There are two main objectives that organizations typically focus on while reducing cyber risk. First, reducing the frequency of cyber incidents materializing, which usually comprises traditional cybersecurity measures and risk mitigation activities. Second, reducing financial loss and other impacts to the organization when they occur, which is where cyber resilience comes in. In achieving both these objectives, cyber simulation exercises play a central role because people have a major role to play in preventing, detecting, responding and remediating cyber incidents.
In certain high-risk environments, organizations may find it impractical to solely prioritize prevention and detection. In such cases, it is beneficial to shift focus towards building resilience, including response, containment and recovery of incidents. Equipping all stakeholders in the organization to handle these challenging situations should be a priority, and allocating time efforts, and resources towards this strategy is advisable. Now, let's delve into the key elements required to design simulation exercises aimed at enhancing cyber resilience.
1. Preparedness
The element of preparedness is similar to the French culinary concept of “mise en place,” which describes the notion of being well prepared in advance for a hostile and dynamic work environment: the setup, the ingredients, the tools needed for cooking. This can also apply to cyber exercises — understanding the organization's systems, processes, security approaches, and vulnerabilities; designing realistic scenarios based on specific security concerns (i.e., ransomware, supply chain attacks, DDoS, advanced persistent threats) and measuring how various stakeholders respond and react to different situations.
2. Relevance
The scenarios and tests being conducted must be relevant and contextual for the audience that is participating and must be tailored to the organizational objectives. For example, while dealing with the security team, simulations should be more focused on individuals that are operating a SOC (security operations center) or security analysts responsible for managing endpoints and cloud environments. Ensure that the exercise aligns with the organization's culture, technology, and security expectations. The exercise should be designed in a way that supports the organization's technology and security strategies, ultimately meeting the desired objectives by the end of the exercise.
3. Immersion
Simulation exercises must be immersive enough so that participants believe they are dealing with a real-life incident. To create a scenario that’s more realistic, facilitators can seek participation from key internal and external stakeholders. Internal stakeholders are basically employees while external stakeholders can include customers, suppliers, business partners and insurers.
4. Challengingness
“Challengingness" is meant to express the quality or degree of something that is challenging. Simulation exercises should be engaging, intellectually stimulating and competitive. One way to achieve this is by implementing the exercises as dynamic games using custom applications. External stakeholders, such as actors playing the roles of media or government representatives, can provide real-time feedback to participants. The idea is to challenge the audience, pushing them to test their quick-thinking, decision-making, communication, delegation, stakeholder management, incident coordination and other skills needed for an effective cyber response.
5. Responsiveness
There’s a famous quote, "No battle plan ever survives first contact with the enemy." It means that regardless of how much preparation is done, or how well documented a processes or the playbooks are, security leaders are never quite know for sure whether people will perform exactly how they’d expect them to, particularly when dealing with a lot of uncertainty. Security leaders need to test and test regularly; they need to test with various audiences and test how the audience responds even to the most unlikely or adverse cyber conditions. They also need to look at how the organization transitions from response to containment, all the way through recovery and resumption.
Cyber simulation isn’t just resilience, it’s also cyber assurance
It’s important to appreciate and understand that a cyber simulation exercise is just one of many assurance activities to perform within an organization to infer how ready an organization is for a major cyber incident. Just like conducting a security audit, a controls gap analysis, a business continuity test, pen testing, red team, blue team, purple team testing etc. a cyber simulation exercise is also complementary to other assurance activities. Again, the results of other assurance activities will influence and shape how these cyber simulation exercises should be designed and how they should be run for the respective audiences. When looking at the observations and findings from these exercises, it’s often very clear that there are several implications for organizations, both in their ability to respond to a major cyber incident as well as long term risk implications.
Instead of waiting for a crisis to strike and then scrambling or panicking, it is advisable that organizations adopt a process of preparation and improvement. Working with an outside partner that is independent of office dynamics and workplace politics may be the best option. Cyber simulation exercises are about future-proofing cyber resilience, serving as an assurance activity to assess an organization's readiness for cyber incidents.