In Partnership With

If you get a bunch of cybersecurity leaders round a dinner table and invite them to discuss how to prepare for worst-case scenarios, you’re bound to hear a wide range of strong opinions. Do it less than a week after one security vendor’s botched update had crippled business systems across the globe, and the thoughts and ideas are only going to fly around faster.

Cyberbit is the provider of a hyper-realistic cyber range that simulates a virtual Security Operations Center (SOC) with enterprise-grade networks, commercial security tools and live-fire cyber-attack scenarios. The Cyberbit platform offers businesses an opportunity to test both their cyber teams and their executives. During a RANT roundtable the company hosted, a lively conversation on training, wargaming and cross-business incident preparedness repeatedly circled back to a couple of key topics.

While everyone works and plans hard, there are differences in approach to the difficult task of instilling sound incident-response strategies across the whole business, and not just ensuring that security teams would perform well when the digital effluvia hit the networked fan. Ultimately, several of the CISOs around the table argued, however good your preparation is and however realistic the level of training you’re able to provide for your teams, the only time you’re really going to know how well the business will cope in a crisis will come in the middle of the real incident. And, thanks to CrowdStrike’s black Friday update, several businesses were feeling more confident about their preparedness, even if that reassurance had come at the cost of a sleepless weekend.

One security team principal, who works within the UK division of a global company with tens of thousands of staff and a turnover nudging half a trillion, detailed some specifics. “There’s IT that we own and manage, and there are services,” they said, noting that exercises run in any one of the dozens of countries they operate in are relatively straightforward, but that trying to involve staff in more than one territory would prove to be a significant challenge.

“But we did have a very good opportunity on Friday to work as a team,” they added with a wry smile.

“How many teams have prepared for a malicious software update taking their organisation out?” another CISO asked, rhetorically. “It’s always the unexpected that catches people out.”

These questions cut to the heart of the work Cyberbit does with its clients every day, agreed Rob Preedy, the company’s regional director.

“It’s very much about understanding complexity,” he said. “If we’re operating in a complex space where we’re not expecting something, how do we enable the teams to coherently and confidently work in an environment they weren’t expecting to be in?”

Preedy explained how Cyberbit’s cyber range allows security teams to carry out real-time responses to real-world attacks, using the same tools that are deployed in their business, and on systems that are configured to give an accurate representation of the actual networks they are employed to defend. Crucially, he argued, the ability to simultaneously exercise executives adds considerable value to the effort, revealing potential pinch points in every organisation’s internal policies and strategies – as well as the instinctive responses of individuals when put under crisis-level pressure – that can make or break the organisation.

Yet while the security leaders around the table seemed to broadly agree that including board-level decision-makers in these exercises had great value, different businesses have tried different ways of making it work, with varying results. When the executives are in the same room as the technical teams during exercises, all too often they try to micromanage the incident-response process, resulting in a reduction in training value to the tech staff.

One CISO argued that “there was value getting the executives in there and having them do things wrong,” but another warned that, when you’re bringing in the most expensive people in the organisation, there’s little point expecting them to sit on their hands and watch without interfering. Agreement was broad that this is an area that the CISO’s role was created for – to be that necessary buffer between the boardroom and the security shop floor – but there was also rueful shared acknowledgement that not every business, plunged into panic in the hours after a crisis breaks, will always remember how to allow its CISO to do the job they were hired to carry out.

Another leader suggested that separate exercises for executives are a better idea, because these allow them to concentrate on the “really important, very urgent things” the most senior decision-makers in the business would need to focus on during a cyber incident, and to rehearse and refine those responses without “the distraction of the tech team.” Yet another view expressed was that, while the ideal would be for the executive team to exercise alongside the cyber staff and for the former to allow the latter to get on with their jobs and provide enabling functions and support where necessary, “in reality, your execs are all over your SOC. That’s the value of an integrated cyber range,” this security manager said. “It shows the execs how disruptive they can be.”

Preedy explained that Cyberbit’s approach seeks to combine the best of all test-and-evaluation worlds without compromising the underlying fundamentals the organisation is hoping to achieve from cyber incident exercising. Their structure keeps the executive team and the technical team separate, but allows for interaction where necessary, as determined by the organisation’s policies.

“Our exec testing is completely non-linear,” he said, explaining that it was this aspect that helped win a Crisis Management Exercise with six cross-government departments. “What they wanted us to help with was to look at the decisions,” he added.

“Did these six government agencies all look at risk the same way? They also wanted to look at supply-chain risk in the cyber range environment because they didn’t want it to play out during a real-world scenario.”

Everyone seemed to agree that the value of using realistic simulation as a form of both testing and training was twofold. Firstly, for the technical personnel in particular but arguably for the executives as well, there is the benefit of ingraining best practice in crisis-mode decision-making, so that both individuals and the institution build the “muscle memory” that will be vital if they are to respond quickly and in the most constructive and useful manner when that unexpected emergency arises. But secondly, and perhaps most importantly, exercising should help empower staff to ask better questions of each other, and of the business as a whole.

“For me, the questions people ask are important,” one of the security managers present said, summing up the mood around the table. “The exercise is not a script or a process or a step-by-step guide – it’s, ‘What questions should you be asking, and who should you be directing them to?’ It’s teaching them how to ask questions, rather than teaching them how to do something.”


For more information on how Cyberbit’s hyper-realistic cyber range can help your organization prepare for the unexpected and enhance your crisis simulation exercises, visit the Cyberbit website. You will find detailed insights into their approach, case studies, and resources to help you better equip your teams and executives for real-world cyber incidents. Or connect with Rob on LinkedIn for a personalized message.