A cyber crisis rarely announces itself neatly. There’s no starting gun, and there is almost never immediate, complete clarity. There’s a report, a suspicion, a few signals that don’t add up. And meanwhile, everyone is looking at the same people in the organization with one expectation: take control and fix it.
According to Cees Berrens, that is exactly the heart of cyber crisis readiness. It’s not about a document sitting somewhere on a drive, but about how your team responds when the pressure is high and the information is incomplete. As Managing Partner at Heimdallr, he works on digital resilience around themes such as Sovereign Cloud and Zero Trust. In addition, he trains crisis and incident teams at CCRC through realistic simulations. His experience, including in demanding environments within government and the financial sector, has led him to one conviction: a crisis plan is useful, but readiness lives in behavior. And you only sharpen that behavior through practice.
The first 60 minutes set the tone
What Cees often sees first in crisis simulations isn’t a wrong technical decision, but a human pattern. “Everyone slips into their own reflex. One person wants to act immediately, another freezes, someone else gets tangled in details or waits for confirmation. That creates noise, and that noise costs time. Time you simply don’t have in the early phase of an incident.”
That’s why he insists on one question that sounds almost too simple, but makes all the difference in practice: “What are we actually looking at?” By that he doesn’t just mean a technical analysis, but above all a shared reality check. Cees explains: “Ask yourselves: what do we know for sure? What do we suspect? What is the impact on operations, data and continuity? What’s still uncertain? Only when you align that in the same room can you make choices that are based on something. And practice is crucial here.
“I always compare it to elite sports: you can’t expect to perform at the highest level if you’ve only theoretically talked through what you should do a couple of times. Put someone untrained at the top of an Olympic downhill run and you already know how that ends. In a crisis it’s the same. Something is expected of you, there’s pressure from outside, pressure from inside, and that’s exactly when roles and routines often turn out to be less clear than you thought.”
Structure creates calm
That structure doesn’t appear by itself. According to Cees, cyber crisis management is above all teamwork: everyone brings their own role and specialty, and it’s precisely that combination that makes you effective. At the same time, you need someone to maintain control when pressure rises: the crisis manager/chair as the director. “Not because they know the most, but because in chaos you need someone who keeps the process tight: priorities, rhythm, decision-making and follow-up.” Cees sees that clear leadership during a crisis is often decisive in how quickly a team regains control.
He likes to use a fixed approach: first gather findings, then form a judgment collectively, and only then make decisions. And immediately schedule a follow-up meeting, so everyone knows when you’ll return to actions and new information. In his experience, structure brings calm, and calm is exactly what you need to keep thinking clearly under pressure.
Discipline is part of that as well. In many crisis situations, a team is literally being called nonstop, both internally and externally. People want updates, executives have questions, colleagues look for certainty. If you don’t steer that, all attention shifts to ad hoc communication and the team loses focus.
Cees is clear about it: “Shield the team where necessary and make agreements immediately: who is the spokesperson, who stays in touch with the board, who liaises with suppliers, and who keeps the pace within the team.” In addition, from minute one there should be someone maintaining the action and decision log. Not as an administrative side task, but as the backbone of your crisis approach: which actions have been assigned, by whom, with what deadline; which facts have been confirmed; which decisions have been made and on what basis.
“That log doesn’t just help with accountability afterward, but especially during the crisis itself. It prevents duplicate work, enables handovers between shifts, and ensures that if the situation shifts again, you can immediately pick up what has already been done, and why.”
What needs to be arranged beforehand
If you ask him what must be in place before a crisis to avoid hassle, he comes back to three basic conditions: “Structure, role division and leadership. It sounds almost obvious, but in exercises I often see these as pain points. Structure is about how you scale up, how you meet, how you make decisions and how you maintain that rhythm. Role division is about mandate and tasks. Who chairs, who communicates, who keeps the log, who liaises with suppliers. Leadership is about daring to take responsibility, even when not everything is certain yet. So these are extremely important.”
He also points out a practical issue that many crisis plans underestimate. “You don’t assemble a crisis team in five minutes. Someone is in a meeting, someone is on the road, someone is off, someone is in the middle of an appointment that can’t just stop. A plan that assumes a perfect start fails the moment things go wrong. So you need to practice with that reality, including the time it takes to gather, coordinate and escalate.”
Where it goes wrong between the incident team and executive leadership
A recurring tension in cyber crises is collaboration between incident teams and the C-level. Cees sees that it often fails on language: “Technical teams describe what’s happening in terms of systems, logs and tooling. Executives have to make decisions based on impact, risk and obligations. If that translation is missing, executives disengage or the incident gets downplayed. On top of that, many people prefer to avoid the word ‘crisis’ because it immediately feels like hassle, reputational risk and escalation. But that avoidance often makes things worse.”
Cees notices that incident teams sometimes stay too technical, while executives need meaning: what’s at stake, what’s the damage if we do nothing, and what are the options. His advice is to train “board language” as a skill. “Start with the consequences: what does this mean for operations? For financial damage? For reputation and legal obligations? If you have that clear, you can get decisions made faster at the right level.”
The nuance behind hesitant leadership
“In many environments, an attacker doesn’t need to break in spectacularly; they can often simply log in. And once someone is inside, in traditional environments they can often move too far because the implicit assumption is trust. You log in and you can access everything.” That’s why Cees also links crisis readiness to the choices you make before the crisis. Zero Trust isn’t a product, but an architecture in which trust is made explicit. Access is verified at every step and for every resource, reducing an attacker’s freedom of movement and making anomalous behavior visible sooner.
He says the same applies to Sovereign Cloud. “That’s not a label you stick on a vendor either, but a stack of choices you build deliberately, depending on risk, data and dependencies. Especially with sensitive information and geopolitical developments, that’s not just a security question, it’s also a continuity question.”
Realistic scenarios make readiness visible
What matters most to Cees? Realistic scenarios. “Not because it’s fun, but because they show mercilessly where your organization gets stuck in practice. An exercise is only valuable if it doesn’t stop at awareness, but leads to action. You know it now, so what are you going to do differently?”
That urgency is connected to how work has changed. “We work hybrid, we’re distributed, and a lot runs in the cloud. That makes the attack surface bigger than ever. It’s no longer one office network you’re defending. And that’s exactly why cyber crisis readiness is no longer an appendix. It’s a skill you train, a structure you build, and a way of working together that you must be able to reproduce at the moment when nobody has the luxury of thinking calmly.”