Cyber Incident Exercises - Part 5: From Exercises to Resilience

This is the fifth article in the current series on cyber incident exercises. This article emphasises the importance of regular exercising as part of an integrated approach to operational resilience. 

Key points:

  • Conducting a programme of exercises is more efficient and more likely to deliver measurable outcomes than a series of one-off exercises.

  • Exercise programmes should be part of an integrated approach to strengthening operational resilience across an organisation.

  • The challenges of conducting a series of exercises should not be underestimated, but effectively delivered exercises can be an important tool for any organisation.

Introduction - adopting a programmatic approach

In the previous articles in this series we have explored why organisations might conduct an exercise and the different formats of cyber incident exercise. We considered the requirements for the design of the exercise scenario, as well as some of the challenges in designing exercises for executive-level participants. 

In each case, the focus was on a single exercise. However, in this final article in the series, we will make the case for moving from an approach focused on one-off exercises to one focused on programmes of exercising. By conducting regular cyber incident exercises, as part of a broader integrated programme, organisations can develop their operational effectiveness and resilience. 

Regular exercising

The NCSC in its guidance on cyber incident exercises highlights the many benefits of conducting exercises as programmes rather than single events. In summary, a programme of exercises is more efficient to deliver and more likely to deliver measurable outcomes.  

At an administrative level, it is more efficient to organise and seek approval for a programme of exercises than a series of individual exercises. For senior leaders within the organisation, approving a programme of exercises signals a strong commitment to addressing cyber security risk.

Conducting regular exercises also removes the temptation to try to address all of an organisation’s objectives through a single exercise. As earlier articles in this series described, introducing multiple levels of the organisation into an exercise increases its complexity and resource requirements (see Article 2). If an organisation is committed to a programme of exercises then it may be preferable (depending on the organisation’s objectives) to exercise different levels of the organisation separately. 

Organising a programme of exercises allows for lessons identified in one exercise to be carried over into the next. Conducting multiple exercises also allows for comparison over time, which can help to demonstrate exercise outcomes and return on investment to internal and external stakeholders, including shareholders and regulators. 

An integrated approach to operational resilience

Beyond adopting a programme approach to exercising, the next step is to integrate that programme into a broader organisational plan for training and assurance. This plan will incorporate programmes of exercises alongside other means of testing and strengthening an organisation’s people, processes, and technology. It might also mean exercising with partners and suppliers that are assessed to be critical to an organisation’s resilience. 

For organisations earlier in their journey towards resilience, this plan will require organisational transformation. For more mature organisations, the focus will be on ensuring that processes and structures remain fit for purpose as the organisation changes and develops, amid a changing threat and regulatory environment. In both cases, exercises can be an effective tool for testing existing arrangements and considering means for improvement. 

Such a programme would build in complexity and integration over time. Moreover, given the inevitability of cyber security incidents, it is likely that incidents - even crises - will occur during the life of the programme. Rather than being a problem, a crisis can be a powerful opportunity to accelerate the pace of change and, with it, the organisation's maturity.

Conclusion

This series has explored cyber incident exercises, underlining the value that they can bring to organisations seeking to address cyber security risks and develop operational resilience. 

Conducting an effective programme of cyber incident exercises is not a trivial endeavour. Throughout this series, we have emphasised the importance of first clearly articulating the desired objectives of an exercise. We have pointed to the importance of internal engagement across the organisation, as well as of working with external stakeholders and partners. Failing to clearly specify objectives and to engage appropriately can undermine an exercise even before it is delivered.

Despite these challenges, the benefits of cyber incident exercising can outweigh the risks. Well conceptualised, designed, and facilitated exercises - ideally delivered as programmes - conducted as part of an integrated organisational approach to developing operational resilience, can deliver significant return on investment for an organisation. By following best practices and working with specialist external partners, an organisation will find that cyber incident exercises are an effective and engaging means of addressing cyber risk.

Learning points:

  • Planning to deliver a programme of exercises is more time efficient than conducting a series of individual exercises. 

  • A programme of exercises allows different objectives to be addressed in separate exercises, reducing the complexity and resource requirements of individual exercises.

  • A programme allows for lessons to be carried forward between exercises and for comparisons of performance over time.

  • A programme of exercises should be one part of the organisation’s broader approach to strengthening operational resilience.

Tyburn St Raphael is experienced at delivering cyber incident exercises. Whatever your goals, Tyburn St Raphael’s seasoned cyber incident exercisers will work with you to deliver the right exercise for your organisation. You can learn more about our cyber incident exercising offering here [executive TTX] or get in touch with us at info@tyburn-str.com
