"Don't be afraid of crises!" Feedback from Corinne Lossy, expert in IT Transition Management.

Corinne Lossy Dajon, IT Transition Manager and former CIO, has several years of experience in managing and transforming information systems within large companies. As a leader, she has intervened in major crises, particularly in cybersecurity, project management, and merger operations.
In this interview, she shares her experience of crisis management, illustrated in particular by the management of the Log4j vulnerability, which left its mark on the entire IT sector in 2021. She also discusses the factors that trigger crises, the importance of KPIs for detecting weak signals, and best practices for organizing an effective response.
Her testimony sheds valuable light on how a CIO or Transition Manager can structure crisis management, combining method, responsiveness and leadership.
The scale of IT crises: beyond cyber incidents
IT crisis management is not limited to cyber attacks. Many situations can turn into full-blown crises if they are not detected and managed in time, from system obsolescence to failed projects and governance issues.
Of course, each situation must be analyzed to identify the right moment to activate the crisis management system. In all crises, there is one common denominator: the need for rapid action. The priority is to protect systems (technical or application), data and people (internal employees or partners, end customers).
As CIO, I've been confronted with many different types of crisis, each requiring a structured, tailored approach. One of the major lessons I have learned is that preparation and anticipation are the keys to effective crisis management. When a problem arises, it's not improvised solutions that get the situation back on track, but the ability to immediately activate previously defined and tested management systems. Roles and responsibilities are essential, and everyone must be at his or her post!
The Log4j crisis: an organized response to a global threat
One of the most striking crises I've had to deal with was Log4j, a major vulnerability discovered at the end of 2021. This critical flaw was quickly exploited by attackers around the world, putting many information systems at risk.
At the time, I was CIO of a large group, with a very substantial IT estate made up of heterogeneous legacy systems. As soon as the breach was announced, we noticed an increase in the number of attempted attacks on our infrastructures. In view of the scale and potential impact of this global breach, I decided to activate the operational crisis unit with one priority objective: to protect systems and data, even though we had advanced protection systems in place.
This decision was based on the warning signals we had detected and the ANSSI's recommendations.
One of the first major measures taken in this context was the immediate closure of access to the Group's websites, a preventive measure aimed at protecting our systems from possible intrusions, and above all our customers. This decision, taken over a weekend, necessitated rapid and effective communication with all the Group's departments, in particular the Deputy Managing Director, the Director of Communications and the Director of Customer Relations.
To gain their support and limit the impact of this closure, it was essential to provide them with a concise, factual analysis:
- The immediate risks involved and the likelihood of the vulnerability being exploited on our infrastructure.
- Protective measures in place to justify the need for a temporary shutdown.
- Action plan to ensure safe return to service.
Thanks to effective coordination between the IT teams and other departments, we were able to manage this crisis without any major incident, and gradually restore our services in a secure environment.
The objective during a crisis of this nature is to protect oneself first and foremost. Rapid action is therefore essential, ideally combined with concise communication to avoid unnecessary alarm. But it's better to act quickly and then explain, rather than the other way round.
The importance of anticipation and indicator-based management (KPIs)
This episode highlighted a fundamental principle of crisis management: a well-managed crisis is first and foremost a well-anticipated crisis.
In my experience, rigorous monitoring of KPIs is one of the most effective ways of detecting weak signals and intervening before the situation becomes critical.
During my Interim Management assignments, I pay particular attention to examining these performance indicators, in order to understand:
- What are the structural dysfunctions that prevent an IT project or activity from running smoothly?
- What levers can be activated quickly to turn things around?
- How can internal communication be structured to ensure that decisions are understood and applied effectively?
Anticipating the crisis: information and training
Effective crisis management rests on two essential pillars:
- Information: as soon as the first weak signals appear, it's crucial to organize a crisis unit, to structure the listening process, to summarize the facts, to take rapid decisions and to communicate to all those involved in the crisis and potentially impacted by it.
- Training: good crisis management training prepares you to react effectively. It's not just a question of knowing procedures, but also of training your reflexes, confronting unexpected situations and practicing crisis management outside your area of expertise.
Why am I not afraid of crises?
Crisis management doesn't scare me, because it's based on a defined process and on skills that are acquired and reinforced with training.
- On the one hand, I've prepared for it: throughout my career, I've regularly taken part in crisis management exercises, in which I've learned to structure my thinking, make decisions under pressure and mobilize the right teams.
- On the other hand, a crisis is not something you have to endure: you choose to activate a crisis unit in order to manage a critical situation before it gets out of hand. Activating a crisis unit is therefore an act of control, not a panic reaction.
My main recommendation is to train regularly in crisis management, including subjects outside your area of expertise. Expanding your comfort zone is the best way to learn and develop emergency reflexes.
In these training sessions, it is essential to change roles: a CIO must be able to experience the management of an HR, financial or logistical crisis, etc. Post-exercise debriefing is just as crucial: it helps to identify what went well, what needs to be improved, and how to optimize decision-making and communication.
Last but not least, getting to know the people on the ground individually is a major asset. A well-managed crisis depends on the right distribution of roles. It is therefore essential to identify each employee's strengths in advance, in order to put together the most effective team of experts in a crisis.
The role of leadership in times of crisis
Crisis management is not just about technical procedures. Human resources management is fundamental.
In a crisis situation, teams are often under intense pressure, sometimes working 24/7. It is essential to:
- Maintain transparent, reassuring communication to avoid counter-productive anxiety.
- Identify employees in difficulty and adjust their workload to prevent burnout.
- Encourage team involvement by rewarding the efforts made and giving meaning to the actions carried out.
Effective crisis management thus depends on the ability to mobilize teams, give them a clear vision of the issues at stake, and ensure rapid, consistent decision-making.
Conclusion
IT crisis management relies on rigorous preparation, precise monitoring of weak signals, and structured responsiveness. The key lies in the ability to detect alerts in good time, put in place appropriate systems, and mobilize teams around an effective, concerted response.
A crisis must never be suffered: it must be mastered. Anticipation, method and leadership are the pillars of successful crisis management.