
Erlend Andreas Gjære is a co-founder @ Secure Practice & SheSpeaksCyber. He has studied security and people for 15 years, including six years as a research scientist, with a focus on training, awareness and culture, behavior and incident response. In 2017, he became a tech-founder at Secure Practice, to help people with digital security at scale. He has delivered more than one hundred preparedness exercises across Norway and Denmark, through a tour concept of free events to increase cyber preparedness among thousands of small and medium enterprises, with support from the European Cybersecurity Competence Centre (ECCC), and won the European Digital Skills Award 2024 for this effort. We asked Erlend to share how to get both the management and operational teams engaged in practice sessions, trainings, etc.
Executive management have a lot of different topics on their plate, and cybersecurity is only one thing to deal with. Make sure you do your best to understand the business they manage. Show them how you are also there to support the business, rather than preaching technicalities over their heads. You are simply their peer who also happens to be an expert in cybersecurity. Keep in mind also that everybody loves a good story – including management – because relatable stories are more memorable. Therefore, try inviting them in on a little piece of storytelling with an incident that could have a real business impact.
Never underestimate the ability of management to understand complex problems, so you don’t just intimidate them with fear, uncertainty and doubt. Rather, focus on interfaces and decisions where management can actually play a part, and on the impact this has on business continuity, safety and reputation. Then, try letting them do more of the talking, and understand any shortcomings themselves. In my experience, there is no better way to get buy-in for mitigating measures than when they figure out the need on their own.
Finally, remember it is always helpful to build relationships – indeed very human ones, to obtain the trust you need to be in the room with them. And to keep building their trust in you as a business advisor.
Operational teams are naturally more concerned with how specific tasks are done than management in strategic exercises. You can always use storytelling to provide context with this audience too. The challenges you pass along should probably allow for more time and attention to details, including actually solving various tasks.
For communications, this could mean writing a press release on the incident at hand. Within an IT environment, this could include e.g. writing scripts or searches for key information of interest. It could also involve getting a new kind of attack vector thrown into the mix, and you’ll need to actually find out whether the organization may be vulnerable to this.
The level of detail needed may however also be a slight risk here, in particular for IT professionals. If a key premise for the exercise is wrong, e.g. an exploited vulnerability which is not actually present in the environment, some could get caught up in arguing about that as an issue. Apart from getting such details right, setting clear ground rules for the exercise is another way to remediate this risk. Simply share very explicitly before you begin what the purpose and desired outcome(s) of the exercise are, and how we should engage with each other and the scenario at hand.
We have now engaged more than 5000 companies in preparedness exercises across events in the Nordics and Baltics, and across all sectors, both public and private. While our free exercise events target small and medium sized enterprises in particular, many of the dilemmas and decisions that come up are similar even to the big ones. There are of course differences in capacity and capabilities, and definitely in terms of dependencies. The most challenging scenarios are maybe in companies which depend on operational technologies (OT). IT and OT systems exist under different priorities, and strategies for both patching, maintenance and availability with backup systems may be vastly different.
But this is the same everywhere: the existence of processes in an organization, and the assets which these processes depend on. If there is a disruption to these processes, people will need to somehow keep things going anyway. Exercising with the people who are involved in these processes, the same who are affected by disruptions, allows them to make the experience feel tailored anyway – just make sure to not lock up too many technical details in advance. This is what co-creation looks like in practice – it is not just top-down.
First of all, one can measure the exercise experience itself, and happy participants are always a joy to have during the debrief afterwards. Then, we should look at the action items which came up during the exercise – will there be any clear tasks to solve right away?
If the exercise included management, it is more likely that you’ll have support and budget available in the room already. Seeing in particular such calls to action from management is a thrill to end the session with. If they are engaged, simply let them do the talking during the debrief and use your momentum to move your efforts forward.
Finally, I think seeing actual measures being implemented is the ultimate success metric. We asked former participants about this in Denmark, six months after they had been through our national exercise scenario. We found that 48% of participating companies had implemented or improved their crisis preparedness plans, with any measures that come along as a consequence. Based on the total number of participants, that translates to thousands of companies actually taking action.
A typical traditional pattern we see is that an exercise per year is the goal. Some organisations struggle to get started with their first exercise ever, and some spend a lot of time preparing really advanced set-ups, because they really care about making it worth the time for management. Instead, we believe that storytelling never goes out of fashion. And since exercises are really good for this, why don’t we model a lot more of organisation development around them?
I’d claim the more time and effort is allocated for doing an exercise, the more you do them. Obviously, you’d have to get people to take time out of their schedule to participate, but consider that the purpose here is not just compliance. And exercises don’t need to be longer than other meetings, it is all just a matter of learning objectives.
What if exercises are simply a great way to deploy organisational learning, all year-round? We’ve found that companies who adopt exercises as something more than a one-off have more happy learners, better learning retention and more tangible outcomes from training efforts. It is all about storytelling, combined with the co-creation effect from people having good adult conversations about mutual needs and challenges. This is why we’ve created PrepJam, our tool to make exercises something more than just a one-off every once in a while. With interactive features to ensure engagement every time, the scalable participation model of PrepJam allows even hybrid and remote exercises to work well. Our library of pre-made scenarios includes real-life situations shared by our customers and users, so that you can simply press play to get started.