Global diversity is having a moment – and rightly so. Over the past year, our differences have become more pronounced than ever before. The pandemic has highlighted divides in wealth, race, health, and more; poverty levels are being discussed with conversations around food bank distribution, age is noted during vaccine access and administration logistics, we’re seeing more appreciation of the language surrounding gender identity, and racism is being tackled head on with movements like Black Lives Matter. Diversity is crucial to the way our world functions; different backgrounds and perspectives bring new ideas, fresh creativity, various interpretations, and a deeper sensitivity. While this is vital in our social circles and workplaces for a richer and less discriminative life experience, it’s also paramount when it comes to preparing for and responding to crises effectively.
Situational awareness: the golden ticket
A key element of being able to manage a crisis proactively (as opposed to being pinballed through it) is building and maintaining effective situational awareness – that’s an understanding of an event (or crisis) given the available facts, your interpretation of them, and your ability to project those into future potential consequences. There will often be gaps in your knowledge, because elements of the unknown are inherent to crises. In cyber, that could mean an unknown source of a breach, a hidden attack vector, or a mystery motive. Crisis responders fill in these gaps intuitively, combining their knowledge of the facts with personal experiences, bias, and instinctive conditioning.
Everyone, for example, knows the tale of Captain Sully landing a plane on the Hudson River. The pilot used information from the crew on the ground and the geographical factors at play, combined with his professional experience and training as a pilot, to land the aircraft safely on the water.
A crisis management team (CMT) will likely be called on to use similar skills during a corporate crisis. Sometimes, a more complete picture is apparent and plenty of time is available, meaning CMTs can respond rationally. But when information and time are limited, greater intuition is required. If your personal experiences are skewed or aligned a certain way, the patterns you create from those – and therefore your intuition – will ultimately be biased too.
Decision making: the long and short of it
Poor diversity within a CMT means you’ll be prone to missing crucial points in a crisis. If everyone in your team comes from the same place, with the same socio-economic upbringing, etc., it’s likely you’ll agree on pressing matters. Bring in more diverse experiences – roles, backgrounds, genders, ethnicities, wealth – and your team will generate unique judgements, fresh thinking, and an assortment of ideas that one voice may not have otherwise recognized.
Former CEO of leading global risk and crisis management consultancy Control Risks, Richard Fenning, makes the point in his 2021 book What On Earth Can Go Wrong? that groups, “particularly those comprised of men gripped by groupthink”, tend to gravitate towards a positive decision and to “suppress their concerns”. When a team lacks diversity, there is “a kind of collective cognitive dissonance”. He continues, “People are party to decisions that they publicly support but privately disagree with”.
A diverse team therefore reduces the threat of social exclusion that groupthink allows, leading to more effective decision making that isn’t composed of Fenning’s mention of unanimously agreed decisions that never get implemented. The passive aggressive world of “agree, comply, evade” is far less likely to occur when your crisis team is diverse.
Communication: the voice of truth
Another important part of crisis response is good communication skills. There are three distinct parameters to consider when it comes to both internal and external strategic crisis communication. The first is accuracy: the information you provide about a crisis needs to be correct. It might be the wrong call to divulge assumed or implied information in the heat of a crisis. Instead, stick to the facts (unless you’ve got a wicked problem on your hands).
Communication should also be timely; information needs to be proffered and received at appropriate times. There’s no use telling hospitals about an influx of patients once they’ve already arrived. Information should, where necessary, be communicated well in advance so precautions and procedures can be implemented with maximum notice. Crisis management thrives on timely communication.
Relevancy is the final parameter of good crisis communication. With external comms, understanding exactly what is appropriate to reveal, and only sharing on a need-to-know basis, is a skill in itself. Captain Sully states how important it is to use the right language during emergencies. The use of simplistic language, such as “brace for impact”, communicates the significance and urgency of the message to the intended audience, while limiting the specifics of the situation. In a time-pressured situation like an aircraft emergency, the message needs to get across fast.
Internally, it’s a different story. Ben Hockman, our resident crisis management expert and former colleague of Fenning, says crisis communication with internal key stakeholders needs to be “much more deliberate”. A good practice principle here is that with a thorough situational awareness comes initial over-communication and over-resourcing of the crisis. “This can only be a good thing”, Hockman asserts. You can then hone in on specific areas once you gain control of a situation. By not over-communicating with your internal stakeholders during a crisis, you run the risk of a seemingly unimportant piece of information turning out to be a vital factor in later decisions. In other words, it’s better to keep your CISO in the loop on every tiny detail, rather than having to explain that one small element you kept quiet about is now the reason your systems are down. “In my experience”, Hockman states, “the worst crisis leaders are the last people to hear about information.” No one wants to inform an aloof, senior, or feared boss about something going wrong. This is where diversity and a culture based on learning rather than blame can make a difference.
It’s critical for CMTs to receive – as well as provide – comms that are accurate, timely, and relevant. Decisions made during a crisis are directly affected when either of these parameters are lacking. The wrong information may change an entire approach to a certain problem. Too late, and you may need to re-prioritize, sending the entire strategic timeline out of whack. Irrelevant info not only wastes time but also may inhibit another decision from being actioned.
Having diversity in a crisis response team allows you to engage all of these elements to your advantage. A varied team of individuals from different backgrounds and roles means your message will address and relate to a wider audience, while aiding in the management of different stakeholders. It also enables the team to empathize better with those on the other end and set the correct tone; understanding the requirements of those different from yourself will enhance your situational awareness when it comes to prioritizing what to communicate and to whom. Former FBI hostage negotiator Chris Voss calls this tactical empathy: understanding your opponent on an emotional level and using that to your advantage. Diversity facilitates a CMT’s tactical empathy, which can only improve your outbound crisis comms strategy.
Leadership: paving the way
Interestingly, females are said to be better crisis leaders than their male counterparts, a theme gaining traction since the outbreak of COVID-19. At the end of 2020, the Harvard Business Review undertook a survey about the most notable competencies that make for successful crisis management. The highest ranked traits included interpersonal skills, such as relationship building, inspiring and motivating others, collaboration, and powerful communication. Interestingly, their findings show that women were rated higher in all of these areas. Similarly, a report by the American Psychology Association found that states with female governors had fewer COVID-19 deaths compared to states with male governors, due in part to female leaders expressing more awareness of followers’ fears, showing concern for wellbeing, and having confidence in their plans.
New Zealand prime minister Jacinda Ardern (one of Forbes’ 100 most powerful women in 2020) has received global praise for her handling of the coronavirus pandemic, after two strict lockdowns eliminated the virus in her country. Similarly, former head of Ohio State Health Department Dr. Amy Acton was consistently praised for her early efforts of halting the virus. Christopher Devine of Dayton University told NBC News that many Ohioans trust Acton because she not only “justifies the policies being implemented” but also “understands how difficult it is for her audience to accept the news that she is delivering and the restrictions that are being imposed on their lives”.
That’s not, however, to say an all-female team would work any better than a team of men; it’s the mixture of individuals – of genders, ethnicities, backgrounds, roles and experiences – that make a knowledgeable, relatable team. One of the best ways to build this diverse team is to move away from traditional hiring practices, but there are many other ways your company can build its diversity.
What can we do?
Organizations are doing more to address diversity issues in the workplace, while some equally progressive schemes are being put in place to enhance diversity in leadership roles across the globe. In the US, the Chicago Freedom School offers an innovative approach to civic engagement and leadership development for people of all backgrounds. Their training, resources and programs aim to study the work of past movements in order to dismantle privilege-based leadership systems. If more businesses took the CFS’s approach and improved diversity, organizations would be much better equipped in a crisis.
Here at Immersive Labs, we are committed to increasing diversity in cybersecurity and maintaining an inclusive workplace culture – so much so that we have a working group in place to address, tackle and promote an inclusive culture within the company and beyond. We also recently undertook our first annual D&I survey, and will be shortly publishing the results. In addition, our Digital Cyber Academies provide free access to our platform for certain individuals to identify new talent based on skills and attributes, not degrees or certifications. We love to shout about our inclusivity and are releasing a series of blogs on what it’s like to work at Immersive Labs when you don't fit into the conventional view of what a cybersecurity pro looks like.
Practice makes perfect
Diversity needs to funnel down into your crisis teams to be able to handle incidents as effectively as possible. Once you’ve established your diverse CMT, that team needs to practice its crisis response skills. Immersive Labs’ Crisis Simulator is an ideal tool to stress-test these teams in realistic, pressurized scenarios designed to challenge your crisis response. Given the nature of the pandemic, the multi-role aspect of our dynamic scenarios is an especially useful tool for geographically diverse teams.
As physical security and cyber crises converge, Immersive Labs will develop scenarios that enable crisis management teams and organizations as a whole to make better decisions, communicate more effectively, and ultimately respond at a much higher standard. Don’t let a lack of diversity be your vulnerability. Book a demo and start preparing your teams today.
24 February 2021
Latest Blog posts
Wicked problems: navigating crises when there’s no clear path
1 April 2021
Play along with our new crisis scenario – Insider Threat: Pharma Drama!
31 March 2021
The People of InfoSec on the People of InfoSec: The Thought Leader’s View
31 March 2021
SaltStack: further injection vulnerabilities
24 March 2021
Immersive Labs Chooses Global Channel-First Strategy With 50 New Partners and Transparent Structure
18 March 2021
The View from the CISO’s Chair
18 March 2021