Hans van der Net: “Your next crisis is always closer than you’d like”


Hans van der Net has worked at Rabobank for sixteen years and has spent most of that time operating at the intersection of IT and business. In his current role he wears two hats: he's responsible for security strategy and policy, and he also serves as Deputy CISO. That combination keeps him sharp, because policy only really takes on meaning when you see how the organisation moves once things get tense.

That execution side comes to the surface nowhere more clearly than during cyber crisis exercises. Within Rabobank, Hans is responsible for the cybersecurity crisis processes, and therefore also for organising the exercises. And as soon as you bring up the topic of practice with him, the conversation isn't about a one-off tabletop on a Friday afternoon. It's about structure, rhythm and repetition. Because a crisis is rarely a moment. It's a period in which you have to keep navigating under pressure.

Not 'one crisis team', but layers with pressure to act and pressure to decide

At Rabobank, crisis management is built up in layers. The Crisis Operation Team (COT) identifies the problem and solves it technically. Above that sits the Crisis Management Team (CMT), which takes decisions, brings the business on board and organises communication and mandate. In a bank, that escalation path runs further, through additional crisis structures all the way up to Managing Board level.

Hans is responsible for the bottom two layers: the security COT and the security CMT. That layering isn't only organisational. It allows teams to act at the right level. And that's where it often goes wrong: teams stay in solving mode for too long, while the situation calls for decisions to be made.

According to Hans, exercises aren't really about the content of an attack. "Scenarios have to be realistic, otherwise the group disengages. You still see people saying 'this would never happen', and at that point your exercise derails. But the real work only starts after that, because the scenario is mainly a means to an end. The scenario creates the pressure, the tension and the dynamics. But the learning objectives are: do you know the structure? Do you know which steps to take? When do you need to escalate?"

Turnover within crisis teams is unavoidable. "That's exactly why exercises are so important. The first crisis you deal with is always the most nerve-racking one." Rabobank therefore deliberately mixes experienced and inexperienced team members. There's an onboarding for newcomers, with explanations of expectations and tools. "The real dynamic only lands on the table the moment you end up in an actual crisis. Practising surfaces that tension at a moment when it's still allowed to."

Where it often goes wrong: not claiming the mandate

The solving team usually does what it's set up to do. Things go wrong when teams stay too low in the organisation for too long and forget to involve the management layer in time. "The solving team tends to stay low in the crisis organisation, instead of pulling in management support from above. To say: now we're going to take decisions, this is how we're going to communicate." That gets to the heart of crisis maturity. The winner isn't whoever rolls out a patch fastest, but whoever communicates fastest so the rest can execute.

The moment a crisis team becomes active, the rest of the organisation is at the door. "Everyone wants to help. Everyone has questions. Everyone has an opinion. If you don't bring structure to that, you lose oversight. You have to set clear boundaries and tell people: sit on your hands, otherwise this stops being manageable."

At the same time, he warns against shielding too much. That creates noise and uncertainty. Communication therefore has to be tight and run according to agreement. "We understand you have questions. In an hour we'll come back to you and tell you more. And then you have to actually stick to that."

A crisis calls for fast decisions, while the natural reflex in IT is to want all the facts first. Hans calls that reflex understandable, but dangerous. "In a crisis you don't have information. That's why it comes down to structure and rhythm. A fixed agenda, clear roles and a sequence in which you move from threat to impact to decisions." The point of that is to stop talking endlessly when you should actually be acting.

"Practise without consequences, or learn it live, with consequences"

When organisations say they 'don't have time to practise', Hans replies: "Your next crisis is always closer than you'd like. So either you practise it once without consequences, or you learn it during a real crisis, with consequences."

And it doesn't stop at crisis management. Exercises also expose everyday weaknesses, like information that can't be found or dependencies that aren't clear. "Those are learnings you take into your day-to-day work too." That, according to Hans, is the real business case: practising doesn't just improve your crisis response, it makes your operation more mature as well.
