Martin de Vries: “During a crisis, the adrenaline is right up to your scalp: that’s why you have to practise”

Martin de Vries is CISO at VDL. Before that, he held the same role at Eindhoven University of Technology (TU/e), where he experienced up close how a cyber crisis can turn an organisation upside down in an instant. In this interview, Martin shares what crisis exercises actually mean when it’s real. How practising ensures you don’t first have to figure out who leads, who takes notes, who decides, but can act immediately. And why, in the first few hours, that quite literally makes the difference.

Practising saves time when you don’t have any

Anyone who sees crisis exercises as a box-ticking exercise is missing the point. Martin sees practising as something that makes your organisation faster at the moment everything is under pressure. He says: “In most sectors it’s not about life and death, but it is about continuity, trust, and enormous impact. It’s the same principle as skilled professionals who don’t have to search for their basic routine under pressure. A firefighter who can grab his gear blind. A doctor who doesn’t need to leaf through a manual before performing surgery.”

In a cyber crisis, you don’t have room for discussions about fundamentals. You want the basics to happen automatically, so you can focus on analysis, mitigation, and recovery.

No noise thanks to clear role allocation

Martin describes what a crisis organisation looks like in practice: multiple layers that need to run at the same time. A technical solution group that maps what happened. A layer above that, focused primarily on systems and the recovery sequence. And above that, the central crisis management team, which has to manage the impact across the entire organisation. At TU/e, that meant education, research, HR, salary payments: everything that grinds to a halt when systems go down.

According to Martin, the difference between chaos and control often comes down to something simple: everyone needs to know which role they take. He saw this happen at TU/e. Because roles and routines had been defined in exercises, there was no real-life discussion about who minutes the meeting, who chairs it, who records decisions.

“You look around and see who’s there; especially at night, staffing is never as complete as in the TU/e scenario, and the roles get filled. And that’s exactly what buys you time: no delays due to role confusion, no energy lost on coordination you could have handled in advance.”

The quiet success factor: enough people to rotate

Martin stresses that your crisis organisation needs multiple people who can step into the same role. “Not everyone is available during a crisis due to holidays, illness, or private circumstances. And a crisis almost never lasts just one day. At TU/e, the acute phase lasted a week, and even after that it wasn’t business as usual. Sometimes the aftermath lasts for months.”

At TU/e, after Sunday there was more control and a workable cadence: long days, but going home again in the evenings. Still, rotation remains crucial. He also notes that teams sometimes struggle to go home while others keep working. “That’s exactly when leadership has to dare to intervene: send people home, against their own reflex, because otherwise you’ll get dropouts later.”

A related topic that, according to Martin, structurally receives too little attention is the mental impact of a cyber crisis. He refers to research by Northwave that shows how significant that impact can be. Cyber crises can lead to burnout symptoms and even PTSD-like complaints, precisely because the pressure is high and sustained over time. His message: “Think about aftercare during the crisis itself. Protect people against themselves. That’s not a soft add-on, it’s part of effective crisis management.”

The practical tip: plan as if your entire IT is down

If Martin had to give one tip that organisations could apply tomorrow, it would be this: assume the worst-case scenario where your entire IT landscape is unavailable. “In a crisis, many organisations still think too quickly: we’ll schedule a call or share a document. But what if you can’t? Then suddenly simple things become critical: where is your call list, how do you capture decisions, how do you collaborate, how do you keep an overview?”

Martin therefore advises having an emergency fallback ready: analogue, or a separate digital collaboration tool outside your primary environment. The reason is what happened at TU/e: communication was still possible in the first hours, but later the plug literally had to be pulled to regain control.

From university to manufacturing: OT and the supply chain make it even more tangible

In his current role at VDL, Martin sees added complexity. IT downtime isn’t just “inconvenient”; it can stop production. Nothing comes off the line. And in an OT context, it can even affect physical safety: processes, machines, hazardous substances.

He also points to the supply chain. “In Western Europe we’ve become extremely good at just-in-time supply chain systems; efficient, but fragile. An incident at you, or at a supplier, can have an immediate knock-on effect. That’s why supply chain exercising isn’t a luxury, it’s necessary.”

His closing call to action is therefore: “Don’t look only internally, practise across the chain as well. Check scenarios with your network. Test whether processes align. Ask the simple question: if your supplier gets hit, do you receive a signal in time? And if you get hit, can you quickly inform your suppliers so logistics and expectations stay aligned? And it doesn’t have to be complicated. Grab a cup of coffee, put your scenarios next to each other, and talk it through. It’s precisely through those conversations that your resilience grows, together.”

