Why is cyber crisis coordination so hard?
... and why crisis coordinators are such a rare bunch?
“What exactly do you DO here?” a CISO asked me 48 hours into a crisis.
Fair question. I’d been in every meeting, written half the comms, coordinated with external teams, and somehow still hadn’t ‘fixed’ anything within his area of responsibility.
After managing dozens of crises since 2019, I’ve learned the crisis lead role is invisible when it works—and catastrophic when it doesn’t.
But, then again, what exactly do I do here?
Here’s what that role actually entails, depending on the victim organization’s maturity in crisis-management capabilities.
Coordination and governance
Ensure cross-functional coordination between all stakeholders (CIO, CISO, business units, executive management, external service providers)
Ensure the proper functioning of crisis cells (decision-making and technical)
Verify that crisis cells are effectively staffed and operational, and raise alerts in case of failure
Define (if not already in place) and enforce the cadence of crisis meetings (frequency, duration, attendees)
Maintain alignment between the decision-making cell and the technical cell throughout the crisis
Advisory role and interface with executive management
Provide executives with the information required to make informed decisions
Clarify technical, legal, and communication-related risks
Help translate technical issues into business language for the executive committee
Advise management on strategic trade-offs (restart priorities, resource allocation)
Frame discussions around a potential ransom payment (in ransomware incidents) using factual, objective elements
Contribute to drafting (or, in many cases, directly writing) internal and external communications
Operational sequencing and steering
Contribute, when requested, to defining the sequencing of actions based on how the situation evolves
Ensure consistency between isolation and remediation actions
Validate prerequisites for a phased restart of information systems (initial compromise date, available indicators)
Track the progress of incident response and forensic investigation teams
Coordinate the transition from emergency response to reconstruction
Documentation and traceability
Ensure proper logging and incident diaries are maintained within each crisis cell
Advise teams on traceability of checks performed on systems prior to restart
Coordination with external parties
Coordinate interactions with external incident response teams (CERT/CSIRT)
Organize technical communications with interconnected customers and partners
Help standardize and scale the process of reassuring third parties (technical commitments, evidence of controls)
Facilitate interactions with authorities when required (national cybersecurity agencies, law enforcement)
Remediation and security advisory
Advise, when appropriate, on the deployment of emergency cybersecurity solutions (EDR, monitoring)
Validate conditions for the progressive reopening of Internet access
Ensure hardening measures are integrated into the reconstruction plan
Support the definition of criteria for pre-restart control checkpoints
Human and logistical management
Alert management to the risk of burnout among key personnel
Monitor team cohesion and morale throughout the crisis and raise alerts if degradation could jeopardize crisis operations
Preparing for crisis exit
Define objective exit criteria with the decision-making cell
Prepare the handover to internal teams for the return to normal operations
Contribute to organizing the post-incident review
Identify security initiatives to be launched after the crisis
Of course, every crisis and every organization is different, so the balance across these areas can vary. Some internal functions may fully take over certain tasks from the crisis lead—but he or she must still maintain visibility over them, either to contribute directly or to enrich collective decision-making.
Today, this role is better understood, yet remains just as difficult to staff (internally and externally). It is often split across several profiles, particularly within organizations. But this inevitably increases the coordination burden—which is then frequently outsourced.
After another crisis ended, a CTO confessed: “I wasn’t convinced we needed you. But I get it now. You were the glue.”
That’s the crisis lead role: the glue nobody sees until everything falls apart without it.