Chris van ‘t Hof: “In a crisis, you’re not automatically in charge, even if you’re the CEO of the company”

Chris van ‘t Hof, as director of DIVD, is used to seeing vulnerabilities before they become incidents. But in CCRC crisis training, he sits on the other side of the spectrum: there he sees what happens once things do go wrong and how quickly a technical problem turns into a management stress test.

He writes and thinks extensively about that human dynamic under pressure. It’s no coincidence that he opens his book Cyber Misery Has Never Been This Fun with lessons from crisis exercises: because you only learn what your organization is worth when roles, decisions, and communication are all under pressure simultaneously. In this interview, Chris explains what makes CCRC exercises sharp: starting with the technical aspects, steering on role clarity, and letting teams experience that ‘being busy’ is something different from being in control.

Start with the technology, so that it quickly becomes about choices

How does Chris prefer to start his training at an organization through CCRC? Not with a general story about ‘ransomware on Monday morning,’ but with something small and technical that immediately creates credible friction. “I actually start very technically. Then the tech people have to explain to their CEO what’s going on, and the exercise has already begun.”

According to Chris, that first quarter hour is exactly where organizations betray themselves. Because if IT can’t translate the situation into impact, noise emerges. And noise creates reflexes: ad hoc actions, random phone calls, everyone starts fixing something simultaneously. While a crisis actually requires structure.

“Create a diagram: what’s located where, how it’s connected, which suppliers. A technical scenario then unfolds from that, allowing the impact on other departments to be mapped out. The effect is that a crisis doesn’t remain an IT party. HR, legal, communications, finance, and operations feel when they must step in and what happens if they’re too late.”

The biggest mistake isn’t technical: teams assume their ‘natural’ roles

When asked what management/board most often does wrong in the first 60 minutes, Chris is remarkably consistent. Not: wrong tool. Not: wrong patch policy. But: the organization gets stuck in the daily role distribution.

“The first mistake is that they get stuck in their daily roles. The CEO automatically becomes chairperson, department heads continue managing their own sections, and everyone starts working simultaneously. In that panic, the role that makes a crisis manageable is often forgotten: the logger. This isn’t a note-taker, by the way, but a role that helps the chairperson work in a rhythm: gathering facts, interpreting them together, making decisions, setting out actions, and following up. Very cyclical. Without that rhythm, you get a crisis team that works very hard but doesn’t visibly steer.”

He often sees it happen: halfway through, someone joins (board, client, supplier, insurer, regulator) and there’s no timeline, no decision logic, no overview. Then ‘information’ becomes a pile of loose fragments. And that’s exactly where crises slip: not because people do nothing, but because no one can explain anymore why something is happening and what the next step is.

Role clarity isn’t a formality, it determines whether you maintain control

That focus on role distribution keeps coming back in how Chris views leadership under pressure. A crisis team often has the same people as daily operations, but a crisis requires different reflexes: less micromanagement, more frameworks. Less ‘I’ll fix it,’ more ‘how do we maintain overview, pace, and decision quality.’

That’s why he’s cautious about automatic assumptions (‘the highest in rank automatically leads’). Not because a director doesn’t belong there, quite the opposite. But because chairing a crisis team is a profession in its own right: someone must guard energy, make decisions explicit, and pull the group out of incident mode. He puts it succinctly: “A real crisis requires a different role distribution than daily operations. I’m director of DIVD myself, but if there’s a crisis, I hand it over to our crisis manager. They’re much better at it. And it could very well be that the crisis was caused by my policy.”

That role clarity goes beyond titles. Chris regularly sees someone without great ‘formal weight’ suddenly become essential because they ask the right questions or maintain overview, while the usual suspects sometimes overshoot in decisiveness: calling everyone, distributing tasks themselves, communicating simultaneously without coordination. In an exercise, this becomes painfully visible, and that is precisely what makes it valuable. The conversation afterward isn’t about ‘better communication’ as a catch-all term, but about concrete behavior: who sat where, who had mandate, who logged, who translated, who decided, and what were the consequences?

Practice is only real practice when the scenario moves along and the chain participates

Chris is critical of standard scenarios that every client goes through the same way. Not because those scenarios are never relevant, but because organizations then mainly learn to play the game. “That doesn’t help people. I prefer customization and dynamics, a scenario that moves with choices. If teams do X, then the effect becomes Y. If they switch off too early, then a business continuity problem arises. If they wait too long with communication, then reputation or legal pressure emerges. That’s exactly how it works in real life too.”

And then there’s a second accelerator that makes CCRC strong according to Chris: the chain. “Many organizations can practice fine within their own walls, but are often surprised as soon as a supplier, acquisition, or shared IT dependency tilts things. If something happens that’s outside our control but does affect our systems, what are we going to do?”

By including partners or suppliers, you’re not only practicing your own process, but also coordination: sharing information, managing expectations, escalating, communicating, agreements about recovery and responsibility. So you’re not practicing control, but dependency, and that’s more realistic.
