In a really useful speech by Sir James Bevan, chief executive of the Environment Agency, to the Whitehall and Industry Group, 7 July 2020, Bevan outlined how the Environment Agency handles incidents, giving his Top Tips for good incident management - and they transfer remarkably well for cybersecurity.
Bevan prefaced the list by quoting President Kennedy: “Good judgement is usually the result of experience. And experience is frequently the result of bad judgement”, hence he added, “what I have learnt about incident management during my career has come as much from making mistakes as it has from getting it right.”
Top tips for incident management
If you are your organisation’s leader, you need to lead the response to a big incident. Don’t try and do the day job as well. The incident is the day job till it’s over. This is the moment when your organisation’s reputation will be won or lost, possibly for ever. So it’s worth your time. Be decisive: be prepared to take big decisions. In an incident the biggest risk is not taking a decision that later proves to be wrong (some always will): the biggest risk is not taking a decision at all, or taking it too late. You will not have all the facts: decide anyway.
Flick the switch early to put your organisation into incident mode. If you don’t get ahead of the curve you will never catch up. So over-resource at the start: people, kit, whatever. You can always scale back later. Establish your battle rhythm immediately – which meetings when with whom to do what - and clear roles and responsibilities.
Get on the ground:
The absent are always wrong. Being present and visible at the scene of an incident is as important as what you do when you get there. So get yourself and your team to the scene as soon as possible.
Have a strategy:
Be clear what your goals are and ensure everyone in your team knows. Be ready to adjust your strategy as the situation changes, because it will.
Win the air war:
The media battle (the air war) is as much a part of the incident as your operational response (the ground war). You need to win both. So use the media: don’t shy away from it. Have a simple message and keep on saying it. Get the tone right: calm, authoritative, empathetic, commitment to do what’s needed. Accept the inevitability of critical reporting: it’s not personal. It will go away.
We all have bosses. Tell them what you are doing and listen to what they want.
Look after your staff’s wellbeing and your own. Ensure everyone is fed and watered and gets a break, including you. Tired people make bad decisions.
Be ready beforehand:
Have an incident plan and practice beforehand. No plan will survive contact with reality, but it’s better than not having one. Time spent in preparation is never wasted: what you do in peacetime is reflected in how you perform during the incident.
Learn the lessons afterwards:
It will never be perfect. But each time you do something right or wrong, you will learn valuable lessons for next time. Do a wash up afterwards, write down the main lessons and keep them handy. You will need them again.
Bevan concludes: “I can sum all this up in six words we use in the EA to guide our incident response: Think Big, Act Early, Be Visible.”