Should I be conducting Cyber Exercises?

TL;DR. Probably yes. But you need to choose the right type of exercise.

Cyber exercises are a non-intrusive way of testing how an organisation would respond to a cyber incident. There are different types of cyber exercise and each is appropriate for organisations with cyber security programmes of differing levels of maturity. It is this variety of exercises that allows all organisations to get value from exercising.

For example, organisations who are just starting out with developing their cyber security programme may feel it premature to conduct an exercise. This belief likely arises from the misconception that exercises are a test where passing is the only thing that matters. It is therefore of little value to test something that has not yet been built. However a key benefit of exercising is that it provides a mechanism for people to conduct sensemaking and to try and understand the challenges they face.

It is therefore useful to conduct a seminar type exercise to allow people to begin engaging with the process. The seminar exercise develops the building blocks of how an organisation would respond to a cyber incident and begins to explore some of the frictions and challenges that lie ahead.

An organisation which has already invested some time and effort in developing policies and procedures, but still has work to do, would also find exercising useful. This is because exercising can be used to validate an ongoing approach and to see which initiatives are actually performing in a realistic scenario. In this situation either a workshop or table top exercise would be appropriate. This type of exercising is useful for quickly confirming if cyber security investments are delivering value and to continue with those that are and, more importantly, to stop those that aren’t.

An organisation with a mature cyber security programme can use some of the more advanced types of exercises to test that they remain well prepared in the face of a changing environment. Both the organisation being protected and the contemporary threat landscape are constantly changing. There is therefore an ongoing requirement to check that the existing policies and procedures are fit for purpose.