This article was published in Cyber Security: A Peer-Reviewed Journal Vol. 8, 2 160–168 (2024)
Abstract
This paper examines whether specific leadership competencies are relevant in a cyber crisis and what it takes to manage one effectively. Our increasing dependence on technology exposes us to risks and makes us more vulnerable to digital crises. Cyberattacks are more common and can affect even well-prepared companies. Leadership during a crisis can influence an organisation’s success or failure, no matter how primed and savvy its people are. The author compares crisis management to crisis leadership and emphasises the shift in crisis management responsibility from an operational response to prevention and the ability to steer through uncertainty. This change requires crisis-specific leadership skills and a broader recognition of organisational risk. The author highlights research by Wooten and James, which notes leadership competencies applicable to different phases of a crisis. Not all leaders can demonstrate all these attributes in every crisis and are often ill-prepared when a crisis hits; however, leaders can learn, develop and practise the competencies needed to survive and triumph over a crisis. Tools that can help develop these skills include stakeholder mapping and a protocol that evaluates and trains leaders in hard (knowledge-based) and soft (behaviour-based) skills. The author refers to the Salviotti et al (2023) study, which analysed the Norsk Hydro ransomware case, noting that leadership competencies identified in traditional crisis management also apply in a cyber crisis. Given the certainty of a cyber threat, the author recommends a stronger emphasis on developing crisis leadership competencies. Training should complement other activities and programmes to prepare employees to handle crises adeptly.
INTRODUCTION
Being prepared for a cyber crisis has become even more pressing. Our increasing dependence on technology exposes us to risks and makes us more vulnerable to such crises. Digital technologies have transformed the way we live, work and play, disrupting how we connect, learn, govern, shop, deliver healthcare and generally experience life. Supply chains, technology, and travel are interlinked with the global economy and society. Inflation, financial insecurity, climate change and ongoing advances in technology are bringing about threats such as artificial intelligence (AI)-enabled disinformation, ransomware, malware, and data leaks, making us even more susceptible to crisis.
NAVIGATING THE RISING TIDE OF CYBER THREATS
Tech-driven risks are among the most severe risks we can expect to face over the decade, according to the World Economic Forum’s (WEF) latest Global Risks Report. Misinformation and disinformation, and cyber insecurity are among the top ten risks in both the short and long term, with the adverse outcomes of AI technologies rapidly rising to be a severe risk concern over the next decade. Advances in technology mean that the volume, reach and efficacy of falsified information have increased and become more difficult to track, attribute and control. New technologies and capabilities will expand and open new markets for criminal networks, with cybercrime offering an increasingly low-risk and low-cost revenue stream for organised crime.
Cybercrime and cyber insecurity are growing concerns among business leaders in developing regions, ranking among the top ten risks in the short term in markets already struggling with high levels of criminality. The rise of technology-enabled illicit activities in these new markets and geographies exposes businesses to cybersecurity risks, reputational threats and regulatory scrutiny relating to financial flows and supply chains, potentially affecting the long-term viability and success of legitimate markets.
As information technology becomes more integrated into operational technology, cyberattacks are getting more sophisticated, exposing businesses, governments and individuals to greater risks that can have untold consequences. In its latest ENISA Threat Landscape (ETL) report, the European Union Agency for Cybersecurity (ENISA) identifies the main cybersecurity threats as ransomware, malware, social engineering (a broad range of activities that seek to exploit human error or behaviour with the aim of gaining access to information or services, e.g. impersonation, extortion), threats against data, threats against availability/denial of service (DoS), threats against availability/Internet threats, information manipulation and interference, and supply chain attacks. ENISA reports that hacktivism has expanded since the Russia-Ukraine war, highlighting the growing impact of geopolitics on cybersecurity. It also notes the emergence of new groups and the surge of ransomware incidents seen in the first half of 2023, which show no signs of slowing down.
Cyberattacks are not always motivated by financial gains. Political, social or ideological causes can also motivate such attacks, driven by the need to publicise an organisation’s misdeeds or to promote a political agenda or social change. Organisations, websites, or systems are targeted, creating havoc, causing disruption or calling attention to a belief. Anonymous, the most well-known hacktivist group, shut down government websites using distributed denial of service (DDoS) attacks in support of the Arab Spring movement in 2010. The same year, Anonymous also orchestrated DDoS attacks on payment services of suppliers, including Visa, Mastercard, Amazon and PayPal, after they stopped accepting financial donations to political whistleblower WikiLeaks. These companies suspended payments amid pressure from the US Government, which had accused WikiLeaks of declassifying and leaking confidential information. At the time, Anonymous’s actions supported WikiLeaks and its quest to provide information they believed the public had the right to know and that was otherwise being kept secret by industry and governments. Environmental hacktivists have targeted mining and oil companies, police and several Latin American regulatory agencies in an effort to expose unethical or deceitful behaviour. Hacktivism threats are expected to continue to accelerate in 2024.
FACING THE INEVITABLE REALITY OF A CYBERATTACK
Cyberattacks are increasingly common and can affect even well-prepared companies. No matter how primed an organisation is and how savvy its people are, it needs strong leadership during a crisis if it’s going to make it somewhat safely to the other side. A leader who can manage a crisis effectively has the skills to navigate uncertainty, take decisive actions under pressure, and communicate with empathy. In today’s climate, it takes more to manage and face a crisis than solely responding with a game plan when it happens.
While preparing emergency backups, delegating cross-functional crisis management teams, conducting simulation training exercises, establishing communication protocols and other response steps remain essential, it is also necessary to act to prevent or minimise the fallout from a crisis. Many crises are not wholly unexpected, and increasingly, corporate leadership is taking a more proactive role in crisis planning and issue management as part of a crisis prevention effort. The latest annual crisis report by the Institute for Crisis Management (ICM) said that in 2022, 57 per cent of crises tracked were smouldering (defined by ICM as events that start as minor internal problems within a company, become public at some point, and, over time, escalate due to inattention by management). The upshot is that if risk and issue management are performed diligently and professionally, 57 per cent of crises can be detected and mitigated before they get out of control.
CRISIS MANAGEMENT VERSUS CRISIS LEADERSHIP
Crisis management involves preparing to face any crisis and minimise impact, including defending the organisation’s reputation. It also involves learning from past events to help anticipate and increase resilience to similar future situations. It is designed to help a company or team gear up for a crisis by anticipating risks, exploring possible scenarios and response plans, and developing likely questions (especially thornier ones) and answers.
Being ready to react requires quick attention and action, possibly using up or diverting resources away from other important tasks in an organisation. Yet inherent to crises is a great deal of uncertainty that can prevail and cannot be controlled but can be navigated. Here lies the need for crisis leadership at the most senior level of organisations and this must occur before, during and after a crisis.
Issue and crisis management expert Tony Jaques notes that middle managers and technicians have been typically responsible for crisis management. As a result, their skill sets were geared to the operational response rather than taking steps to prevent a crisis from happening in the first place. An update to this approach saw responsibility shift to executives, bringing a need for new leadership skills and a broader recognition of organisational risk. Known as crisis proofing, it focuses on the role of executives and the practical steps they can take to identify and manage threats before a crisis occurs. Their functions also include managing the period after the crisis and protecting their company’s reputation at a time when its risk exposure is at its highest. In this way, crisis management is a more strategic activity that focuses on identifying and managing threats before they happen and taking steps to prevent them.
THE DOs AND DON'Ts OF HOW TO REACT TO A CYBER CRISIS
James and Wooten note that firms which thrive after a crisis show leadership throughout the process, compared to those that don’t. They argue that a poorly handled crisis poses a more significant threat to an organisation than the crisis itself. Cyber crises belong to the ‘third party hostile action’ category of crises, which includes hijackings, hostage taking, extortion, product tampering and sabotage. All of these carry an even greater degree of uncertainty, since the situation is perpetrated by third party (internal or external) actors and its resolution depends entirely on a ‘successful’ outcome with them. Furthermore, these crises typically involve the authorities and often specialist negotiators, implying even less control, making crisis leadership imperative for navigating a situation where the stakes are high in a context of heightened uncertainty.
One of the most cited cases of effective handling of a cyber crisis is Norsk Hydro, a leading aluminium and renewable energy company. On 19th March, 2019, a ransomware attack affected its global operations, deactivating 22,000 computers across 170 sites in 40 countries. It resulted in the shutdown of the corporate network and disrupted the automated control system of the manufacturing plant. Norsk Hydro chose to be transparent about what was happening during and after the widespread attack that paralysed production plants and some of its communication services. The company's communication strategy, guided by open and regular communication, was vital to its effective crisis management. This strategy included posting a public crisis communication page on its website the day after the attack and regularly updating it, demonstrating the power of transparency in crisis communication.
Contrast this response with the one from Optus, Australia’s second-largest telecommunications operator, when it was subject to a cyberattack between 17th-20th September, 2022, potentially compromising the personal information of millions. Optus ran a carefully written and legally vetted full-page newspaper apology on the chief executive officer's (CEO) behalf. The apology was published days after the cyber security breach and was reported as suggesting ‘desperation and a lack of imagination rather than sincerity’. It was compared unfavourably with corporate apologies made by other top executives who spoke personally on camera in the heat of a crisis, which won universal praise. Jaques points out that while a CEO doesn’t have to be a strong communicator, they should be a leader. “Effective crisis management is about leadership, and a paid apology advertisement is no substitute.”
LEADERSHIP COMPETENCIES IN CRISIS MANAGEMENT
What skills does it take to be a good crisis leader in a cyber crisis? With the increase in the spread and severity of cybercrimes globally, it’s useful to understand what crisis leadership skills are more effective in helping organisations navigate and lessen the negative impact of a cyber crisis.
Organisational culture and human factors are often among the most influential elements in helping a company minimise the fallout from a crisis. The literature indicates that leadership, coordinated teams and motivated employees contribute significantly to averting and controlling a crisis. The association between leadership and crisis is widely covered in crisis management literature. Leaders play a vital role during a crisis, including maintaining effective communication, building, enhancing productivity or protecting brand value. They need to create and sustain the organisation’s credibility and trust among all crisis stakeholders, maintain business continuity, and protect and sustain the organisation’s reputation, brand and value in the marketplace.
Certain leadership qualities have an impact on the effectiveness of crisis management efforts, namely strategic thinking, communication, empowerment, trust and integrity. Other research notes that in a crisis, leadership is collective and dynamic, requiring discerning skills to determine appropriate courses of action. In such a scenario, crisis leadership competencies can be expected to include decision-making, communication, creating organisational capabilities, sustaining an effective organisational culture, managing multiple constituencies, and developing human capital.
Learnings from past cyberattacks can help companies prepare and respond more effectively to potential threats. A study based on data from VisibleRisk (a joint venture between Moody’s and Team8) suggests that organisations which react poorly to an attack (e.g. slow to respond, bungling the investigation, covering up information, repeatedly changing their story) accumulate losses that are 2.8 times higher than those of firms that did not display signs of a poor response. In contrast, companies that quickly take responsibility for a cyberattack and act accordingly can limit the fallout on stakeholder trust and in some instances even turn the crisis into an opportunity. This was evident with Norsk Hydro, where its actions and credible communications helped to reassure stakeholders, allowing it to emerge stronger from the crisis. Norsk Hydro stands out for commendable stakeholder outreach, its considerable efforts to manage stakeholder engagement throughout the crisis and its commitment to be transparent from the start.
Organisations can adopt advanced stakeholder mapping to manage engagement during a cyber crisis and communicate transparently and honestly with all stakeholders. This allows organisations and their leadership to have an overview of the environment in which they are operating and identify stakeholders affected by the unfolding situation so they can engage with them as appropriate and yield results. Perceptions of the situation will vary between stakeholders, as will their information needs and expectations from the organisation in crisis. Failure to promptly disclose and communicate the effect of an incident to stakeholders can result in a communication void, which undermines stakeholder confidence and ultimately causes a reputation meltdown.
Research by Hepfer et al (2022) found that a company’s ability to effectively handle a cyberattack depends on leadership across the organisation, acquiring practical crisis experience beforehand, and on consistent communication practices. To understand what it takes to build a company’s cyber resilience, Hepfer et al conducted in-depth interviews with C-suite executives whose companies had previously endured serious cyberattacks. They also collected observational data from prime cybersecurity training centres that help executives prepare for crises through simulation exercises. Leaders who guide their companies through cyberattacks recognise that a successful response is a collective responsibility and organisational leadership, and not only the function of the IT or communications teams.
LEADERSHIP COMPETENCIES FOR EACH CRISIS PHASE
In an analysis of business crisis data over seven years (2000-06), Wooten and James identified different leadership competencies needed to manage the five phases of a business crisis generally accepted by crisis management researchers. These qualities were determinants of organisational success in a crisis. ‘Sense making’ and ‘perspective taking’ were identified as essential leadership competencies at the signal detection stage, where leaders would need to anticipate the possibility of a crisis.
The prevention and preparation stage is where leaders should seek to avert crises and prepare if the crisis occurs. The competencies that apply here are the ability to be persuasive and influential in setting or changing the strategic direction (issue selling), highlighting behaviours used by middle management and employees to direct senior management’s attention to important issues that might otherwise not be in the spotlight. Additionally, organisational agility and creativity (in terms of new or useful ideas, products, services, processes, or procedures) are key in the prevention and preparation phase.
During the containment phase, the core leadership competencies are decision making under pressure, communicating effectively and risk-taking, which are required to prevent the crisis from expanding to other parts of the organisation or beyond. At the business recovery stage, promoting organisational resilience and acting with integrity were vital, as leaders must implement short- and long-term plans to resume operations. A leader’s ability to adopt a learning orientation and use their experience or the experiences of others to develop new routines and behaviours that change the way the organisation operates is crucial in the learning and reflection phase of the crisis (see Table 1).
Table 1: Leadership competencies for each crisis phase (Wooten and James)

| Crisis phase | Competencies |
| --- | --- |
| Signal detection | Sense making, perspective taking |
| Preparation/prevention | Issue selling, creativity, organisational agility |
| Containment/damage control | Effective communication, making decisions, taking risks |
| Business recovery | Acting with integrity, promoting organisational resilience |
| Learning and reflection | Adopting a learning orientation |
TRAINING COMPETENCIES TO HELP SURVIVE AND TRIUMPH IN A CRISIS
Crisis leadership can make or break an organisation. Strong crisis leaders recognise that actions speak louder than words, but they also understand the critical role of communication with stakeholders. They need to know what is happening and what actions will follow. Without clarity, there is a risk of misinformation, which can spread quickly and undermine stakeholder confidence.
Effective crisis leadership requires active listening, empathy, a clear purpose and direction, taking responsibility, making tough decisions under pressure, lateral thinking, and fearlessly facing the toughest challenges. The main objective is not only to survive the crisis but also to try to emerge stronger on the other side. Leaders build credibility and trust through consistent behaviour and honest communication. Crises are exceptional situations calling for special skills; years of savvy business experience and expertise do not, by default, generate effective crisis leaders. Recognising this is the starting point. It takes crisis leadership skills to steer an organisation through a crisis. Not all leaders will naturally be able to demonstrate all these attributes in every crisis. Leaders are often ill-prepared for the pressures of a crisis, which can have an impact on their ability to make critical decisions. Yet even the most experienced leaders can learn, develop and practise the competencies needed to survive and triumph over a crisis. The willingness to learn helps to make for a strong crisis leader.
Organisations have traditionally conducted crisis training and exercise programmes, which crisis management team members are obligated to attend regularly. These programmes cover processes, best practice principles and scenario-based practices. They are designed to help prepare employees to handle a crisis situation adeptly, but they rarely address the central aspect of crisis leadership competencies. It is necessary, however, to define and emphasise the core crisis leadership skills in order to enhance crisis management abilities in a more tangible way.
In 2002, based on years of research observing teams during crisis exercises and real-life events, CS&A International began to develop a crisis management competency framework. By 2008, it had evolved into the Crisis Leadership Competency Protocol, a model for assessing and enhancing crisis leadership skills. Based on defined crisis leadership competencies, it focuses on evaluating and training leaders against both hard (knowledge-based) and soft (behaviour-based) skills. Examples of knowledge-based crisis leadership competencies include communication skills, stakeholder mapping, and risk and issues framing. Examples of soft or behaviour-based competencies include sense making, empathy, assertiveness, active listening and thinking out of the box. CrisisApt™ has been applied across client organisations, which have demonstrated notable improvement in their ability to lead under extremely testing circumstances and high levels of stress.
THE RELEVANCE OF TRADITIONAL LEADERSHIP COMPETENCIES IN A CYBER CRISIS
Given the rise in cyber-related organisational crises, do traditional leadership competencies, such as those identified by Wooten and James, that are considered effective in a typical crisis, also apply to a cyber crisis? A study by Salviotti, Abbatemarco, De Rossi, and Bjoernland (2023) analysed the Norsk Hydro case to examine whether these competencies hold up in a cyber crisis. The study showed that leadership competencies identified in traditional crisis management are just as, if not more, relevant in a cyber crisis as they are in any other crisis situation. Leaders need to foresee cyber risks and be cyber informed and aware. The study also indicated that issue selling is a crucial competence at the preparation and prevention stage, as it ensures awareness of cyber risks at the employee level, which is necessary to establish a common focus and create engagement around the topic. Notably, this was one area where there was poor communication between senior management, mid-level managers, and other employees at Norsk Hydro, which contributed to poor cyber awareness at all levels.
Above all, this emphasises the crucial need for cross-level collaboration and transparency to enhance an organisation’s cybersecurity position. Creativity and organisational agility proved to be vital leadership competencies beyond the preparation and prevention crisis phase. Norsk Hydro’s ability to adapt and work out how best to continue operating without access to its standard systems demonstrated creativity. Likewise, Norsk Hydro’s organisational agility served it well, especially with its positive organisational culture, strengthening the company’s efforts to overcome the crisis.
During the containment phase, communication and the ability to make decisions under pressure were among the most critical competencies necessary to handle the crisis properly. Norsk Hydro demonstrated that open and transparent communication, both internally and externally, was essential in maintaining high trust levels with employees, partners, providers and customers. The study emphasises that acting with integrity is a key competency at the business recovery stage, suggesting that transparency and openness can have a broader impact if practised from the start of the crisis.
Finally, the study notes that while the Wooten and James leadership competencies model specifies learning orientation at the post-crisis learning and reflection phase, it does not prescribe implementing learnings from the crisis. Salviotti et al emphasise that better cybersecurity awareness and organisational implementation can help build a cyber-resilient security culture that acts proactively rather than reactively.
CONCLUSION
Few of us are natural crisis leaders with the specific skills needed to lead in a crisis, cyber or otherwise. Effective crisis leadership is more than winning, losing, or finding the perfect solution in acute and volatile situations. It is about recognising that while it is seldom possible to control the events, crisis leaders can control how they and their organisations behave and respond. Given the scale and scope of cybersecurity risks, crisis leadership competencies are even more pertinent in ‘managing’ a cyber crisis. Firms such as CS&A International specialise in building crisis resilience and have the expertise to help leaders sharpen their crisis leadership competencies via assessments, training, customised software solutions and workshops. Proprietary tools such as the Crisis Management Competency Protocol provide a framework to evaluate and train leaders in hard and soft skills, which helps to strengthen their ability to respond and lead in a crisis effectively.
Cyberattacks have become more frequent and destructive and are a reality that all businesses must be prepared to face. A crisis plan is essential in preparation for any unforeseen event. The inevitability and uncertainty of a cyber threat take this preparation to a whole new level. Leaders must develop and refine their crisis leadership competencies to sustain stakeholder trust, navigate challenges, inspire their teams and prevent crises from turning into complete reputational meltdowns. It is time for businesses to become more intentional in developing the critical skills that will strengthen organisational resilience.
Caroline Sapriel is the Founder and Managing Partner of CS&A International, a specialist risk, crisis and business continuity management company. Focusing on helping multinational organisations build crisis resilience, she works with multinational clients across industry sectors globally. With 30 years’ experience in risk and crisis management, Caroline is recognised as a leader in her profession and acknowledged for her ability to provide customised, results-driven counsel and training at the highest level. She is an accomplished trainer, facilitator and coach in risk issues and crisis management, as well as in communication skills. A Fellow of the International Association of Business Communicators, Caroline is a regular speaker on risk and crisis management at international conferences. She has published articles and co-authored two books on crisis management as well as contributed the chapter on crisis communication to the IABC Handbook of Organizational Communication. She lectures on crisis management at the University of Antwerp and the University of Leuven in Belgium as well as the University of Leiden in the Netherlands. Caroline is fluent in French, English, Spanish, Hebrew and Mandarin. She holds a BA degree in Chinese Studies and a BSc degree in International Relations from the Hebrew University of Jerusalem.