How to build an effective cybersecurity simulation
Most people groan at the prospect of security training. It’s typically delivered through dull online videos or uninspiring exercises that fail to capture real-world urgency.
To make a real difference to cyber crisis readiness, personnel need the opportunity to test their mettle under pressure, building the muscle memory and decision-making skills that will count when a real attack occurs.
This is where cyber simulations come in: they let you assess knowledge recall and judgment under realistic pressure, before a genuine crisis demands them.
But building an effective cyber simulation is not a simple process. A poorly designed exercise becomes another tick-box activity, or can even do harm, leaving staff feeling they wasted their time on an exercise where they neither learned nor accomplished anything.
So, what should organizations actively do to make these simulations as real and valuable as possible?
Step 1: Define the objective
To be valuable and avoid becoming just another compliance exercise, skills development needs a clear purpose.
Deciding the focus and delivering the program will typically be the responsibility of the CISO as the most senior security leader, or the head of resilience. However, there should be a strong collaborative aspect, with input from security, disaster recovery, and other involved teams.
To make a real difference, there must be a threat-led approach. Identify the most relevant threats to your company based on its unique structure, industry, and regulatory landscape.
It’s important to have a clear idea of the specific skills and processes you want to validate. This could be technical capabilities, executive decision-making, cross-team coordination, or a combination of factors.
Simulations must challenge actual weaknesses and stress points, not just reinforce strengths for an audit report. Without this element, exercises will become a tick-box formality, doing little to improve the workforce’s skills or prepare them for a cyber incident.
Indeed, regulators, including EU supervisory authorities and the UK’s Financial Conduct Authority, are increasingly demanding justification for chosen scenarios. Why did you pick that attack vector? Why that kind of simulation? Did you push your organization appropriately in terms of severity and plausibility? How can you show that you challenged yourself rather than just going through the motions?
Step 2: Build a realistic but challenging scenario
Once a purpose has been defined, it’s time to consider the scenario itself. One of the most important factors is striking a balance between realism and complexity. A scenario that is too simple and easy won’t provide much value, but one that is too complex and challenging will lead to more confusion than learning.
Consider the way athletes train. They spend a lot of time repeating the same exercises to build muscle memory, but they also need to push themselves to improve.
Ensure core competencies are in place for severe but plausible threats – and then push further.
What’s a catastrophic black swan event that could conceivably hit your company? Dealing with a crisis like that is where the real learning starts to come in.
It’s also important to regularly update simulations to reflect evolving threats instead of repeating past exercises. Throwing in unexpected new challenges can keep participants on their toes.
Step 3: Set up the technical environment
Next, it’s time to look at the nuts and bolts of making a simulation experience.
The goal is to create something that feels as realistic as possible, but never run it against live production systems: use an isolated test network that cannot reach production. It’s also important that every participant knows it is a test, so that nobody escalates a simulated event to customers, regulators or law enforcement. You want participants to be pressured but not unnecessarily stressed.
A badly executed exercise can create friction by exposing poor decision-making in a way that embarrasses someone rather than finding ways to inform and educate. This is costly in terms of both resources and time but also in creating the right culture across your business.
Typically, the best approach is a pre-built cyber range customized to reflect your company’s real environment. The more closely it mirrors that environment, in network structure, tooling and the expected baseline of network traffic, the more directly the lessons transfer to a real incident.
Ideally, actions taken during the simulation should reflect impacts on the actual operations of the business.
For example, a team might stop a ransomware attack, but at the cost of knocking over the company’s customer-facing website for a day. How bad will that be for the company? What could the cost be? What’s the plan for handling this outage and communicating with customers and stakeholders?
A scripted attack sequence is easier to arrange and less resource-intensive, but a live adversary team that adapts to the defenders’ moves adds realism, and if you have an in-house red team this doubles as an opportunity to exercise it.
Step 4: Involve the right people
In addition to the details of the simulation program itself, it’s important to have the right people take part. SOC teams and IT practitioners are the company’s first line of defense, so naturally, they will be key participants.
Executives and other senior decision-makers are another important group. They will be the ones making critical decisions such as how to respond to ransomware demands or the strategy for crisis communication with stakeholders.
However, cybersecurity has long stopped being just an IT problem. It affects the entire business, so cross-departmental participation is critical for cyber readiness. As such, representatives from business units like HR, legal and PR should also be involved. They will have a key role in managing the internal and external impacts of a breach.
It’s worth rotating participants regularly to avoid “exercise fatigue” with the same handful of people repeating the same roles without learning anything new. You would never do a fire drill with just a small handful of employees, so why keep running cyber exercises with the same limited group?
It can also be very difficult to line up exercises that fit multiple senior executive schedules. In my time at Citi, it was close to impossible to get many of the most senior people in a room at the same time. Planning a rotating list of participants in advance helps compensate for this.
Further, it is worth changing role assignments and putting more junior staff in the hot seat every once in a while. After all, what happens if a breach occurs while your CEO and CISO are both on a flight back from a conference? Someone needs to be ready to step up.
Step 5: Measure outcomes and refine strategies
Once a simulation exercise is completed, post-exercise analysis is just as important as execution. It’s essential to move beyond the “we ran the exercise, job done” mindset and genuinely assess the results.
Highly granular data is important here, letting you break results down by department, team and individual. The most important metrics will depend on the exercise objectives, but time to acknowledge an inject, time to contain it, whether escalation followed the playbook, and the quality of decisions made under pressure are common points to assess. Capturing them requires that every inject and every participant action be logged with a timestamp and an owner during the exercise, not reconstructed from memory afterwards.
Findings should then be put to practical use, from updating individual employees’ development plans to implementing new processes or solutions to fill newly identified gaps.
Results will also serve as a benchmark for future exercises, assisting a culture of continuous improvement. It’s a critical mistake to rest easy just because a simulation went well. Just because an incident was handled well once doesn’t mean it always will be.
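The following is an added example, not part of the original article, showing how the per-team metrics and the benchmark comparison described above can be computed from a structured exercise timeline. The timeline format (timestamp, event kind, inject id, owning team), the team names and the injects are all constructed for illustration; any real exercise logging tool would need its own parser.

```python
"""Score a cyber exercise from a timestamped inject/response timeline.

Added example, not from the article. It assumes a hypothetical log format:
ISO-8601 UTC timestamp, event kind (inject | ack | close), inject id, team.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed sample timeline for a hypothetical exercise (not real data).
SAMPLE_TIMELINE = """\
2024-03-12T09:00:00Z,inject,INJ-1,soc
2024-03-12T09:04:00Z,ack,INJ-1,soc
2024-03-12T09:31:00Z,close,INJ-1,soc
2024-03-12T09:20:00Z,inject,INJ-2,it-ops
2024-03-12T09:50:00Z,ack,INJ-2,it-ops
2024-03-12T10:00:00Z,inject,INJ-3,exec
2024-03-12T10:02:00Z,ack,INJ-3,exec
2024-03-12T10:12:00Z,close,INJ-3,exec
2024-03-12T10:30:00Z,inject,INJ-4,soc
2024-03-12T10:41:00Z,ack,INJ-4,soc
2024-03-12T11:05:00Z,close,INJ-4,soc
"""


@dataclass
class InjectRecord:
    inject_id: str
    team: str
    released: datetime
    acked: Optional[datetime] = None   # first acknowledgement by the team
    closed: Optional[datetime] = None  # inject contained / decision taken


def parse_timeline(text: str) -> List[InjectRecord]:
    """Build one record per inject; events are sorted by time first so a
    log written out of order still resolves correctly."""
    events = []
    for line in text.strip().splitlines():
        ts_s, kind, inject_id, team = [f.strip() for f in line.split(",")]
        events.append((datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), kind, inject_id, team))
    events.sort(key=lambda e: e[0])

    records: Dict[str, InjectRecord] = {}
    for ts, kind, inject_id, team in events:
        if kind == "inject":
            records[inject_id] = InjectRecord(inject_id, team, ts)
            continue
        rec = records.get(inject_id)
        if rec is None:
            raise ValueError(f"{kind} for unknown inject {inject_id}")
        if kind == "ack":
            rec.acked = rec.acked or ts          # keep the first ack only
        elif kind == "close":
            rec.closed = ts
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return list(records.values())


def score_by_team(records: List[InjectRecord]) -> Dict[str, dict]:
    """Per team: median minutes to acknowledge and to close, plus the
    injects that were never acknowledged or never closed."""
    buckets: Dict[str, dict] = {}
    for r in records:
        b = buckets.setdefault(r.team, {"ack": [], "close": [], "unacked": [], "unresolved": []})
        if r.acked is None:
            b["unacked"].append(r.inject_id)
        else:
            b["ack"].append((r.acked - r.released).total_seconds() / 60)
        if r.closed is None:
            b["unresolved"].append(r.inject_id)
        else:
            b["close"].append((r.closed - r.released).total_seconds() / 60)
    return {
        team: {
            "injects": len(b["ack"]) + len(b["unacked"]),
            "median_ack_min": median(b["ack"]) if b["ack"] else None,
            "median_close_min": median(b["close"]) if b["close"] else None,
            "unacked": sorted(b["unacked"]),
            "unresolved": sorted(b["unresolved"]),
        }
        for team, b in buckets.items()
    }


def regressions(baseline: Dict[str, dict], current: Dict[str, dict],
                tolerance_pct: float = 10.0) -> Dict[str, float]:
    """Teams whose median time-to-close is worse than the previous
    exercise by more than tolerance_pct; value is the slip in minutes."""
    worse = {}
    for team, cur in current.items():
        base = baseline.get(team, {}).get("median_close_min")
        now = cur["median_close_min"]
        if base is None or now is None:
            continue  # no comparable benchmark for this team
        if now > base * (1 + tolerance_pct / 100):
            worse[team] = round(now - base, 1)
    return worse


if __name__ == "__main__":
    scores = score_by_team(parse_timeline(SAMPLE_TIMELINE))
    for team, s in sorted(scores.items()):
        print(team, s)
    # Hypothetical benchmark from a previous run of the same scenario.
    previous = {"soc": {"median_close_min": 25.0}, "exec": {"median_close_min": 12.0}}
    print("regressions vs previous exercise:", regressions(previous, scores))
```

The unresolved list is the important output for the debrief: an inject a team acknowledged but never closed is exactly the kind of gap that should feed a development plan or a process change, and comparing medians against the last run turns the exercise into the benchmark the article describes.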
Achieving real cyber crisis readiness
Cybersecurity simulations are not just a compliance exercise – they build real-world resilience, helping companies prepare for a genuine crisis.
The time to discover gaps in skills and processes, and to find out what a botched defense costs, is during a safe simulation, not in the middle of an actual attack. Done well, simulations reduce response times, improve decision-making, and ensure organizations are prepared when a real attack occurs.
Above all, it’s important to always look ahead. Train for what could happen tomorrow, not just what happened.