Martin Koopmans: “No crisis ever unfolds according to plan, and that is exactly why you need to practise”

According to Martin Koopmans, cyber crisis readiness is not about detailed playbooks or theoretical scenarios, but about something far more practical: knowing what to do when things go wrong and having genuinely practised it. “No two crises are the same. But if you practise, you at least know who is responsible for what, how the process should broadly unfold, and which plan helps guide you.”

That vision is deeply rooted in his career. Martin started in digital investigations with the police, where, from the early rise of internet crime onwards, he worked on cybercrime and digital traces in traditional criminal investigations. He later worked within the national unit and developed training materials for European police services. After that, he moved to ING, where he helped set up the Cyber Defense Center and later also worked on red teaming, including TIBER under the Dutch central bank, DNB. Via Waternet, he eventually joined Noordwest Ziekenhuisgroep, where he is now CISO. Alongside his role as CISO, Koopmans is also active as a trainer for CCRC. There, he mainly focuses on exercises that closely reflect the reality of an organisation. In his view, a good scenario should align with the type of organisation and with the existing processes for incident management, business continuity, and crisis management.

Cyber crisis readiness does not start on paper

According to Martin, the value of such an exercise lies not only in testing knowledge, but above all in exposing behaviour, decision-making, and ambiguities. And in practice, these often surface more quickly than organisations expect. One common problem is that it is not clear where incident management ends and crisis management begins. “What I often see is that organisations are not clear on this: what is risk management, what is business continuity management, what is incident management, and when do you escalate to a crisis? That lack of clarity can cause organisations to escalate too quickly or, on the contrary, too late.”

Role allocation also often proves less clear in exercises than it appears on paper. For example, Koopmans regularly sees that communications is not automatically part of the crisis management team. He finds that striking, because in his view communications is crucial for maintaining control of the narrative externally.

“If you do not communicate properly, the outside world will create its own story. And that is very difficult for organisations to correct later.”

This also touches on another pitfall: organisations trying to describe crisis management in too much detail. According to Martin, that may create a sense of control, but in practice it often works against them. “Sometimes I see organisations with a crisis document running to dozens of pages. No one is going to read that during a crisis.” What works better is a compact, practical plan with clear roles, concrete guidance, and an approach that leaves enough room to adapt when pressure rises. Because no matter how well you prepare, Martin says, “There are always surprises coming from the left.” In other words, something will always happen that you did not fully anticipate beforehand.

A learning organisation becomes truly resilient

That is exactly why he sees practising as part of a broader learning cycle. Organisations only become truly more resilient when they feed the lessons from exercises back into their processes and plans, and then test them again. In his view, this is no different from sectors where practising is already completely normal.

“The fire service and aviation are prime examples of learning organisations that train for emergency situations with realistic scenarios so they can remain calm under intense pressure.”

That discipline is still missing in many organisations, even though repetition is exactly what makes the difference between a plan on paper and a team that can act under pressure. That does not mean practising always has to be large-scale or heavy. According to Koopmans, you can also learn a great deal by using current incidents as the starting point for a discussion. “Suppose something similar happened at your organisation tomorrow. What would you do? Who would need to be involved? What choices would you make? Those kinds of sessions also help keep crisis management alive.”

In healthcare, continuity directly affects people

In his current work in healthcare, he also sees how important it is to connect crisis management to business continuity. In his view, the principles of crisis management are similar in every sector, but the impact of disruption differs greatly. In a hospital, some processes can be postponed, but others absolutely cannot. An outpatient appointment can take place later, but intensive care or a complex delivery cannot. That is why it must be clear in advance which processes must remain operational at a minimum level. “Before a crisis happens, we want to have measures in place that safeguard continuity at a pre-agreed minimum level.”

This touches on a point that he believes is still too often overlooked: if incident management and business continuity are properly organised, a disruption does not automatically have to grow into a crisis. He uses the metaphor of a spare tyre. As long as you have one and know how to use it, you can keep going. It is only when that spare is missing that a real crisis situation arises.

“If incident management and business continuity management are in good order, you need to escalate to crisis management far less often.”

If there is one framework that Martin believes helps organisations maintain control under pressure, it is situational awareness, judgement, and decision-making. First establish what is actually happening, then determine what it means, and only then decide what needs to be done. “Take a moment: what is happening now, what does that mean, and what do we decide based on that? That structure is exactly what prevents organisations, in the chaos of the moment, from jumping into action mode too quickly without a shared understanding.”

What leaders can start doing tomorrow

His main advice to leaders is clear: first identify where the greatest impact will be if things go wrong. Which processes are critical? What absolutely cannot fail? And what would that mean for customers, citizens, patients, or partners in the chain? “If you do not know where the greatest impact lies, you cannot protect it either.”

Then comes the step that, in his view, is still too often skipped: practising. Because cyber crisis readiness does not begin with a document, but with an organisation’s ability to work together under pressure, make decisions, and stay the course.
