There is a question that is often asked in private but ever-present as the proverbial “elephant in the room” when it comes to the relationship between an organization’s information security (InfoSec) and crisis management functions: “Why is this always so difficult?”
Organizations face various daily threats, ranging from cyberattacks to natural disasters. Critical functions like information security and crisis management must effectively navigate these challenges.
However, despite their shared goal of safeguarding the organization, these teams often face friction. This article explores the potential root causes of this friction and offers strategies for fostering better collaboration.
Understanding the “Why”
Unsurprisingly, every organization, team, and person is unique, as is the way each approaches a disruption or crisis. The root causes of friction, disagreement, or unwillingness to collaborate, however, are common across organizations.
Let’s look at some of the differences and challenges that may contribute to friction in a response.
Differences in Objectives and Priorities
One of the primary sources of friction between information security and crisis management is the difference in their objectives and priorities. The Information Security team’s primary focus is to prevent cyber-related incidents. Their responsibilities include establishing and enforcing security protocols, implementing technical controls, minimizing vulnerabilities within the organization’s IT infrastructure, and monitoring the threat landscape.
In the event of an incident, the InfoSec team collaborates with other IT partners to assess the situation, contain the threat or loss of data, seek advice and support from third parties, work to remove the threat and facilitate recovery efforts, and cooperate with legal functions to meet regulatory and investigative requirements.
The crisis management function, which includes InfoSec as a member, ensures that the entire organization is prepared for, responds to, and recovers from all incidents that affect the organization. Its focus is to ensure consistency, flexibility, and alignment to create situational awareness, drive decisive decision-making, restore normal operations, and, most importantly, build trust, confidence, and partnerships among those affected or feeling the pressure of accountability.
Often, departments responsible for addressing specific issues and incidents, such as InfoSec, food safety, product recall, or individual stores or facilities, can feel conflicted about engaging a broader organizational response. They may feel obligated to solve or “fix” a situation on behalf of the organization to avoid embarrassment, distracting or bothering other teams unnecessarily, or the perception of overreacting.
Difference in Mandates
InfoSec’s primary mandate is to protect the organization’s data and IT assets. This involves ensuring information confidentiality, integrity, and availability, often through stringent controls and policies. Data breaches, unauthorized access, and other security incidents are significant threats that must be avoided at all costs.
While crisis management also concerns the protection of assets, it focuses on protecting the organization’s people and reputation and restoring normal operations quickly and safely. In a crisis, public perception and stakeholder trust become critical. The crisis management team must balance the technical aspects of the situation with the need to communicate effectively with stakeholders, restore critical business functions, ensure regulatory compliance, and resume normal operations.
This difference in priorities can lead to tension. For instance, in a data breach, InfoSec might want to delay public disclosure until the issue is fully understood and contained. At the same time, the crisis management team might push for immediate transparency to maintain public trust. The challenge lies in balancing these competing demands in a way that serves the organization’s best interests.
Differing Stakeholder Engagement
The differences in stakeholder engagement also contribute to the friction. InfoSec primarily engages with internal stakeholders such as IT teams, security personnel, and executive management. Their communication tends to be technical and detailed, often focused on the specifics of security controls and risk management.
On the other hand, crisis management must engage with a broader range of stakeholders, many of whom may not have a deep understanding of technical issues. This requires translating complex information into clear, actionable messages that resonate with diverse audiences. The need to simplify and communicate quickly can sometimes be perceived by InfoSec as a dilution of the essential technical nuances, leading to potential misunderstandings or disagreements.
Differences in Culture and Approach
The friction between information security and crisis management is not just about objectives but also the cultural and operational differences between the two functions. InfoSec is often a team or set of teams reporting to a single leader, like the Chief Information Security Officer (CISO). In contrast, a crisis management team is a cross-functional group representing different areas of the organization and reporting to various leaders.
The InfoSec team is typically composed of highly technical professionals who are detail-oriented and focused on the inner workings of IT systems. Their work involves a deep understanding of security protocols, encryption, network architecture, and other technical aspects of cybersecurity. This technical focus often leads to a structured and systematic approach to problem-solving, with a heavy reliance on established procedures and protocols.
While this approach is essential for maintaining robust security, it can sometimes create a perception of rigidity. When a crisis occurs, the need for flexibility and rapid decision-making can clash with InfoSec’s preference for thorough analysis and adherence to established procedures.
In contrast, the crisis management function is centered around cross-functional communication, collaboration, and quick decision-making. Members of a crisis management team engage with a wide range of stakeholders, including employees, customers, media, regulators, and the public. Like InfoSec, they are professionals with expertise and experience in their specific areas, but no single member has the knowledge and skills necessary to facilitate an effective response on their own.
Challenges in Collaboration
Given the differences in objectives, culture, and approach, it’s no surprise that collaboration between InfoSec and crisis management can be challenging.
Siloed Operations
One of the biggest challenges is the tendency for these functions to operate in silos. Information Security and crisis management often work independently, with limited interaction outside of actual crises. This lack of regular communication can lead to misalignment, as each team develops its own processes and priorities without fully considering the other’s perspective.
When a crisis does occur, the lack of established collaboration frameworks can exacerbate the friction. Teams may struggle to coordinate effectively, leading to delays, conflicting messages, and inefficiencies in the response effort.
Communication Gaps
Communication gaps are another significant challenge. The technical jargon InfoSec professionals use can be difficult to understand for non-technical stakeholders, including those in crisis management. Conversely, crisis management’s focus on communication strategies and stakeholder engagement may seem superficial or overly simplistic to InfoSec professionals.
These communication gaps can lead to misunderstandings and misaligned expectations. For example, InfoSec might assume that crisis management understands certain technical details, while crisis management might assume that InfoSec is fully aware of the reputational risks involved in a particular response strategy.
Conflicting Agendas During a Crisis
The pressure of a live crisis can bring these challenges to the forefront. Both functions must act quickly during a crisis, but their differing agendas can lead to conflict. For instance, InfoSec might prioritize isolating a compromised system to prevent further damage, while crisis management might focus on maintaining operational continuity to avoid public panic.
These conflicting agendas can result in a tug-of-war over decision-making authority, with each team advocating for its approach. Without clear protocols and mutual understanding, this can lead to delays, confusion, and a less effective overall response.
Strategies for Reducing Friction
Organizations can implement several strategies to address these challenges and foster better collaboration between InfoSec and crisis management.
Cross-Functional Training and Awareness
One of the most effective ways to reduce friction is to promote cross-functional training and awareness. Organizations can build mutual understanding and respect by educating each team on the other’s priorities, challenges, and processes. For example, InfoSec professionals could participate in crisis communication workshops, while crisis management teams could receive training on basic cybersecurity principles.
This cross-training helps to break down silos and ensures that both teams are better equipped to understand and support each other’s objectives.
Joint Crisis Simulations
Another powerful tool is joint crisis simulations. These exercises allow both teams to practice working together in a controlled environment, testing their response strategies, communication protocols, and decision-making processes.
By simulating real-world scenarios, organizations can identify and address potential friction points before a real crisis occurs. These simulations also help to build trust and establish clear roles and responsibilities for each team.
Integrated Communication Channels
Establishing transparent and integrated communication channels is also critical. Time is of the essence during a crisis, and any delays or misunderstandings can have serious consequences. Organizations can ensure that information flows smoothly and decisions are made quickly by setting up dedicated communication channels that both teams can access.
These channels should be tested and refined regularly to ensure they remain effective. Additionally, organizations should establish protocols for escalating issues to senior management when necessary to avoid decision-making bottlenecks.
Shared Goals and Metrics
Finally, aligning both functions under shared goals and metrics can help to reduce friction. Organizations can encourage InfoSec and crisis management teams to work together towards the same outcomes by defining common objectives related to organizational resilience and risk management.
For example, both teams could be evaluated on their ability to minimize the impact of a crisis on business operations rather than being judged solely on their individual performance metrics. This shared accountability helps to foster collaboration and reduces the likelihood of conflicting agendas.
Conclusion
Friction between an organization’s InfoSec and crisis management functions is expected but not inevitable. By understanding the root causes of this friction—whether it’s differences in objectives, culture, or communication—organizations can take proactive steps to bridge the gap between these critical functions.
Organizations can foster a more collaborative environment that enhances their overall resilience through cross-functional training, joint simulations, integrated communication channels, and aligned goals. In today’s rapidly evolving threat landscape, this collaboration is not just beneficial—it’s essential. By working together, InfoSec and crisis management teams can ensure they are fully prepared to protect the organization, its assets, and its reputation, no matter the challenges.
Want to work with us and learn more about crisis management?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your crisis management, business continuity, and crisis communications program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Exercise in a Box product contains 15 simple tabletop exercise scenarios that your business leaders can utilize for crisis microsimulations with minimal involvement from your team.
- With our Exercise in a Day™️ product, you’ll get a comprehensive, ready-to-execute crisis tabletop exercise developed by our team of experts in just one day. Optionally, we’ll even facilitate the exercise and write an after-action report.
- Our Crisis Management services help you rapidly implement and mature your program to ensure your organization is prepared for what lies ahead.
- Our Ultimate Guide to Crisis Management contains everything you need to know about Crisis Management.
- Our Free Crisis Management 101 Introductory Course may help you with an introduction to the world of crisis management – and help prepare your organization for the next major crisis.
- Our Crisis Management Academy®️ is the only program of its kind that provides the knowledge you need to build a strong & effective crisis management program for your organization and leaves you with the confidence that you’re putting the right program, framework, and plans in place to enable your business to manage through a critical moment.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Set up an initial call with us to chat further about how we might be able to work together.