Cyber Incident Exercises - Part 4: Executive Exercises
This article is the fourth in a series on cyber incident exercises. It looks at the benefits and the particular challenges of conducting cyber incident exercises for executives.
Key points:
Cyber incident exercises can help executives prepare for the rigours of responding to a cyber security incident.
A key focus of such exercises is communication: the exercise should centre on strategic challenges while retaining the necessary level of technical fidelity.
Exercise organisers will need to apply the same lessons to engagement with executives before and after the exercise itself, developing rapport and conveying outcomes effectively.
Introduction - preparing executives for cyber crises
In the second part of this series, we noted that cyber incident exercises can be conducted at different organisational levels, from the operational level to the board level. In this article in the series we will focus on delivering exercises for executives.
When a cyber incident occurs, it can rapidly become a crisis for any organisation - potentially even an existential crisis. In this context, executives are expected to lead and to be seen to lead.
However, of all the crises an organisation might face, those driven by cyber security incidents can be the most difficult to manage. Cyber security incidents are characterised by ambiguity, dynamism, and complexity, in a way that exerts unique pressures on executives and organisational structures.
Regulators and shareholders therefore increasingly expect or require executives to train for cyber security incidents. Cyber incident exercises are a powerful tool for building executive-level familiarity and resilience.
Format and design of executive exercises
As noted in the second article in this series, exercises can be conducted in live-play or table-top formats, and at different organisational levels. As a general rule, executive-level cyber incident exercises tend to be conducted as table-top exercises.
Time is the key factor: the table-top format maximises the value for executive-level participants, who will be extremely time-poor. It also allows the exercise to adopt a flexible timeframe, so that strategic and downstream risks which eventuate over longer timescales can be explored.
Executive exercises tend to be conducted at one level, rather than incorporating operational level participants, for the same reason. A live-play exercise in which operational teams are responding to an incident with ‘hands on keyboard’ in a simulated environment is likely to involve relatively long periods of uncertainty and inactivity at the executive level.
Introducing multiple levels increases the complexity of an exercise and makes conducting it more resource-intensive. Bringing together executives and operational personnel at scale will be a time- and resource-intensive proposition, and hence the objective of the exercise and its metrics of success will need to be spelled out in detail to ensure a return on investment.
Communication and translation during the exercise
Cyber security is notorious for its use of technical jargon and at times deliberate obscurantism. The ability to translate between the technical specialists and the executives is a key part of any effective cyber incident response capability. The NCSC recently published useful guidance for cyber security experts on communicating effectively with boards.
Executive participants’ focus is less likely to be on technical details. However, as noted in the previous article in this series, even as the granular details are abstracted in an exercise, they must retain technical credibility. Otherwise, the exercise risks perpetuating inaccurate understandings of technical details that could be unhelpful or even actively damaging.
The effectiveness of communication between operational, managerial, and executive-level personnel within an organisation may be one of the things that an exercise is intended to test. Alternatively, if this is outside the scope of the exercise requirements, then the organisers will have to simulate this aspect of the scenarios. Doing so is not just a matter of ensuring the technical credibility of material (see Article 3 in this series). For an executive-level exercise, part of the challenge of the scenario might be dealing with confusing or overly technical updates from operational-level colleagues.
This underlines the importance of understanding organisational context, as explored in the previous article. If an organisation has a mature cyber incident response capability with skilled executive-level briefers then an executive-level cyber incident exercise should reflect that reality. However, if this is not the case, then the exercise should equally reflect the likelihood of communication breakdowns and challenges. The alternative would be to provide an unrealistic picture of how the organisation would function in an actual cyber incident.
Engagement around the exercise
Engagement and communication style are also factors outside the conduct of the exercise itself. The organisers of the exercise within the organisation, and any external partners supporting the exercise, should carefully consider their approach to communication with executive participants before, during and after the exercise. Doing so is crucial for ‘selling’ the exercise internally and thereby ensuring that the right people, at the right level of seniority, are committed to being in the room on the day. Failing to secure an appropriate level of commitment can undermine the purpose of the exercise.
Communications need to be pitched at the appropriate level of detail, illuminating the ‘so what’ for the executives in clear, concise language. This approach should also be reflected in post-exercise reporting and other deliverables. Organisers should seek to develop a rapport with participants and stakeholders across the levels of the organisation. For the organisers of a cyber incident exercise such rapport may more naturally occur with technical specialists at the operational level who share similar professional backgrounds and interests. It may be more challenging to develop such a rapport at the executive level. This is an area where external specialists can usefully partner with the internal organisers of an exercise.
Learning points:
Cyber incidents can present particular challenges for executives leading crisis response efforts.
Regulators and other external stakeholders are increasingly pushing executives to go through specialised cyber incident exercising.
Executive-level cyber incident exercises are most readily conducted as single-level table-top exercises.
Communication challenges and the translation of technical detail are key aspects of executive-level exercises.
The designers and organisers of executive-level exercises should ensure that they engage with executive teams in an appropriate manner to build rapport.
Tyburn St Raphael is experienced at delivering cyber incident exercises. Whatever your goals, Tyburn St Raphael’s seasoned cyber incident exercisers will work with you to deliver the right exercise for your organisation. You can learn more about our cyber incident exercising offering or get in touch with us at info@tyburn-str.com.