Tom Sharpe OBE is a crisis communications consultant and leadership mentor with a distinguished 25-year career in the Royal Navy, where he commanded four warships. Awarded the Order of the British Empire for his service, Tom now applies his leadership expertise to help organisations strengthen their communication strategies and protect their reputations. He works as a communications consultant with Qorvis and with Special Project Partners, which he co-founded.
Tom Sharpe OBE: Mastering the Crisis Communications Playbook
In the high-stakes world of cybersecurity, a breach isn’t just a technical failure; it’s an existential threat to your brand. When systems fail, the speed and unflinching clarity of your communication are just as vital as the technical recovery. We sat down with Tom Sharpe, a seasoned expert in crisis communications, to dissect the essential playbook businesses must master when a cyber crisis strikes.
Tom shares brutal, real-world examples, exposing why silence is a deadly strategy, the catastrophic peril of unchecked CEO ego, and the crucial, non-technical preparations that act as a multimillion-dollar insurance policy for your company. If you are determined to seize control of the narrative, mitigate maximum damage, and emerge from a crisis looking decisive and competent, this interview is mandatory reading.
Why Crisis Comms is Critical During a Cyber Crisis

Eliza May Austin
When it comes to cyber attacks, everyone thinks their department is the most important, and businesses quite rightly want to focus on keeping the business operational or bringing it back to operational depending on the circumstances. Why would you say crisis comms is so important during a cyber crisis?

Tom Sharpe
You must actively manage your reputation and fill the vacuum. Silence is detrimental, and if you do not communicate, someone else will.
In the early stages of any crisis, you need to release a statement that suggests you are in control, even if you are not entirely. This is vital for building stakeholder trust and stabilising internal morale. Business continuity is essential, but with cyber incidents, it is perhaps even more critical because the nature of the crisis is an attack, not merely an unfortunate incident. Someone is deliberately targeting your business. This makes all principles of crisis communications doubly important: to fill that vacuum and build trust.
You want to assure your internal audience, who will naturally be feeling uncertain, that you have control over the nefarious actor. This could be, and these days is most likely, a foreign state. They are attacking you, and you need to assure your team that you have the situation under control.
Case Studies in Crisis Comms: Good, Bad, and Ugly

Eliza May Austin
Do you have a story about a company that handled crisis comms well versus badly? And what were the key differences?

Tom Sharpe
My last job in the Navy was as the Defence Secretary's naval spokesman, giving me vast experience in crisis communications. This raises a crucial distinction: what constitutes crisis comms versus merely reactive comms? At the Ministry of Defence, we faced daily reputational fire from national papers, dealing with situations a normal company would label a crisis as routine reactive comms. There's a sliding scale, and it's important to clarify that not everything is a crisis.
Consider two shipping examples. The first, Maersk, is an exemplar of good crisis communications. In 2017, a malware cyberattack disabled their tracking, booking systems, and worldwide terminals, costing an estimated $200 million a day. Crisis communications is vital for limiting such figures, as the damage extends beyond IT to people's confidence. The trade-off between what you say and what you do is key.
Maersk responded quickly with an excellent holding statement that provided all the necessary reassurance. They rebuilt about 4,000 servers in ten days, and their leadership was visibly open throughout. Post-incident, they publicly detailed what happened, how they handled it, and what they learned. This fast, accurate response likely saved them hundreds of millions of dollars.
The second, an unnamed shipping company, faced a less severe ransomware attack disrupting cargo tracking. Their crisis began badly when a journalist broke the news on LinkedIn: "I think this company has been cyber-attacked." They delayed their holding statement for about three days, during which their entire system stalled. They lacked the necessary processes, and there was no joined-up action between communications and IT, causing them to grind to a halt.
Often, I see CEOs dismiss crisis preparedness, saying, "I have got this. We do not need to do any of this. When the crisis happens, I will just look down the camera and I will style it out." That's the quickest way to get it wrong. While you don't need complex, multi-phased binders, you absolutely need something in place to avoid an outcome like the second example.
Another striking example is Bell Pottinger, the communications agency that entered administration in 2018. Their job was protecting reputations, yet they couldn't protect their own. The central lesson is simple: do not do dumb things. No amount of crisis comms skill can save you from a fundamental error. They compounded their problems with self-inflicted harm in their attempts to manage the fallout. These are diverse examples of good, bad, and frankly stupid approaches to crisis communications I've witnessed firsthand.
Balancing Speed and Accuracy: The Holding Statement

Eliza May Austin
So when a breach is unfolding and facts are still unclear, how do you balance speed of communications with accuracy to avoid putting out the wrong information?

Tom Sharpe
The bottom line in crisis communications is that the first few hours are absolutely critical for establishing your narrative before someone else does.
Tom stresses that this isn't the time to be figuring things out; you need instinctive, almost military-like responses, which means ditching the once or twice-a-year simulations and drilling much more often. He suggests a simple, two-page guide is all you need: one page with the 'hit squad' call list, and the next with a check-off list and guardrails to prevent rushed, incorrect statements. This framework then moves into a 'respond' phase to establish the truth and quickly formulate a holding statement, the bare skeletons of information to show you're in control, followed by phases to clarify and recover.
Ultimately, having this procedural rigour, including severity grids to dictate your response time, ensures you control the situation and prevent the CEO from panicking and doing something unhelpful.
Essential components for this initial phase include:
- A simple, two-page guide for the first responder.
- Page 1: A Call-Out Sheet listing all relevant ‘hit squad’ members with their primary and backup contact numbers, to avoid scrambling during an emergency.
- A Check-Off List to ensure a structured response, preventing hasty mistakes and ad-libbing.
- Phase One: Respond. Establish the truth (what, who, severity, and time to fix). Use a severity grid to colour-code the crisis, which dictates the timeframe for issuing a holding statement (e.g., half an hour, six hours).
- The Holding Statement is absolutely key. It should be brief and show you are aware and in charge (“We are aware of incident X… investigation ongoing… inappropriate to comment further.”). This manages the situation without risking the release of wrong information.
- Pre-drafted materials for likely scenarios (cyber-attacks) should be ready for the holding statement.
This initial rigour assures the CEO and prevents them from panicking or acting unhelpfully, connecting the call-out list, severity assessment, and holding statement. After this first phase, you move into the clarify, pivot, and recover stages to grip the narrative.
"Your responses are instinctive... the muscle memory is not there, and the trust is not there between the departments." (In reference to not drilling enough)
Legal vs. Regulatory Transparency In A Cyber Crisis

Eliza May Austin
If your legal team insists on withholding specifics for liability reasons, but regulators demand transparency, how do you decide which audience to prioritise in real time?

Tom Sharpe
My first thought on that is this: if your legal team is concerned about the level of detail in your communications, you are likely oversharing. Especially in the initial days of a crisis, your messaging should not cause a legal headache.
Look at the Maersk statement as an example: "We can confirm we have been hit by a cyber attack named Petya. We have contained it. We are working on a technical recovery plan. We have shut down a number of systems at this point." They then listed the working entities. It was clean and focused on what was working well, avoiding specifics about failures that could worry lawyers.
The statement was tidy, prompt, acknowledged the scope, offered reassurance on safety, outlined actions, and set expectations. There was nothing for a lawyer to object to. This highlights the importance of pre-planning. If lawyers are questioning what you include, you are probably sharing too much.
If you must release technical information, you need a priority list of your target audiences (there could be twenty) and you must tailor your message accordingly. Ultimately, this problem is as big as you make it, and you can generally avoid legal issues by carefully choosing your messaging.
The Value of External Comms Support

Eliza May Austin
Does relying solely on an internal team during a crisis pose risks, such as complacency or inadvertently oversharing information due to deep internal knowledge?

Tom Sharpe
The real advantage of bringing in an external crisis communications team is their ability to challenge the spokesperson or CEO more effectively. In highly hierarchical organisations, like the shipping companies I mentioned or the MoD, internal staff are often reluctant to tell a minister or senior executive, "Actually, this is rubbish." This is where external consultancies have a distinct edge over internal comms teams; they can agitate the system in a way internal groups are more hesitant to.
However, this effectiveness decreases when the goal is to break down internal stovepipes and encourage departments that don't typically communicate to start talking. Therefore, integrating the internal communications team is absolutely essential. Ultimately, unless you're specifically hired only to manage a crisis as it happens, most of the work involves training the internal team to handle things themselves. That's been my experience. So, once you've finished asking all those difficult questions and are ready to walk away, you need to assure the client that the team you're leaving behind is fully capable of taking over and continuing the work from where you left off.
“This is where I think external consultancies have the edge over the internal comms teams; you can agitate the system in a way that internal groups are more reluctant to.”
Handling a Journalist with Better Crisis Information

Eliza May Austin
If you discover mid-briefing that a journalist has more accurate breach details than you have released, do you acknowledge it on the spot or stick to your planned line, and what would you advise a CEO to do?

Tom Sharpe
I think to an extent, this depends on what phase you are in. If you are on Phase One, where you are literally just trying to respond, I think you are probably better off at that point sticking with the holding line. Most journalists, in my experience, will comply with that.
But then you can start getting into the negotiating space: does this person have real reach and influence, and therefore should we start considering perhaps an exclusive relationship? You could tease them with snippets of information that others do not have, which is part of building your network of allies. Can you convert whoever has this information into something of use, or are they just coming for you?
I suppose it depends on the nature of the crisis. But if you have been hacked, there will often be an element of sympathy about that. You have been attacked. So, generally speaking, you can build a rapport with the correspondents and maybe find out where they are getting this information from, because it could be of use to you. You are still trying to rebuild your systems and get your business continuity back on the go. Why is it that they know more than your IT team? Have that conversation with them. So, you have got to be quick and you have got to be honest.
The Single Most Important Piece of Advice

Eliza May Austin
If the reader takes nothing else away from this interview, what would you like that one piece of advice to be?

Tom Sharpe
Plan it, then practise it. That's the essential takeaway. Get the awkward questions addressed now and put a system in place. It doesn't need to be complicated, but you must practise. It won't work at 2 AM, which is precisely when mistakes happen, when you'll disclose something you shouldn't. A crisis can be an opportunity. It will generate a lot of coverage. Initially, it won't be favourable, almost by definition, but people have short memories. Sometimes they'll remember you long after they remember the reason why.
You can handle a crisis well. Maersk is a great example; they managed it so professionally, aggressively, and fast that they emerged looking highly competent. You won't achieve that thinking you can handle it in the middle of the night. Maybe the CEO can, we've all seen semi-geniuses in this respect, but you are drastically increasing the chances of making a bad situation worse, harming your reputation.
So, prepare. Be clear on what is reactive, how much of that can be pre-planned, and what is routine communication. Know exactly when the line crosses into a crisis, and then react accordingly. The simple answer to your excellent question is: plan it, then drill it.

Eliza May Austin
Tom, your insights have been invaluable. The message is crystal clear: a cyber crisis is not the time for improvisation, and silence is a deadly strategy. You've underscored that the difference between a Maersk-level recovery and an administration-bound disaster is preparation, drilling, and having that 'instinctive, almost military-like response.'
Our readers now know that a simple two-page guide and a well-drilled 'hit squad' are more effective than a CEO's untested confidence. The single most important takeaway, as you put it, is to "Plan it, then practise it."
In the high-stakes world you've described, muscle memory is the only thing that works at 2 AM. Do not wait for a breach to discover your weaknesses.
Ready to build the muscle memory your team needs to survive a cyber crisis?
At th4ts3cur1ty.company, we specialise in transforming theory into instinctive action. Our Cyber Defence Tabletop Exercises (TTX) are designed to pressure-test your crisis communications and technical response plan against realistic, high-impact scenarios, exactly the kind of proactive drilling Tom advocates for. Stop planning for a crisis and start practising for success.
Visit our Cyber Defence Tabletop Exercises page today to secure your organisation’s reputation and ensure your team is ready to control the narrative when the attack inevitably comes.