Crisis Designer Podcast

Engaging Leadership in Cyber Crisis: The Role of Realism and Storytelling - A conversation with Daniel Valdepeña

May 14, 2025 · 34 min · 4,474 words

Show notes

In this episode of the Crisis Designer Podcast, we speak with Daniel Valdepeña Cross, Senior Risk Analyst at Nestlé. Daniel shares his expertise in designing immersive cyber crisis simulations, highlighting the evolution from traditional tabletop exercises to dynamic, interactive scenarios that engage decision-makers in real-world crisis responses. He discusses the challenges of translating complex IT issues into business-relevant concerns, emphasizing the need for realistic, localized content that resonates with leadership. Daniel also reflects on his journey in cybersecurity and crisis management, offering valuable insights into how immersive simulations can prepare organizations to handle cyber crises effectively, with a focus on decision-making, impact assessment, and continuity planning.

Highlighted moments

a cyber crisis is effectively a business crisis.
If the scenario is not realistic enough or closer to what they see or to what they matter, they won't be engaged.
I wouldn't suggest putting those as findings directly that they need to follow up. Because it would also break the dynamic and the commitment of management to jump in and have it.

Transcript

Engagement in Crisis Scenarios

0:00 If this scenario is not realistic enough or closer to what they see or to what they matter, they won't be engaged.

0:22 Hello, everybody. This is Belen Santaolalla from Conductor Crisis Exercise Platform. You're listening to the Crisis Designer Podcast, where we explore tips, thoughts and ideas to help you design better crisis management exercises. Whether you're into crisis response, reputational risk, business continuity, information warfare or immersive simulations in general, this podcast is for you. As you know, in each episode, we bring in experts and practitioners who share their real world insights, tools and techniques to help us all strengthen our work in resilience and crisis design.

Guest Introduction

1:06 Today, I'm very excited to welcome Daniel Valdepeña-Cross, Senior Risk Analyst at Nestlé. Daniel is a cybersecurity governance, risk management and compliance specialist based in Barcelona, with over five years at Nestlé, leading a range of initiatives from ISO 27001 reviews to cyber crisis exercises. He supports and coaches stakeholders in improving their security posture and collaborates closely with technical teams to maintain strong security controls.

1:39 He's also creator and co-host of an internal security podcast. And most recently, he has piloted a cyber crisis immersive simulations project to train leadership through realistic tabletop exercises. Daniel, it's a pleasure to have you with us on the Crisis Designer Podcast. How are you today? Hi, Belen. Thank you for inviting me. I'm doing great. And greetings also to everyone listening. Fantastic. So let's get this party started.

Role at Nestlé

2:11 What is your role at Nestlé and what do you focus on day to day? So, well, as you said, I'm a senior risk specialist, which covers multiple areas, especially on the compliance side. And I would say that I do anything that I get assigned to. And as a senior, I think that we get assigned the new projects or difficult projects. In this case, one of my main areas is the immersive simulations project.

2:42 We started it as a tabletop exercise initiative. So we need to train management on how to respond for a cyber crisis. And now we evolved this software, this service offering to now making it immersive simulations. So that's mainly my role at the moment.

Immersive Simulations

3:02 Mm-hmm. Okay. So what brings up the need to make the simulations immersive? Okay. So first of all, it's an evolution, a natural evolution of having a tabletop exercise program. So having management exposed to how a cyber crisis may develop in the real world. At first, we started with just the document-based tabletop exercises, which were good.

3:34 But we realized that we needed to bring something that was more realistic based on how a cyber crisis develops. And a document-based exercise is limited to that extent. So what we decided is to try to pursue an RFP. We went through the whole process and found what was, at least for us, the best option. We decided, in this case, Conductor. And this is not sponsored by Conductor. This is just my personal opinion.

4:05 And we've been using it technically for a year now. It's been two years with some extra support. But now we have built the internal capability of running those simulations ourselves. So the need is that we need to expose those who are decision makers to how a cyber crisis happens. And to make them aware that a cyber crisis is effectively a business crisis.

4:37 And why do you think this is important for organizations today? Yep. Well, first of all, because it's not a matter of if it's going to happen to your company. It's a matter of when it's going to happen. So for that, the decision makers, the ones that are on top management, need to know what decisions they need to take, how they're going to trigger certain processes to respond to the emergency for the sake of the business, but especially for the sake of the people.

5:14 So the main item is people's safety, of course, and there are other types of continuity and quality related simulations, but I'm based only for the cyber crisis ones that may impact the others. For example, if we have a cyber crisis, let's say a ransomware infection in a factory, well, it may impact the production, may impact even the safety of the production.

5:46 So they need to consider what are the potential business impacts that derive from a cyber crisis. So even though it starts as an IT matter, and IT is there to translate the language to the business, in the end, there is a financial impact, there is a reputational impact, a legal impact, and those are business decisions that management need to take. So the relevancy is there that even if it starts as an IT matter, a server down or whatever, it may be a business impact.

6:24 And in the case of a cyber attack, definitely ends up, as we've seen in multiple cases throughout the years, that it's a business crisis. Definitely. And do you think there's, what would you say is the biggest challenge in improving security across business units?

6:43 I think that we can say that there, and I cannot speak in the name of the company, so I need to limit that part, but I would say that there's elements of maybe people not being that aware of how much a cyber incident may derive into a business incident, that lack of awareness. However, once you make them aware that that may happen, then it's like a Eureka moment.

7:23 So they open their eyes and they then may panic a bit, and then they get the motivation of, we need to fix this. So that's what matters, right? So it's a challenge to first have them participate, of course. I mean, management in any company is busy. So to get them to sit for an exercise of two or four hours, it's quite difficult to get that in the agenda. And that is not my responsibility.

7:54 I work with my colleagues in the different countries that we have. So it's their success story on how they engage with management, right? But it is important that nowadays students struggle that much, that they give that space to IT and to security, to speak. Because top down, at least in our company, it is important. It's, let's say, sponsored from top management. It is a well-known fact that is for survival of the company.

8:28 So it is supported on that end. But still, it's like speaking another language for certain people, right? They're used to business stuff. They're not related to IT. Even us within IT, we don't know all the areas of IT, right? So in that matter, it's trying to translate the language of maybe from a technical perspective into the business side. To say, don't focus on this matter of the server. Focus on what is the result of that server being down, for example.

Designing Scenarios

9:02 Got it. So taking into account that that's like a major point, like translating the IT matter into a business-relevant issue, how do you tackle the design of the scenarios? How do you start creating an immersive exercise?

9:20 First, I think that what you need to consider is what is your threat landscape, right? So what is what your company is exposed to, and for that, it is important that if your company has a cybersecurity operations center, an incident response team, a threat intel team, to check with them what they're currently seeing so we can craft scenarios based on that so we can train the people, right? So that is the main tip that I may consider.

9:52 It's not a one-person work, and the scenario designer needs to work with other teams that may know what's going on, maybe the factory security, maybe with the ones responsible for the crown jewels of the company, but what they see in a common basis. And then you need to consider that even though the narrative of the scenario may start as an IT matter to try to not focus on what would be the resolution of the IT side.

10:26 So for that, you need the participation of those that would be in charge of it. In our case, the simulations include members of the cybersecurity operations center to try to first clarify what they would do in such situation and try to have the participants not deviate too much into that side, into an IT discussion. But rather, and that is clear for IT in each of the countries, that this is what we would do, but this is the consequence of it.

11:00 So it means that this business process has been affected. So try to funnel the conversation into their areas, into what they would do in a real situation. So to take that into consideration when you're designing the narrative of the scenario, to not make it too IT heavy. Of course, it depends on what is the type of scenario that you're doing or type of exercise. If it's business continuity management or an IT crisis side, well, then you may have the freedom of making it IT heavy or technically heavy in terms of the language.

11:38 But if it is for upper management, you need to try to, I cannot say that make it high level, but rather to just focus on the business side rather than on the IT matter. If it has a PCP, maybe it's not the right audience, so you need to think on your audience and rather to focus on what is the consequence on financial matters, for example.

12:08 So after that research that you have to do and talk to the subject matter experts to extract the reality of the processes and the consequences of an event of this characteristics, how do you make the exercise to be truly effective?

12:33 Well, first of all, we work with the SMEs. So meaning to make it realistic is the first thing. So if, for example, we're working for a specific country, we work with the technical expert of that country that knows the environment based on the scenario that we will be using to make it realistic, use real system names. Maybe we don't use real people's name just to avoid putting someone in the spotlight.

13:03 But the intention is that we need to make it localized, right? So try to use terminology or things that are related to them so it's closer to them and then they will feel that this is happening. This is more realistic, right? And if, for example, you use generic English-based names or an exercise in, I don't know, Argentina, maybe it's not going to fly.

13:38 Yeah. You need to localize it. That would be one of the main items. Work with the experts that know the environment so you don't go too Hollywood into that matter. We need to make it a bit dramatic, of course, just to add pressure, but try to make it realistic. And for that, work with the experts. Okay. It makes sense. So now you've experienced the transition from tabletop exercises and heavily based on documents or slideshows into immersive, interactive, dynamic exercises.

14:18 What would you say are common mistakes when you're translating or transitioning from one type of exercises to other type of exercises? Well, the thing that I believed, let's say, first hand, is that the content that you have in a tabletop exercise is not enough for simulation. So you need to create way more content to make it dynamic. So in a document-based tabletop exercise, well, you may describe the situation, maybe simulate that an email is happening or a situation report or maybe a website screenshot, right?

14:58 But it's not enough for covering the hours. So for a simulation, even if you translate that into the tool, speaking specifically of Conductor, for example, the content wouldn't be enough. So then you need to get your artistic hat on and try to get inspired to make it realistic and have more content. Let's say, using social media post simulation, using media, that's one of the best items in terms of an immersive simulation.

15:36 You can emulate a call, you can emulate some videos, for example, news that are going on. So using those elements to make it more dynamic and more engaging, I think, is one of the first mistakes of thinking that what you have would be enough for an evolution of your program. It's not enough. It's an evolution. It's not just a copy and paste, right? Exactly. And that's the benefit of doing something immersive, that you're creating and recreating a world and it has to be lived in.

16:11 And now we are using AI embedded in Conductor to create that rich media and lived in content. But do you think that that rich media and that content that you create to make it immersive is the key for keeping senior leaders engaged? Or are there some other elements that you should be taking into account when you are trying to engage leadership? I would say those elements help, but they're not enough.

16:43 If the scenario is not realistic enough or closer to what they see or to what they matter, they won't be engaged. If they see a situation that is just maybe too far away for their consideration, maybe it won't be that engaged. So the media helps, the images help, the audio helps for sure. But how realistic and how close it is to them is the key to keep them engaged.

17:16 Got it. And do you think their storytelling plays an important role in making the simulations impactful? Of course, of course. It's part of the narrative, right? So you cannot be too, let's say, harsh in one topic to the other or coding a conversation to the other. The narrative needs to flow. It needs to have some continuity from the beginning of the inject to a closure of the scenario.

17:49 So we don't use elements that are just independent from each other. We use the same narrative of the scenario from end to end to say, well, we conclude that this is based on the decisions taken. This is what has happened, right? Or this is what is pending. For that, for example, we use the pattern of life option. So it helps you get dynamic content because you cannot anticipate all the decisions that are going to be taken.

18:20 So for that, you may have some good options. We have one scenario, for example, that has 12 potential outcomes depending on the decisions that are taken. Wow. So you need to be listening there. So that helps, right? It helps to develop the narrative and make it make sense. Just because it's one of the advantages that the immersive simulation has over a tabletop exercise that you can make it dynamic based on the decisions. In the tabletop exercise, for example, we saw situations that they would take decisions at the beginning of the exercise that would nullify the inject at the end of the exercise, right?

19:05 So we would need to step in and say, oh, well, as you're taking these decisions, don't consider this one anymore. So that has been reduced. Let's not say eliminated completely because there's other situations where they anticipate to the narrative. But with some of the options of different master event lists or having the pattern of life, it helps to make it dynamic and try to reduce that. So, yes, the narrative completely and the storytelling completely is a matter that you need to consider to make your scenarios effective.

19:43 Of course. And in the end, the narrative manifests itself through characters, through personas. Is there something that you... how do you tackle the creation of personas? So we use personas in three different ways. One is external entities, other is internal ones, and the other is just completely invented people. So, for example, if we want to have a scenario that considers an insider element, we're going to just invent the person.

20:16 Obviously, we're not going to put someone in the spotlight saying, you might be an insider. Yeah, that might not go well. So we use that element. We use the external people. So, for example, the government reaching out if there is a personal data breach or, for example, media putting up an article once it goes public. So the person has helped to use the narrative, but an element that might be a variable, depending on how the conversation goes, is impersonation.

20:53 So we've been using impersonation quite a bit to try to maybe engage with the participants and have them speak about something or just add pressure. We may impersonate even upper management asking for status, right? Even though you could put that as an inject, it's good to have it impersonating because if they say, oh, well, this person wouldn't speak like this, or now we have already engaged and we can say, oh, yes, I see your email now, thanks.

21:29 So to make it more dynamic, so they are aware that we're trying to have them engaged, right? So the personas, it's pretty useful and also to maybe it's a bit, let's not say tedious, but it takes some effort to customize the personas based on the zone that we will be using or the country. So we may use the local language there in the social media profiles of the personas that we created.

22:05 Then we have those reviewed by a person there to make sure that the translations are accurate. And we just try to make them as customized as possible to the extent possible because the bandwidth allows, right? Of course. So, yep, personas are pretty useful to make the content dynamic and use the impersonation for keeping them engaged. Okay, so you're talking like now about like the facilitation part of the exercise, because you're talking, you were saying that you need to listen in order to react and adapt the mail that you're playing or the pattern of life, like the reaction, social media, or you're also talking about impersonation.

22:57 So role players are interacting, so how do you manage facilitation? Where's your approach to that? Okay, yep. So first we split the role in two. So we call facilitation and orchestration. The facilitation is the front end, the person that is going to be in front of the MBTs, saying, well, welcoming them, saying what is the purpose of the exercise. So on, and usually I'm the orchestrator, so I'm the one behind the wheels and the injects listening to the conversation.

23:36 So I explain the platform. I explain the log application, for example. We use some injects to just make them familiar with the platform first, because that is important. Obviously, we're speaking about people that may not be too tech savvy. So it is good that you guide them first through the usage of the platform, and then you start with the simulation, with the real incident. So the facilitation, that way we split some of the responsibilities into people, so that way I can focus on the pace of the scenario, the injects that will be sent, and how the conversation is going.

24:20 Because we don't automate the scenario. We don't just let it run. We actually just put random timing, and I'm listening to the conversation, sending the injects, depending on how it's going. Because what matters is those conversations from the decision makers.

24:51 So there's the value. You need to listen there. You cannot just overwhelm them with injects that may just skip or forget. And you need to send it at the right pace as well, being conscious of the time, but also to keep them engaged. So it's difficult. It's a case-by-case basis, but what matters is the value of the conversation. Fantastic.

After Action Review

25:17 And when the exercise wraps up, do you do some sort of after-action review? How do you make sure that those conversations are turned into lessons or changes afterwards? Yeah. So it's twofold. Once it's a hot debrief, so we discuss there in terms of what we saw immediately, that they performed well or that they may lack a bit. They discuss on their own as well.

25:47 So we just try to engage the conversation on what they saw that they might be missing, for example, and what processes they need to improve. And then afterwards, in the next few weeks, we work on a report with the observations and recommendations that they should be addressing or considering. And that's pretty much how it is. And then it's the responsibility of the SMEs there to follow up. But as we are on the security side and some of the observations may step out of our area, it's complicated to tell them what legal should consider this or communication should consider that.

26:32 We just put there that as observations and recommendations, meaning that that is our perspective during the simulation. It doesn't mean that that might be the case, neither that we can advise on how to do it because it's not our area. So that is something important to consider that.

26:55 I wouldn't suggest putting those as findings directly that they need to follow up. Because it would also break the dynamic and the commitment of management to jump in and have it. If they feel that they're being evaluated, maybe they'd be more reluctant on responding and to role play, right? So it's better to just advertise that as a training exercise and that you would definitely have lessons learned, but not findings directly.

27:27 Got it. And can you share something about a particularly challenging or memorable simulation?

27:36 Well, I work in a company that is multi-language in terms of there are just many countries engaged. So even though the intent is to have the program in English, which is the main language used, I try to the extent possible to use the local language to make it realistic. So the difficult part there is I'm putting the rope on my own neck for my own productivity, but it's for the greater good, right?

28:14 So it's difficult on that matter. And also it depends on the participants. There might be some that are more reluctant to role play, so that they may not engage and they see things from outside, let's say. That is difficult to tackle, but we try to observe that and put that into the report saying we would suggest to have this considered seriously, for example.

28:49 There might be also, as this company, these big cultural differences in terms of how they address management, right? So those considerations, it's why it is important to work with the local SMEs in terms of trying to understand the culture. It is not the same how the U.S. would report to their management if you compare that with Japan, for example.

29:22 Yeah. Totally different. How they need more details and have everything before they engage management, for example, rather than just keep them engaged, notify them. So that is something on a company as big that you need to have into consideration. The cultural differences, it's something quite important. The language barriers, and I think that's the most difficult part.

29:57 Obviously, you need to, as with any project, define the expectations, because it takes time to design a simulation. And even though we have, or you can have templates for different scenarios, and you have a baseline, and there's some hours of customization that you need to invest in for the sake of what are your receivers. So those are the matters to consider it, I would say, in terms of challenges.

30:27 Yeah, challenges, but it's a well-spent time because you make it personalized and it makes it memorable, which is kind of what you're looking for. And I also consider that as an artistic process, because you need to get some inspiration in putting it. So personally, I put up some music when I'm working from home, and just work through it. So, because, well, you need the right environment to keep you motivated, and just work through it.

31:02 Because it takes a while. So you need to like it, or try to do the appropriate changes so you can like it. So you enjoy it, like a creative process itself. Nice. Well, okay. So this would be my last question. I'd really like to ask this question to wrap up our conversations. So what advice would you give your younger self starting out in this field? In the field?

31:33 In my career, you mean? Yes. Maybe to know that being a senior doesn't mean that you need to know everything. Being a senior, now in my experience, maybe it's not that much. It's 13, 25, yeah, 13 years of experience.

31:58 Being a senior doesn't mean knowing everything. It means knowing how to resolve problems. So most of the problems, it's a matter of, if you don't have the knowledge, either you can investigate, you can ask, you can engage with the people that knows the problem, and have them speak with the people that can resolve it. So, the soft skills might be more important than the hard skills to be a senior.

32:34 That's what I would say, because at the first of my career, I tried to know everything that I could. And when I realized I couldn't, it was a reality check, right? So, and there was also an ego check. So, yeah, being a professional, you need to be professional, behave professional, and work as a professional. So, it's not a matter of knowing, it's a matter of being.

33:06 Oh, my God. What a fantastic way to finish this up. I really like that concept, and I think that really applies to all of us who've been working for some years in what we're doing. And it's a matter of collaborating and sometimes being vulnerable to asking for help to make sure that the result and the problem is solved in the best way possible. So, well, Daniel, thank you very much for joining us today.

33:38 It's been a delight to have you here, and I really wish that you have, like, a full year packed of exercises everywhere around the world. And thank you for taking the time to be here with us today. Thank you so much for you, Belen, to invite me, and thank you for your time, everyone, for listening. Thank you.

34:03 Thank you.
