CSO Perspectives: Tabletop Exercise Demonstrates Crisis Management Challenge

Delcom Communications isn't a real company, but the tabletop scenario about the fictional Midwestern communications company was probably all too real for many attendees here at CSO Perspectives in Colorado Springs. It was a case of intellectual property theft.

The scene: Delcom suffered an attempted breaking and entering. What's more, a lab that housed a secret R&D project was accessed with a swipe card that had been reported missing some time ago. That lab was the site of a project at the heart of the struggling company's turnaround strategy. All of this took place just weeks before Delcom's annual shareholders' meeting, and already the media was asking questions.

Attendees were assigned roles, from crisis response team to police, to media, to a small outside contracting firm that immediately drew suspicion. The tabletop exercise unfolded in three segments, and during each segment participants roamed the room, talking to other entities. Police talked to Delcom's crisis team. Media poked around everywhere. At the end of each segment, teams were to report on what they learned and the steps they had taken. Discussion ensued.

The first segment focused on immediate response upon learning of a potential breach. And most of the Delcom crisis response teams (there were four Delcoms, to elicit varying responses to the crisis for discussion) agreed on the steps to take: Gather the team. Learn what we can, try to rebuff the media, and proceed from there. So far, so good.

Segment two brought much more disagreement and discussion. At this point, participants learned, Delcom shut the police out of the investigation and decided to handle it internally. What's more, the story was all over the news. The R&D project's leader formed his own response team independent of the Crisis Management team in place and actually hired an outside forensics investigator to look into the breach on the R&D project's computers. This is when opinions diverged greatly. Some participants felt daily press briefings would help "control messages out there" while others said the less access to the press the better.

One Delcom group decided to merge the R&D leader's crisis team with the initial crisis management team, while another management team decided to "wind down" and let the other team take the lead at that point. Both sides argued their reasoning well, the merged team trying to create a unified voice, while the winding down team clearly wanted out of an investigation getting out of control.

There was also good discussion on whether to include the police. Some said, since they weren't interested in criminal charges, police would just get in the way and it would be harder to control the investigation. Others said bringing in the FBI would help "since they're better at keeping their mouths shut to the press."

Finally, for comic relief, one team invited the police to Delcom's corporate cafeteria to eat, "but we weren't going to talk to them" which brought out more laughs. Still, good ideas were generated from each position.

Segment three brought matters to a head, but those looking for a whodunit kind of closure would be disappointed. By this time, Delcom employees were talking to the press anonymously about how unfairly they were being treated by the internal investigators and pointing fingers at contract employees from a foreign firm. That firm was trying to protect its reputation and its employees from potentially illegal interviews during the investigation, conducted without their employer's consent. And the media is running not only with the story about the potential loss of proprietary data but now also with the story about unfair internal investigation practices. The matter is out of hand.

As the scenario unfolded gradually, the moderators of the exercise shared insights to help security executives manage crises.

Radford Jones and Brit Weber, both academic specialists from Michigan State University's School of Criminal Justice who served as moderators of the tabletop exercise, emphasized that it's essential for security executives to establish relationships with a number of parties before a crisis occurs. Among those parties:

* local, state and federal law enforcement agencies

* local, state and federal emergency management agencies

* local and regional media

Jones, for example, said he invited some media representatives to crisis simulations when he worked as security chief at Ford Motor. And Weber told participants that the first time they exchange business cards with law enforcement officers should be well before a crisis erupts, not after.

Such pre-existing relationships were not possible, of course, in a room full of 51 participants meeting for a simulation exercise, many of whom were playing roles that were unfamiliar to them. An observer was left to wonder: if trustworthy relationships did exist, would there have been more cooperation between the leaders of Delcom Communications and local police, for example?

Other issues that came up:

* Crisis management emphasizes the protection of the life and health of employees and the protection of company assets. It requires decision-making at the appropriate level (for example, the CEO or the CEO's designee) and defined lines of responsibility in the midst of collective decision-making. The efforts also need to support the pursuit of business objectives.

* The CEO, crisis management and response teams and head of media relations need to be on the same page about how to communicate with the media (and stockholders in the case of public companies).

* There need to be clearly spelled-out relationships with contract workers; in general, security executives need to get the contractor to agree to allow its workers to be questioned in an in-house investigation.

* Crisis management teams need to be convened when a crisis happens, and continue in existence until the issue is resolved.

* Crisis preparedness entails: risk assessment and vulnerability assessments; planning; training including simulation or tabletop exercises; and mitigation, that is, changing or working on anything that can reduce risk in case of a crisis.

A reminder for participants came at the end of the exercise: Not every investigation ends up with clear answers. Not every case gets solved. In fact, Delcom never gets to the bottom of the matter, a part of the exercise moderator Radford Jones likes because "that happens with a lot of investigations. You never get to the bottom of it."

In the end, many executives at Delcom are fired or "retire" and a foreign competitor announces that it is prepared to launch a revolutionary product much like the one Delcom R&D was working on.

-- Scott Berinato and Michael Goldberg

Copyright © 2007 IDG Communications, Inc.
