What is a cyber exercise?

A cyber exercise tests an organisation's incident response. Cyber exercises focus on business impact and can be considered pentests for people and processes. They allow organisations to develop and rehearse their incident response procedures in a safe and controlled manner. They offer a pragmatic way to understand and benchmark the impact of a cyber security incident, and so allow improvements to be tracked objectively over time.
Cyber security has been an issue for organisations for a number of years now. The security industry has predominantly been positioned to manage this issue by applying technological solutions. Pentests are one such solution: they are conducted to identify issues with IT systems and configurations. Once the issues are identified, they can be addressed in one way or another.
Cyber exercises do essentially the same “issue finding” as pentests, except that they aim to find issues in how people work and not in the technology they use. Cyber exercises are a complementary activity to pentests and not a replacement. However, because they focus on business impact, they can be used to inform decisions about where and when risk controls, such as pentests, should be deployed. This can ensure that constrained security budgets are allocated effectively.
Until recently there has been a limited market for organisations that want to test their incident response in a realistic but practical way. The NIS Directive, however, has driven a surge in demand for cyber exercises, with all organisations that fall within the Directive’s remit required to conduct one annually.
Cyber exercises focus on the business impact of a cyber incident. This allows the potential cost of various incident types to be estimated, which in turn informs cyber security investment decisions. The mechanics of the incident are also addressed in detail, providing an engaging and effective educational experience for people in the organisation who don’t normally engage with cyber security.