"It's important for them to see that the highest level of management is involved in trying to fix it," Fishback says, adding that face-to-face meetings are the only way to effectively convey that message and build the credibility and trust needed to move forward.
"They've got to know you've got some skin in the game and that your attention is fully focused on resolving the issue," he says.
Support your people.
Stress will be running high in the weeks after a crisis, with some employees even wondering if their jobs are on the line. But you won't get the best out of your workers if you let those doubts fester. Instead, back up your team.
"Acknowledge to the staff that you're not interested in boxing them around the head on why you're having a problem, but you're more interested in helping them solve the problem," says Fishback.
Shawn Ostermann, who served as interim CIO at Ohio University following the data security breach there, says he went to various meetings to show solidarity with staff but didn't call "all-hands meetings" that employees might see as wasting valuable work time.
On the other hand, he says he respected his staff's need for downtime, so despite the continuing crisis, he sometimes sent them out to grab lunch or to play volleyball to work off the stress.
"You have to be an advocate for [your] people," Ostermann says.
Move the organization ahead.
It might be tempting to take a break once the crisis has passed, but it's smarter to use that time while everyone is still engaged and energized to push through the changes that will prevent a repeat incident. The time after a crisis "is often a chance to polish up on policies," says Aon's McBride.
That means examining not only the organization's technology, but its people and procedures as well.
ChoicePoint did just that. Lemecha worked with other executives to conduct a process review following the 2005 security breach. As a result, they created or enhanced 90 policies and procedures to help prevent such a breach from happening again and added the new role of vice president of consumer advocacy.
Take a final look back.
Documenting your reaction to a crisis and holding a postmortem that examines your responses are crucial to learning from the event, McBride says. The postmortem needs to happen soon, while the incident is fresh in everyone's mind. This kind of analysis, he says, can help organizations develop "better and more efficient ways to respond to a crisis."
Want to learn more? See Seven Key Parts of an Incident-Response Plan.
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.
 |
||||
|
When you're coping with a crisis, sometimes what you don't do is as important as what you do. Here's some advice from CIOs who have been there: Don't create a power vacuum. You or a designee should be available to make decisions as your workers try to identify the technical fixes needed to contain the crisis. Also, make it clear when and how workers should escalate disagreements, disputes or any other problems that they can't handle. Don't promise anything you're not positive you can deliver. If you fail to deliver on promises, you can hurt your credibility and damage morale even further. Don't push through too much change too fast. Your staff can probably handle a few weeks of round-the-clock work, particularly if they are rallied around fixing a problem. But they'll quickly burn out if they're forced to implement numerous improvements in the immediate aftermath of a crisis. Don't be too hands-on. It's important to show solidarity with your IT staff, but you shouldn't spend too much time in the trenches. Instead, balance your time among all the constituencies you serve your workers, your colleagues, the public, the CEO and the board. -- Mary K. Pratt |
|
|
|
|
||||