Leading through a cyberattack

Letter to leaders

A conversation this week helped me reflect on the high calibre of leadership in Hackney Council that has been key to our work to recover from our cyberattack. At the time I took parts of this for granted because I’d not seen anything different. This letter is to leaders of public sector organisations that have experienced (or will experience*) a similar situation to ours.

* Sadly, trends in cyber crime suggest that there will be many more to come.

Dear Chief, 

You aren’t alone, but you’re feeling lonely right now. And you are also probably feeling confused and a bit frightened. You knew technology was important but didn’t really know that you also ran a technology organisation. And right now you have very little. Your staff can only see the things they can’t do. 

And you’re probably feeling angry. At the criminals who’ve attacked you. Because of the agenda you can’t now deliver. And probably more than a little bit at your IT. You were never entirely sure you were ‘getting it right’ with technology. There was always a gap between what suppliers told you, what you read about and what you saw day to day. And that gap is now a chasm. 

But enough about you. What about the job you need to do now? Firstly, do no harm. You are desperate to get back to business as usual. But there’s something more important. You must make sure you don’t have another cyberattack. They aren’t like house fires. If you rush recovery, you might just introduce a new threat. So whilst you’re desperate to recover, you need to give your team the time to be thorough, no matter how frustrating that will feel. 

Whilst you’d love to turn the clock back, the job of recovery isn’t to return to what you had. You now need to lead transformation of your organisation’s technology and data, and its relationship to it. You need to take your senior leaders through some core concepts that they might feel isn’t their job to understand. Whether it’s their role as information asset owners (and how that relates to protect the people you serve who have been affected by the attack), why cloud computing is an essential part of your recovery, or why your strategic imperative is managing data, not recovering legacy systems. 

Normally a change management cycle (or just grief cycle in this instance) gives time to work through awareness and then desire, but you’ve got to accelerate through that at a speed you and your organisation are unlikely to have seen before. You are going to need to make strategic decisions quickly and make sure that your decision making processes support that. For example, your IT team shouldn’t have to invest time and and capital justifying why now isn’t the time for a return to legacy software and why the greater security and agility offered by cloud is where they should focus. 

You’ll want answers to questions about why we’re here. You’ll be frustrated to learn about how complicated the recovery work will be and the lack of definitive answers. But asking the questions more frequently or more aggressively won’t change the position. It just incentivises your team to divert their energies from the work that is most essential to getting your services back up and running. 

Has your team got the skills to recover? Bringing in outsiders to run the strategy might be tempting but could easily become a significant impediment to recovery. Your team alone understands the architecture of what was attacked. They don’t need to spend time explaining that to outsiders. They may need specialist help – in digital forensics, in building cloud infrastructure or recovering databases – but let them describe what they need. 

But that doesn’t mean your team can run all the things. You’ll want to tell the public what does and doesn’t work, and when it will return. But the attackers are watching you, so you must take care to not help them hurt you more. And the same IT team tasked with recovery will be getting a huge range of demands from colleagues, regulators, politicians, other organisations and salesmen. The team are now your most valuable assets – give them the protection and space to do their best possible work. 

You also need a good communicator who can understand enough of the detail, but who can translate the recovery path, uncertainties and all, to a range of different audiences in language that they will understand. Your service users nd partner organisations will be looking for information you probably don’t have, and you’ll need to find ways to inform and reassure, without confusing. The task will become more complex as you move away from the ‘day by day’ accounts of the initial work towards the slower and more frustrating long tail of recovery initiatives.

You’ll be desperate to know that the team is working as hard as they can. But you won’t recover from your cyberattack this week or even next month. You’ll need them working effectively at a sustainable pace – quite possibly into next year. Stand them down that first weekend. And the next. The time you ‘lose’ will be made up in time you’ll gain in reduced staff absences and avoiding exhausted people making mistakes. 

Your teams will also be grappling with as many emotions as you are experiencing yourself, and they’ll be looking to you to keep them calm, focused and supported. Recognise this and design the mental health and wellbeing support they need. And remember that you’ll need a break, too. The teams will follow your lead and will echo the way that you respond.

The team is also running more major projects simultaneously than any organisation would ever rationally take on. They are rebuilding a huge number of systems and dealing with critical needs across your organisation. Your governance is ill-equipped for this. Firstly, work with your support services so that they work with your IT team. You want to reduce the amount of recovery time spent justifying business cases or signing off contracts. But it also needs coordination across the organisation. Your IT team shouldn’t have to invent that governance. But nor must they be subject to a governance framework that measures the effectiveness of delivering against a plan, in linear fashion. A genuine collaboration around risk, user needs and change management will build a capability in your organisation that you’ll benefit from for years to come. 

This isn’t the moment for everyone to point at IT, saying ‘solve this problem’. You need to harness the passion and collective energies of staff that would otherwise be under-employed to develop the right solutions to keep things running while recovery work is taking place. But you had a corporate IT function for good reason – now is also not the time for a free-for-all. Make sure your teams working on interim solutions are being thoughtful about how data is captured and managed – that diligence now will pay back many times over when you are recovering your longer term systems and will help protect you from potential new threats. 

Your team is likely feeling considerable risk aversion. Yet as you embark on your largest concerted investment in IT for a generation, you must ask: ‘do we want to spend this money to go back to where we were, or to leap forward?’. ‘We use that software because that’s what they use in the other place’ must never again be a credible argument in your selection of IT. If you aren’t leading a conversation about modern technology with your organisation, your investment will be wasted. You’ll have faced an existential crisis and blinked. 

If you can do all of this, you might find yourself the leader of an organisation equipped for the technology age and have stepped forward many years in your strategic capabilities to meet the future challenges you were already focusing on. The opportunities for your organisation, the people it serves and your staff can become a competitive advantage. 

And if you’d like a chat, just get in touch. 

Best

Matthew Cain