Jochem Smit is a Senior Crisis Management Trainer at CCRC and brings hands-on experience from real ransomware incidents. At Northwave, he was one of four senior crisis managers responding to major cyber incidents. “They were all ransomware cases.”
In those situations, an organization’s infrastructure is partly or completely down. Companies, often via their insurer, quickly bring in external support to become safe, clean, and operational again. In this interview, Jochem shares what he sees in the heat of the moment, why training makes the difference, and which roles are almost always missing when it matters most.
Ransomware starts as technical, but becomes executive within hours
Ransomware attacks often begin as an IT problem, but quickly turn into a full business crisis. It is not just IT systems that go down; HR, finance, and logistics stop with them. In one incident in Germany, Jochem was called when “everything was already down, from the finance department to HR, and therefore also everything in production. Nothing worked anymore.”
When you walk into that situation, you feel what it means for an organization. “I’d almost say 80 percent of people had been sent home, because so many employees couldn’t do anything. Production halls were empty. There was one crisis room where senior managers and the board tried to set up a meeting structure, and the IT department was operating at maximum capacity. People were even called back from vacation.”
This highlights a key point for Jochem: many organizations underestimate both the scale and the duration. A week and a half to two weeks is a best case just to regain some control, but it can also take a month. And before full functionality is back, you are talking about months. The crisis is not a short spike. It becomes a sustained strain on people, processes, and decision-making.
The business wants to move on, security wants certainty
One of the most intense frictions in almost every incident, Jochem says, is between security and the business. Security wants a comprehensive, 100 percent certain solution, but that takes time, money, and energy. The business sees it differently: operations must continue. Sometimes because production is halted, sometimes because a merger or acquisition is underway, sometimes because customer obligations create pressure.
“That mismatch is significant. Safety is often not the decisive factor, but ‘getting back into production as quickly as possible at any cost’ is. That leads to compromises. Not everything is rebuilt from scratch in a secure way. Instead, choices are made to ‘get it working again,’ despite the risks. The consequences can be enormous.”
That is exactly why Jochem believes training is so important: these trade-offs are not only technical. They are business decisions with direct impact on revenue, continuity, governance, and reputation.
The aftermath is often worse than the attack
What affects Jochem most is not only the initial chaos, but what happens afterwards. He explains that they did extensive research into the post-incident period. “It shows that the aftermath is many times worse than what you experience in those first two or three weeks.”
People often end up with sleep problems, concentration issues, and feelings of guilt. Sometimes the impact is extreme. Some people decide they never want to return to an organization where this could happen again. The lesson is hard and practical: “In a crisis, you have to protect people from their own ‘good intentions.’ Companies often want to push through, accelerate, and think: we’ll be back online tomorrow. But it doesn’t work that way.”
How to make an exercise feel real: connect it to what it means for them
Jochem fully believes in exercises and training. “Everyone who has lived through a situation like this will always say: we should have trained more.” But he also knows how difficult it is to recreate stress and urgency safely. His solution is to tailor it to the people in front of you. “Scenarios don’t have to be a one-to-one match, but you do have to translate what it means for that organization. Otherwise people disengage and say: this won’t happen to us, this doesn’t apply, we would handle it differently. Then you can tell you haven’t really hit them where they would feel the pain.”
Decision-making: appoint a decision-maker and train that role
When it comes to crisis decision-making, Jochem says: “Start by naming who decides. Name them explicitly. And appoint a backup. Not automatically the CEO, but someone who understands the shop floor and can carry the responsibility.”
Then train that person specifically for the moments where things go wrong: the first signal, the start of an incident, the moment it still seems small but can escalate quickly. “That is exactly when many people think: this is still minor. But that is precisely the moment when acting can limit the impact.”
In training sessions, he lets people feel what that role means, for example what it means to shut down production. When do you do it, when not, what are the financial consequences, and how do you explain it?
What he often sees go wrong in practice is hierarchy slowing decisions down. Choices are escalated upward, while those people are sometimes too far removed from the reality on the ground. His preference is someone in the company who dares to say: this is the risk, I need a yes or no. Or even: I say yes, are you comfortable with the consequences?
The role that is almost always missing: the logger
Finally, Jochem points to a role he rarely sees properly filled, even in large organizations with formal crisis teams: a dedicated scribe. There are different names for this role, and within CCRC they use the term “logger.”
Not someone who “also takes minutes on the side,” but someone who understands what is happening and captures who says what, which choices are made, and which actions sit with whom. A good logger also asks the probing questions when the team drifts off course.
He describes how a strong logger can lift a crisis team in a very tangible way: “You pull the team out of the chaos and back to overview. You check whether real judgement has taken place, or whether everyone is charging after one solution like headless chickens.” It also delivers something that is becoming increasingly important: an audit trail for insurers, regulation, and accountability afterwards.
That is why, in his view, this role should be trained as well, and supported with tools or templates. Preferably offline, because in a ransomware incident the organization's own email, chat, and document systems are often exactly what is unavailable, and the log must not depend on them.
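As an added example, and not CCRC's tooling or a template from the interview: a small offline crisis log in Python for the logger role. Each entry records who said what, which decision was taken, or which action sits with whom, and the entries are chained with SHA-256 so that any later edit or deletion inside the log is detectable when the audit trail is checked afterwards. The entry kinds, field names, and the sample crisis-room entries are assumptions constructed for this illustration.

```python
"""Offline, tamper-evident crisis log for the "logger" role.

Plain JSON lines on local disk: no server, no network, no dependency on the
organization's own (possibly encrypted) systems. Every entry carries the hash
of the previous entry, so editing or deleting an earlier entry breaks the
chain and is detected by verify_chain().

Added example, not CCRC's tooling. Entry kinds and field names are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

KINDS = {"statement", "decision", "action", "done", "question"}
GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(fields: dict) -> str:
    """Hash the entry's fields (including 'prev') in a canonical JSON form."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(log: List[dict], kind: str, who: str, text: str,
                 owner: Optional[str] = None, ref: Optional[int] = None,
                 ts: Optional[str] = None) -> dict:
    """Append one entry to the log and return it.

    owner: who holds an action; ref: for a 'done' entry, the seq of the action
    it closes. ts is injectable so that a log can be reproduced deterministically.
    """
    if kind not in KINDS:
        raise ValueError(f"unknown entry kind: {kind}")
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "kind": kind,
        "who": who,
        "text": text,
        "owner": owner,
        "ref": ref,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash; return (True, None) or (False, first bad seq).

    Caveat: a chain only proves integrity of what is present. Cutting off the
    tail of the file is not detectable from the file alone, so the logger
    should read out or write down the latest hash at fixed intervals.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or fields.get("prev") != prev
                or _digest(fields) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


def open_actions(log: List[dict]) -> List[dict]:
    """Actions that no later 'done' entry has closed: the 'who owns what' view."""
    closed = {e["ref"] for e in log if e["kind"] == "done"}
    return [e for e in log if e["kind"] == "action" and e["seq"] not in closed]


def save(log: List[dict], path: str) -> None:
    """Write the log as JSON lines to a local file (e.g. a USB stick)."""
    with open(path, "w", encoding="utf-8") as f:
        for e in log:
            f.write(json.dumps(e, sort_keys=True) + "\n")


def load(path: str) -> List[dict]:
    with open(path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def build_sample_log() -> List[dict]:
    """Constructed sample of one crisis-room session (not a real incident)."""
    log: List[dict] = []
    t = "2024-03-12T09:{:02d}:00+00:00"
    append_entry(log, "statement", "IT lead",
                 "File servers and ERP unreachable; ransom note on hosts", ts=t.format(5))
    append_entry(log, "decision", "Crisis lead",
                 "Isolate production network from office network", ts=t.format(12))
    append_entry(log, "action", "Crisis lead",
                 "Notify insurer and activate IR retainer", owner="CFO", ts=t.format(13))
    append_entry(log, "action", "Crisis lead",
                 "Confirm which backups are offline and intact", owner="IT lead", ts=t.format(14))
    append_entry(log, "question", "Logger",
                 "Has the domain controller been checked before we decide on restore?", ts=t.format(20))
    append_entry(log, "done", "CFO", "Insurer notified, IR team en route", ref=2, ts=t.format(31))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    save(sample, "crisis-log.jsonl")
    ok, bad = verify_chain(load("crisis-log.jsonl"))
    print("chain intact:", ok, "| open actions:",
          [(e["seq"], e["owner"], e["text"]) for e in open_actions(sample)])
    print("latest hash (write this on the whiteboard):", sample[-1]["hash"][:16])
```

The open-actions view is what the logger uses to pull the team back to overview ("who has what, and is it done?"), while the chain is what makes the same file usable as an audit trail later. Because the verification runs from the file alone, it should be repeated from an independent copy, not from the machine whose log is in question.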