct regular drills and simulations to test the effectiveness of their plan,” he adds.
Every enterprise should appoint an overall crisis management coordinator, an individual responsible for ensuring that there’s a coordinated, updated, and rehearsed crisis management plan, Glair advises. He also recommends creating a crisis management chain of authority that’s ready to jump into action as soon as a crisis event occurs. The crisis management coordinator may report directly to any of several enterprise departments, including risk management, legal, operations, or even the CIO or CFO. “The reporting location is not as important as the authority the coordinator is granted to prepare and manage the crisis management strategy,” he says.
Glair also suggests that each enterprise technology unit, such as operations, project management, and systems infrastructure, have its own crisis management coordinator who will liaise with the chief coordinator. These individuals would be responsible for ensuring their departments have their own defined and regularly tested plans.
Regardless of who’s in charge, O’Brien believes there should be unique plans designed for covering various types of potential crises. “A volcanic eruption or a hurricane will certainly require a different response than a cyberattack,” he explains. “Organizations can’t plan for every scenario, but plans should be tailored to specific crisis scenarios as much as possible, and should outline the steps that need to be taken to address the situation.”
When creating specific crisis response plans, O’Brien suggests using tools, such as surveys and focus groups, to develop relevant actionable strategies. “In addition to the cross-functional team, other stakeholders who should be involved in crisis planning include customers, suppliers, and regulators,” he says. “Engaging with these groups early on can help ensure that everyone is on the same page and that the organization is well-positioned to respond to any crisis.”
Ensuring Vigilance
Every crisis plan requires continuous maintenance. A neglected plan, one that falls out of date by failing to address new and evolving threats -- as well as changes within the organization itself -- is ultimately worthless. Brill recalls a time when he was handed a very professional-looking crisis plan. Everything looked great until, after closer examination, he discovered that more than half of the people listed on the plan’s crisis committee were no longer with the company. “In many cases, their replacements didn’t know they were on the committee or what to do if a crisis arose,” he says.
Last Thought
Crisis management is complex and can be scary for people in the moment, Glair observes. “Depending on the crisis, an organization may be asking people to support the business when loved ones are also in danger, so understanding the human impact of the crisis is critical,” he explains. When team members must deal with a crisis for an extended length of time, they will be tired and prone to making mistakes. “It’s important to build in resiliency in the plans and coverage to allow for this,” Glair advises.