3212: From Log4J to MOVEit: What Cyber Crises Teach Us About Leadership

[00:00:03] If you're a business leader, what would happen if a cyber crisis hit your organisation? How would your leaders make high-stakes decisions when every second matters and the consequence of a misstep could be catastrophic? Well, in today's digital world, cyber incidents are no longer a question of if, but when. Whether it be the Log4J to a huge data breach. We've all seen in our news feeds that these incidents can ripple across every industry.

[00:00:33] Exposing vulnerabilities that organisations didn't even know that they had. And then they have obligations to NIST-2, GDPR and here in the UK the upcoming Cyber Resilience Bill. So the real challenge isn't just the technical response. It's about leadership under pressure. How do you react to all those big scary news headlines as they're breaking? How do you manage stakeholder expectations?

[00:00:59] How do you make strategic decisions when the margin for error is razor thin? So, how do leaders inspire confidence, maintain trust and build resilience that lasts beyond the crisis? Well, joining me today is Dan Potter. He's the Senior Director of Operational Resilience at a company called Immersive. And he's also an expert in helping organisations prepare for and navigate those nasty cyber incidents when they occur.

[00:01:29] One of the reasons I'm excited to get him on the podcast is his belief that effective management comes down to preparation, structure and continuous learning. So together, we will explore how leaders can learn from major cyber incidents, the key components for a decision-making framework and the essential steps for managing a crisis before, during and after that it strikes.

[00:01:54] So, how prepared is your organisation for the next inevitable cyber incident? And more importantly, how ready are your leaders to steer the ship when that storm eventually hits? Well, let's get Dan Potter onto the podcast to discuss all this and much more. So a big thank you for joining me on the podcast today. For everybody hearing you for the first time, can you just tell them a little about who you are and what you do?

[00:02:23] Yeah, Neil. Thank you. Good to be here. So my name is Dan Potter. I am a Senior Director of Cyber Drills at Immersive. And my job is really to help organisations run cyber drills, so technical exercises, free to executive exercises, so that they can help prove and prepare themselves for cyber disruption.

[00:02:42] I've got a lot of background, so I've got a lot of background, so I've got a lot of background. Well, thank you for joining me today. And it's those exercises you mentioned and preparing enterprises for cyber disruption is one of the reasons I invited you on the podcast today.

[00:03:04] I don't want to start on a downer here, but cyber crisis like MoveIt or Log4j, they've all had significant impacts on organisations around the world. So my first question to you has got to be, what key lessons can business leaders take from these famous incidents that we've seen dominating our news feeds, especially when it comes to managing future cyber crisis? Anything that you would share around that?

[00:03:31] Yeah, and they're great examples. And it's a good point to start off with. And it sounds obvious, but it's always if we want to be ready, we have to keep in mind leadership that it's a question of when, not if. You know, those that move it, Log4j, they're kind of supply chain events where the cascading impact of one of your suppliers could have really detrimental impact on your own business. Yes, just one example. And so the sort of things I would always advise leadership in any organisation.

[00:04:00] It's kind of obvious. Invest in the basics, right? Understanding your IT estate and your business processes. How many people struggle to understand where MoveIt or Log4j sat within their ecosystem, supply chain systems to, you know, how long did it take to work that out? But also, you know, cyber crisis, think about the interconnected way any business operates. So, you know, problem over here can have cascading impacts might not be directly cyber, but, you know, operational disruption over there for your business.

[00:04:28] How do you know about that on the basics, patching all of that good stuff, that discipline, having asset inventories up to date, but also, of course, playbooks and procedures. So understanding who will do what and when, what's the escalation path.

[00:04:43] One of the things I think those examples show is, you know, do leaders trust the process that their teams put in place and the playbooks and procedures, or do they react to something they see on the news and then start jumping in and intervening and asking for updates from their security operations team or technical teams, leadership teams? How does that either help or hinder? Because I've seen it in both ways, you know, people not following the process, inserting themselves into something because they want information because they're reacting to something on the news cycle.

[00:05:14] And that can be helpful or, or not, as may be the case. And then I think the final thing that all of those incidents say, focusing on the basics, understanding your estate, having good process in place and on escalation paths is never lose sight. If we're going to be ready, you know, when, not if we've got to think about the collective impact, particularly of those kinds of examples you gave me, even look for Jay.

[00:05:39] They impacted multiple organizations and how you respond technically is really important. How do you mitigate, eradicate, contain the disruption, but also how do you communicate externally? Because then we can probably come onto this kind of the notion of the court of public opinion. You're going to be judged on your act, your actions, even if they are technically brilliant in the way you respond. The way you externally communicate will certainly be all over social media very quickly. And that's something you need to keep in mind.

[00:06:08] And I think that is such an important point because having that emotional reaction to scary news headlines around threats and attacks and being judged on your next move, those things alone mean that decision making under pressure is a critical skill during any cyber attack. And I think it's something we don't talk about enough. So what would you say are the essential components of a well-structured decision making framework that leaders should have in place so they don't make those rash emotional decisions?

[00:06:38] Yeah. And I think that's such a key point that we all instinctively in a crisis sort of fall into the trap of reacting on instinct and gut, you know, this is what I feel to do. And then we're not following that decision making framework that we need to have.

[00:06:52] And I think, and I've seen from my time in financial services and working with organization today, it's imperative that you have confidence in the various teams that are involved in your decision making framework and recognizing at what layers of your organization, the certain types of decision need to be made.

[00:07:10] Because if you, if you have confidence in your security operations team to quickly identify this or your public relations team to communicate X, Y, and Z, whatever that needs to be, you can build trust and you can build trust in that decision making framework. All too often that trust breaks down. It's just not there. Right. And I'm certainly guilty of this in the past. I've created huge playbooks and procedures, you know, brilliant for compliance when the moment of crisis comes along, not necessarily followed.

[00:07:39] And I think that was down to a lack of confidence or understanding of the process part one, but also a lack of trust in capabilities. And that's what we've got to really recognize. I think the other thing, and whilst I'll always place great emphasis on playbooks, procedures, you can't not have them. Got to recognize every incident is going to be different in any organization. You've got lots of smart people who all bring different perspectives, who are all well-intended.

[00:08:09] They want to do what's right for your organization. They all need to come together very quickly and make collective decisions. And they'll all have that different perspective. It can be really powerful and really kind of amazing in the moment of a crisis to see those silos in a business break down very quickly, the silos in any organization. Because we're on mission. We understand what we need to do.

[00:08:33] So we're therefore taking, you know, good decisions or bad decisions, but we're following some decision-making framework. And just having that framework to guide that decision-making and making sure, to the earlier point, right, leaders at the C3 aren't inserting themselves into technical decisions. Technical leaders aren't trying to solve external regulatory compliance communication strategies.

[00:08:54] Pay to your strengths, but break down those silos in the process so that you have the kind of a real team spirit across those different organizations. But I think really key, and I've seen this in real incidents many times, psychological safety. Because you will make, even if you've got the best frameworks and the best technical capabilities and the best leadership decision-making framework in place, you know, we will, with hindsight, have made mistakes. We could have done things better.

[00:09:23] And obviously, in a cyber crisis, you know, we can get really blinkered really quickly. And we need to be able to call each other out and say, hey, Neil, are you sure that's the right decision? Like, you're sounding really confident, but are you sure that you've considered all the possible things? So we need to be able to not blame people if we make wrong decisions, but also at that moment of crisis in the decision-making framework, have confidence to be able to call you out. Not in an aggressive kind of blame game culture, but say, how sure are we that this is the right thing to do?

[00:09:53] But without spending, you know, hours and hours in inertia, not making a decision. And that comes back to what's the framework we're going to make for decisions? And do we trust each other? And do we have confidence in their respective knowledge, skills and judgment? For me, that's the key thing. It's that framework, trust and confidence between different teams, recognizing where people play to their strengths and what roles they need to adhere to and follow. There's just so many great points there. Pure gold for me.

[00:10:22] And I'd love to try and bring to life some of what you said there. And maybe think about a real-world scenario. Let's imagine a business leader listening. They've just had a cyber crisis. It's all over the news. They are impacted. Every decision they make could have far-reaching consequences. What should that leader prioritize in those opening hours of the crisis to minimize damage and maintain trust from the outset? I appreciate every attack or crisis is different, but where should they begin?

[00:10:52] Yeah, it's a great question, right? And I don't envy having seen leaders respond to various incidents, various cyber crises. It's difficult. And I think let's recognize that. This is not ever going to be easy. In fact, the more you prepare, the better and easier it will be. But it's never going to be this simple thing. But in those first few hours, I think it's really important to recognize that you could get blinkered on a particular issue very quickly, especially in the first stages of a cyber attack. You're going to get lots of technical information.

[00:11:21] You're going to have lots of unknowns. Unknowns. So figuring out the unknown knowns at this point, but not getting blinkered on a particular, this was the entry path or here's, you know, they've made lateral movement on XYZ server to XYZ box or whatever it may be that this technical team are giving you. It's kind of, yes, understand that, but take a step back and understand the bigger picture and look at the bigger picture at that leadership level.

[00:11:49] Like don't get fixated on one particular problem because that is the immediate thing in front of you, but it's probably going to lead to 10 other problems. And you need to be elevating your decision making and empowering those people who are best placed to make that immediate decision about that particular technical aspect, for example, or the communication to customers. I think the other thing in those first few minutes and hours of a cyber incident is it's very quick.

[00:12:15] You know, the energy's going, everyone's kind of, you know, fearful. They're engaged. They're all different as people get brought into a cyber crisis. They're all coming in obviously with different perspectives, but they're coming in with different understanding of the situation. So making sure that you level set what the situation is so that everyone in the room making decisions understands as best they can what is happening. But then you are very clear on assigning out those actions.

[00:12:44] And the other key thing about that is you might get cyber crisis response. You might just need a core group of very senior people in the room to make the overall strategic decisions for your firm. And there's all sorts of good reasons for that, but you need to be able to communicate out. So all too often, you know, you can think about the crisis team getting together, making a decision, feeling that they've assigned that action. But actually nothing's left that physical or virtual room. Well, they're not communicating out in a way that makes sense to the rest of the organization.

[00:13:14] So you could become quite isolated without realizing it very quickly in that initial stage. So making sure you've got a clear way of external, not externally communicating outside your organization, but communicating outside that bubble of the immediate core crisis leadership team. I think the other thing in the first few stages of an incident, it's always important is sort of building on that point about not getting blinkered on an immediate issue,

[00:13:41] thinking about the strategic picture, particularly with say a cyber incident. Let's not forget we're being attacked by individuals. So unlike a natural disaster, which is awful, of course, and far reaching implications, but relatively contained in a geographical area, you know, they don't natural disasters, mother nature and all of that good or terrible stuff is the way to think about it. But when you're being attacked by a cyber attack, you know, there's attackers on the end.

[00:14:07] There are people with distinct motivations. What's their end goal? Is it simply criminal activity and they want to make some money out of you? Is it an activist group with a political motivation? Is it a nation state? I think that's important to not lose sight of because that might inform your response. And a final recommendation, that early stage.

[00:14:28] I don't think firms often engage sort of the wider community quickly enough in those early stages. Some firms do this really well. But think about, you know, threat intelligence sharing organizations, the informal and formal networks, you know, the cyber community.

[00:14:48] We're really good at collaboration and, you know, being able to speak to, if you're a CISO, peers at similar sized organizations or through the formal government or public sector, you know, public or private sector. Information sharing networks to understand what's happening and to get as much intel as possible is really vital. But you need to know who those networks are, where they exist so you can make most use of it. And that's key.

[00:15:17] Who are your key people in the room? I think. And of course, if it's a large scale data breach, for example, the boardroom will be immediately nervous and sweating because of the potential fines and indeed commitments to things like GDPR, NIST2, the upcoming cyber resilience bill here in the UK. That could raise ethical dilemmas around whether to disclose breaches immediately or how much information to share.

[00:15:41] So how should leaders also navigate these challenges while balancing transparency and security and so many other different aspects? It's an incredibly stressful time, isn't it? But what should they be doing there? It's definitely stressful. And you're right. Like, it's really important to understand all those different obligations you have and to which stakeholders and understanding, like, who in your team, in your crisis leadership team is responsible for communicating with which agency, which stakeholder set at what point.

[00:16:12] So to your question, though, like, this is a difficult dilemma. You know, every situation, of course, is different and each organization will have its own risk appetite. But I will come back to this kind of court of public opinion. You will be judged on your response. You will see news outlets commenting. And we saw this with high profile incidents last year. You know, company A made really great statements. The CEO was very forward footed in how they responded. Other organizations went.

[00:16:41] You need to think not only about how you're technically responding to the incident, but how the media, how the wider public might react and judge your response. And that leads to a conversation of, well, what should we disclose where and when? And what's that stakeholder map of communications we need to give? I see lots of times organizations, you know, they know that they've got to notify for GDPR, you know, within X period of times we've had a breach or to the PRA or the FCA financial services.

[00:17:11] I'm definitely of a view of, yes, you'll have the formal notification. And that brings with it lots of detailed reporting that you need to do. And it's time consuming in itself. But I would always say regulators, they understand. They understand the situation you're in. So the sooner you pick up the phone and even just give them a heads up, hey, we are responding to this. We are looking into it. We don't have all the information now. We are preparing our formal submission.

[00:17:38] That kind of heads up call is so much, it's of so much value because you're giving, they understand. Like this is not easy and that you've got to balance investigating the situation and understanding the impact on your organization before you can fully submit the detail that they would want. But giving them that heads up and it's the same with the board is absolutely important.

[00:18:03] I think leaders listening to this conversation, you've got to think about the different perspectives that your legal team, general counsel will have versus someone from your public relations media team versus someone from your customer client facing side of the organization. And again, this is why preparation is key. Like what's our risk appetite? What's our response? What channels are we going to use to respond? Are we going to respond on social media? Are we going to have a CEO in front of camera?

[00:18:32] Are we just going to release a press statement? Are we being strategically silent? All of those are valid, but you need to sort of work through them in advance. And that comes back to that decision making framework. And I think resilience is key in recovering from any cyber crisis and poor management or poor response to an attack could damage a reputation for up to five years from that court of public opinion that you mentioned there.

[00:18:57] So what steps can organizations take after an incident to not only recover, but also strengthen their defenses and leadership strategies for any potential potential future threats? Yeah, great question. I'm going to come back to resilience, which for me is all about being able to bounce back from a change in circumstance or a shock.

[00:19:17] And so before I sort of get into that question, which is a great one, I also want to just sort of tail on the point here because I think it's linked to, you know, if you think of a, you're responding to a crisis situation, leadership can get very focused on we must notify the regulators. We must notify X, Y, Z, the court of public opinion, really key.

[00:19:35] I think there's real value in having someone in your crisis leadership team who understands your business and they should be doing this in advance, which comes on to a resilience question and who at the time of the incident occurring can be in the room, not there to respond formally to regulators or to your customers, but to almost be put into a role. We'll say, you're the client advocate.

[00:19:58] You're here in the room representing our business, but we want you to wear the hat of our customers or external stakeholders, whatever they may be, depending on your organizational fit, purely to be there to say, hey, we're making these decisions. We're thinking this is the right thing to do, but actually what would help our clients, customers, external stakeholders most? So having that advocate is really key.

[00:20:19] And that coming onto your question about resilience and recovering, the more that you invest in that kind of bounce back ability, what do I mean by that? You know, the more that you have people prepared to operate with unknown situations, limited data, you've got the process in place, you've got the technology, but you've also got the people who have the trust to work together.

[00:20:41] However, the better you are at being able to advocate the best response for your external stakeholders, but also maintain your business and bounce back. And, you know, coming onto the resilience question in this, absorb the shock, be able to bounce back, cyber being the most severe yet most plausible type of disruption we can face.

[00:21:02] I still think lots of businesses need to break down silos that probably exist between the cyber team, the business continuity team, the third party functions, but also really with the business. What do I mean by that? I think CISOs, cyber teams, you are specialists. We are specialists in a particular domain. We're never experts in widget manufacturing or releasing payments or accounting, whatever our business organization does.

[00:21:31] We're not experts in the services goods that they might deliver, but the business are. And so we need to make cyber response, cyber resilience a business imperative. And we need to understand what really matters to our business, because what we think matters may not actually be true. And you don't want to find that out during a cyber incident and then the long sort of tale of the recovery.

[00:21:53] So sort of I would this is a long winded answer to your question, but coming into resilience, like focusing on working with your business. They want to understand the risks, educate them on the cyber threat landscape, of course, but then in turn ask them to say what really what systems, what processes, what suppliers are really critical to their business? What kind of harm or impact could be caused to your organization's customers, external stakeholders?

[00:22:21] At what point if you can't deliver a certain thing so that you have this understanding of what is absolutely vital to protect and where you need to invest in your resilience capability, but also bring the business with you. And I don't always see enough people bringing the business with them. I still see disconnects between the business continuity function has one way of looking at the business, the cyber team and other risk functions.

[00:22:47] And if you if you're not all understanding the common imperative for your organization, you're not you're not going to you're setting yourself up for failure. I suspect for many people listening, well, they've all had that dreaded annual compliance training where they sit at their desk and just hit next for 30 minutes. And it doesn't work. Something that's always baffled me. And one of the things that stood up for me about what you're doing is immersive focuses on building cyber resilience through continuous learning.

[00:23:15] So I've got to ask, I mean, how important do you think that ongoing training and simulation for leadership teams and how important is that? And how does it improve decision making during these real world incidents? Because it sounds great, but I'm just curious on the real impact that it has as well. What have you seen there? For me, it all comes back to that that trust and confidence and capability, right? If you've got smart people and you can prove it and you understand where there's gaps. So let's take your security operations team.

[00:23:44] Why would you send them on one training course a year in a threat landscape that's constantly evolving, constantly changing? Why would you do a theory based tabletop exercise? Say, how would we respond in this situation?

[00:23:57] You've got to get them hands on keyboard, running through exercises on a frequent cadence to build that muscle memory so that you know, if you're in leadership, that your security operations team have the right skills and judgment in place to ideally prevent the situation in the first place. But of course, we know it's when, not if, but when that bad cyber day occurs, they're going to take with the best intent.

[00:24:26] They've got the best skills possible. I can prove it to my regulators and other stakeholders because we've done regular exercising, not just one four hour thing a year and tick box kind of compliance training. We've gone through sort of hands on keyboard demonstration of skills and we've identified where they've got strengths and we've identified where they've got weaknesses. And then we've done a program of upskilling, this continuous upskilling at that technical level, security operations team, right? Feed to the executives, right?

[00:24:54] I think I still see many organizations, their idea of exercising the executive leadership is one exercise once a year or five hours. It's the same people every year. They go through the same exercise scenario, different flavors of it over and over again. These people change, you know, you've got to, in reality, these people are all over the place.

[00:25:16] And on the day of the cyber incident and those first few hours we were talking about earlier, that core group who went through your one exercise a year almost certainly won't be the first responders.

[00:25:26] So you need to get their deputies involved and you need to think about ways of engaging across your organization so that you've got that resilience at multiple layers in terms of decision making and people who are comfortable to step up to the plate if they need to on making decisions to approve a containment action or on approving external communications to the regulator about a GDPR breach or whatever it may be. And all too often, that sort of tick box training, it's the same scenario over and over again, same lessons learned every year.

[00:25:56] It's very subjective because we're just measuring someone's discussion and, you know, picking on you, Neil, you tell me you can reverse engineer this malware really quickly and solve it in five minutes. Great. Prove it to me now. And that's what I need. We need the proof because that then builds the trust and confidence that makes us more effective at decision making in a crisis.

[00:26:17] And we started our conversation today talking about the importance of preparation, how that's half the battle and the practical steps that companies can take before a crisis occurs. But I think we've covered so much here. So most people listening should have a good idea on how to be prepared. But now I'm going to ask you to look into my virtual crystal ball and scare everyone here. What emerging cyber threats do you think pose the greatest challenges for leaders?

[00:26:42] And how can organizations evolve their crisis management strategies to stay ahead for when those inevitable threats become a reality? Yeah, no, great one. So crystal ball time. We can definitely talk about AI and how that will probably be used, or if it already is, to use ever more sophisticated phishing campaigns that act as the entry point into your organization. And ransomware and supply chain compromise. I still think they're the biggest things.

[00:27:12] And it goes back to that hygiene factor, of course, that we need to get it really down to a T. How are we going to react and respond, whatever the entry point into the organization? And yes, AI helps us as defenders, but it also helps the bad guys for want of a better term, the threat actors. But I think we can get over fixated on that. What we have to do is make sure that our teams are constantly ready. It's hard. People have very busy day jobs.

[00:27:41] It can be relentless. So how do we make sure that we're constantly prepared with different, you know, regardless of the cause of the disruption? How do we react and respond? I mean, I think, Neil, we could get into geopolitical situation in the world. That's a whole other podcast for another day. But if anything, you know, we need to be ready to adjust to very quickly changing circumstances.

[00:28:07] And my final thing that if we look at any cyber incident, you know, call it the black swan, whatever it would be, we need to be able to respond as an organization to multiple shocks at the same time. So one cyber attacker gets in, there might be other cyber attackers or, you know, there's some other disruption in the world. A natural disaster occurs at the same time. And it's just the way the world sort of sometimes happens as you get certain multiple incidents at the same time.

[00:28:34] And you've got limited resource and you've got conflicting priorities. So my message here would be, yes, worry about AI, worry about the basics, ransomware, supply chain, insider threat, geopolitical situation of exchanging. But it's about, have I got an organization that has the agility to manage and respond to multiple different shocks simultaneously? And they could be caused by an attack against my own organization or across my supply chain, a wider ecosystem.

[00:29:03] And that creates ripple effects, cascading impacts on us. So just need to think about all of those different challenges would be my advice for the year ahead and beyond. Well, we've covered so much today and I cannot thank you enough for sharing your invaluable insights, but I'm going to be a little greedy here. I'm going to ask you to share one final gift with everyone listening. And that is a book that you'd recommend that we can add to our Amazon wishlist.

[00:29:28] It can be about anything at all, but if there's something you'd like others to check out, I'll add it to that list. But what would you add and why? So we're going with a random one here. This Thing of Darkness by Harry Thompson. It's a great book about Captain Robert Fitzroy. It's got Darwin in it and it's all a true story. I live here in Walthamstow. Darwin, part of it features around here. So I would recommend that book. It's an enjoyable novel where I certainly found it.

[00:29:56] So it's got nothing to do with cybersecurity as well. I will add. I love it. Well, I will get that added to the Amazon wishlist. And for people listening that have more than a few questions or they're just inspired by what you've talked about and like to find out more, where would you like to point everyone listening? Yeah, absolutely. ImmersiveLabs.com would be where to go. We have a website and I'm happy to share more information.

[00:30:22] And they're about how we help organizations prove and improve their cyber readiness and make sure that they are prepared for the inevitable disruption. Well, there's so many big takeaways from our conversation today from what we can learn from previous major cases like the Log4j example,

[00:30:41] the key components of a well-structured design making framework and somewhat of a checklist for effective management both before, during and even after a cyber crisis and having time to leave us with a great book too. But more than anything, just thank you for joining me today. Thanks again. Thank you. I think my conversation with Dan today really brought home one undeniable truth. Cyber incidents will happen.

[00:31:07] But how your leaders respond, that will define how your organization recovers. And as Dan highlighted today, effective crisis management is about much more than technical fixes. It's about strategic thinking, communication and trust. And we learned that successful leaders in these moments will rely on well-structured decision-making frameworks rather than an emotional response.

[00:31:37] And an assurance that roles and responsibilities are immediately clear so teams can collaborate seamlessly. Ultimately, it's not enough to just trust in technical fixes. Leaders need balance, regulatory obligations, stakeholder communications, and the strategic perspective of the broader business impact. So, as we wrap up today, I'll leave you with this.

[00:32:02] Is your organization prepared, not just technically, but operationally and culturally for the next cyber crisis? How well would your leaders perform when that pressure hits? I'd love to hear your thoughts on this. You've heard from me. You've heard from Dan. What does your cyber resilience look like to you? Let's keep this conversation going. Please email me, techblogwriter at outlook.com. Get me on LinkedIn, Instagram, and X at Neil C. Hughes.

[00:32:29] There are also 3,200 plus interviews over on my website, techblogwriter.co.uk. Let me know your thoughts. So today was heavily focused on cyber resilience. Tomorrow is a completely different topic. And I cordially invite you to join me again. But thank you for listening as always. And I will speak with you all tomorrow morning. Bye for now.