Capgemini is the department’s strategic consulting partner, responsible for running its flagship security education and awareness programme. Realising that a major data breach or other threat resulting in a crisis could quickly erode public trust, we worked with our client to conduct realistic, immersive exercises for its leadership teams, including complex cyber incidents that could have significant impact.
The objective was to ensure that senior leadership understood the value of strong crisis management in handling the inevitable fallout, and to clarify the appropriate roles and responsibilities. By building relationships across the organisation, we were able to strengthen the department’s ability to manage a multi-domain security incident and ensure that external and internal communication would be clear and concise. In many high-profile cases the public response is frequently as important as, if not more important than, the internal management of the incident.
To date we have run two crisis exercises, in collaboration with subject matter experts at the department who provided detail on systems, security, incident management processes, business continuity, legal advice and communication. Each exercise took around 10 weeks to prepare, during which time we designed detailed scenarios comprising multiple security crises and incidents.
The exercises included realistic elements such as simulated BBC news videos, social media feeds, written press and internal emails. The executive teams were tasked with responding to each of these items, testing their ability to deal with the press and take decisions to manage the impact of the incident internally.
Participants were observed by security experts within the department who also captured feedback. We then delivered a detailed report including recommendations and considerations for the evolution of the department’s incident management capability.
The exercises raised the profile of potential multi-domain incidents and highlighted the importance of effective and efficient incident response and incident management. As a result, there is now essential senior buy-in to the security education and awareness programme and the role the senior leadership team has to play. After the initial exercise we received recognition and praise, with the CSO calling the exercise, “Brilliant but utterly terrifying.” We were also rated 9 out of 10 based upon value, scenario realism and the overall experience for the second exercise.
Following the success of the programme we are supporting the department to design and deliver pan-Government services around security education and awareness, crisis exercises and security maturity assessments.