5 ways Cyber Exercises can help your organisation
Objective assessment of existing security measures
Cyber security programmes are not cheap, and in the modern business climate every pound spent needs to be justified. There are two ways to test whether your cyber security investments are delivering value. The first is to wait for a real incident to hit and see how things pan out. The second is to exercise and test those investments in a realistic scenario. One of these will be more painful and expensive than the other.
Developing an immature cyber security programme
Developing a cyber security programme from the ground up is hard. There is a huge amount of advice, guidance, frameworks, standards, products and services to choose from and it can be overwhelming. Exercising helps provide operational context and keeps you focused on what actually performs in realistic scenarios. Exercises can be constructed for differing levels of maturity and at differing scales so you can test and validate as you build up your programme.
Regulations, such as the NIS Directive, are placing increasing emphasis on testing the cyber security policies and procedures of organisations involved in delivering critical national infrastructure. Exercises are a specified way of doing this.
Platform for learning
Cyber exercises provide a sensemaking experience around which people can learn. Narrative-based exercises provide a much richer and more effective learning environment than classroom or web-based training programmes. They also provide the flexibility to discover new issues that hadn’t been considered by the exercise scenario developers. This helps to discover mission-critical frictions in a safe and controlled environment.
Cyber exercises provide a powerful platform for messaging. There are a variety of audiences that could be engaged, from senior leaders to the public or regulators. Cyber exercises could be used to highlight the maturity of a cyber security programme to senior leaders to seek their support for existing or further investment. Similarly, they can send a powerful message to the public and regulators that the organisation takes cyber security seriously and is doing all it can to prepare for an incident.