The art of expectation management
08:00 Monday, 04 October 2021
UK Cyber Security Council
Have you ever sat on a train that’s going nowhere? Leaves on the line, points failure at Crewe, the wrong type of snow? This correspondent spent a chunk of his life on a 90-minutes-each-way commute between London and somewhere more rural, and one of the key learnings was that expectation management is not just a thing but a critical thing.
The railway company I used had a large-ish team of Senior Conductors, with the mood of the train population depending primarily on which one you had. In the event of the train stopping for no apparent reason in the middle of nowhere, most of them would be conspicuous by their absence/silence. If you were on Brian’s train, though, you were informed.
If you stopped unexpectedly, Brian would tell you why. If it was because something broke, Brian would tell you what broke. He’d tell you where the engineering team were coming from, and how long it would take them to be here. If his experience told him that you were likely to be stuck there for a couple of hours, he’d tell you that you were likely to be stuck there for a couple of hours. It didn’t get you moving any more quickly, but the fact that you were informed meant that you could call the other half and let him/her know, and in my case it generally led to another beer being procured from the buffet car.
Expectation management is absolutely critical in IT in general, and cyber security in particular. Situations can change rapidly in cyber security: one minute your world is fine and half an hour later you can be making the decision to take down the core file server because ransomware has landed. In no time at all the business can go from working normally to not really working at all, and during that latter period it is essential to keep people informed.
Yes, it’s a bad thing for people not to be able to work, or for customers not to be able to access your online shop. But you can’t change the amount of time it will take to figure out what’s going on, stop the attack, and get systems back up and running. What you can do is manage people’s expectations. If you tell the business that the systems won’t be back up today but you’re fairly certain you can fix them by the morning, this gives them the information they need to take the decision to go off and do something else that doesn’t need the systems. Not only that, but by communicating proactively to them it means they won’t all be getting in the way of the incident response by trying to call you to find out what’s going on. Even public-facing systems need expectation management: yes, it’s bad that your online shop has stopped working, but at least you can mitigate customer sentiment by telling them what’s going on.
So yes, while communication is critical, the last thing you need when you’re fighting a cyber attack is to lose significant time and resources to the need to communicate. But if you take just a few moments to do some expectation management, you’ll thank yourself later.