Real crisis capability isn’t built through longer plans or thicker binders. It’s built through practice.
You don’t have to wait for lightning to strike.
In policing and emergency services, frequent exercising creates organisational “muscle memory”. Leaders and teams learn how they, and others, behave under pressure, where authority sits, and how to adapt when plans no longer fit reality.
This was how we trained at the Metropolitan Police, but the same principles apply to organisations facing cyber risk.
It’s why Sir Roly Keating, Chief Executive of the British Library when it was attacked in 2023, says “boards should make it a priority to have a regularly tested incident management plan in place”.
Well-designed scenario exercises allow leadership teams to rehearse:
- making decisions with incomplete information
- clarifying authority and escalation
- balancing operational, legal and reputational risk
- communicating under pressure
- working across silos as one leadership team
- how to deploy resources at pace
This doesn’t require months of preparation. A small number of realistic exercises quickly reveal:
- where decision-making slows
- where roles blur or conflict
- where communications break down
Crucially, they do so without real-world consequences.
Frameworks and decision models help not because they provide scripts, but because they legitimise judgement under uncertainty. This creates defensible decision-making at pace, efficiently documented in case of future legal or regulatory challenges.
Effective exercises involve senior leaders and incident management teams working in parallel, testing escalation, delegation and coordination, building relationships that work under pressure.
People should feel safe to challenge, share bad news early and communicate transparently. Their leaders make sense from ambiguity, adapt plans and distribute decision-making. They show empathy for the team and encourage innovation.
The return on investment is disproportionate:
- faster, calmer decisions
- clearer communication
- reduced reputational damage
- greater board confidence
Cyber crises are increasingly inevitable. Leadership failure is not.
You will build resilience and flexibility, and your leaders’ ability to adapt and change.
Turning crisis into opportunity.
If these articles have raised questions about your organisation’s readiness, we’d welcome a conversation.
Crisis Capable 
Leave a comment