Cyber Crisis Consulting Beyond Deliverables: Building Lasting Capability in the Public Sector

Highlight-image

At ISCRAM 2026 in The Hague, Max Tijmann and Rosa Edema, consultants at Bureau Veritas Cybersecurity, presented and won the award for Best Practitioner Insights & Perspectives paper reflecting on a challenge that continues to surface across the public sector: cyber crisis management is frequently supported through external expertise, yet rarely designed to leave organizations stronger and more independent in the long run.

The paper, Cyber Crisis Consulting Beyond Deliverables, draws on hands‑on experience from a real‑world engagement with a Dutch public organization operating in a critical sector. Rather than focusing on a single assessment or exercise, the engagement evolved into a broader reflection on how cyber crisis consulting can and should contribute to lasting organizational capability.

When support does not equal resilience

Public organizations increasingly depend on external consultants for cyber crisis management expertise. This is understandable: cyber threats evolve quickly, internal budgets are limited, and competition for skilled professionals is intense. However, the paper argues that many consultancy engagements unintentionally reinforce dependency.

Traditional approaches often emphasize tangible outputs such as reports, playbooks, or tabletop exercises. While these deliverables have value, they do not automatically create understanding, ownership, or the ability to act independently when a real cyber crisis unfolds.

The consequence is familiar: once consultants leave, knowledge dissipates, responsibilities remain unclear, and organizations revert to ad‑hoc responses when pressure rises.

Image in image block

A shift from deliverables to ownership

The case described in the paper shows a different approach. During the engagement, it became clear that cyber crisis response could not be treated as a purely technical or isolated domain. Instead, it required alignment between cyber expertise, IT operations, incident management, and existing crisis management structures.

Together with internal stakeholders, governance structures were clarified, internal ambassadors were identified, and shared responsibilities were defined. Rather than “delivering” exercises, the focus shifted toward transferring knowledge, building routines, and embedding cyber crisis management within existing organizational processes.

This approach allowed the organization to gradually take ownership of its cyber crisis management capabilities, with external consultants stepping back into an advisory and validating role.


Three key insights for cyber crisis consulting

Based on this experience, Max Tijmann and Rosa Edema identify three core insights that are relevant to many public sector organizations:

  • Cyber crisis consulting should go beyond one‑off activities. Long‑term resilience requires deliberate capability building, not isolated assessments or exercises.
  • Effective cyber crisis management is inherently multidisciplinary. Cyber response must be integrated with IT, incident response and traditional crisis governance.
  • Consultants have a professional responsibility to prevent dependency. Sustainable resilience means helping organizations become capable of operating independently over time.
USP

Cyber Crisis Consulting Beyond Deliverables | Practitioner paper

Building Lasting Capability in the Public Sector

Download

About ISCRAM

ISCRAM (Information Systems for Crisis Response and Management) is an international conference bringing together researchers, practitioners and policymakers working across physical, digital and hybrid crisis domains. Its strong “pracademic” orientation makes it a valuable platform for sharing lessons that bridge theory and day‑to‑day operational reality.

Presenting this paper at ISCRAM 2026 offered an opportunity to contribute practitioner‑driven insights to a broader international conversation on crisis management and resilience.

Image in image block

Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.