Cyber drills on a weekly basis? Making it mission possible

Question 1

1. Where do you get the inspiration for designing different cyber drills on a weekly basis? Do you have a set of rules/criteria for designing them?

Answer

I have three main sources of inspiration. The first is, whenever I or someone on my team encounters an issue or problem, I ponder if that can be used in a scenario. I have a OneNote page where I write those all down and try to incorporate them into a future scenario. The second way is I read a lot. I read about incidents in the popular media, read vendor threat reports, and especially case studies (like the British Library and City of Helsinki incidents). In all of my security reading, I also look for issues that would be good to incorporate into a scenario. And finally, I ask Microsoft Copilot for ideas.

Question 2

2. How do you get the organisation to commit on doing them so often?

Answer

I think it is worth breaking this down into the people who participate in the drills and management above me. When I first started doing the drills, I thought we would do them weekly for a couple of months and then scale back to biweekly or monthly. What I did not expect is how much the team would love doing these drills. I asked them if they wanted me to scale back and they said no—they said this was their favourite meeting of the week and they wanted to continue.

From the management side, there was recognition when I started that we needed to help the team get some experience making decisions during an incident. After doing these for a few months, management above me saw the results across decisions made by my team members, so the program was fully supported.

Question 3

3. What would be your advice for organisations/CISOs willing to start cyberdrills in their organisations?

Answer

You can do these without a lot of overhead. I use AI to help me build out scenarios based on an outline I provide it. I released a toolkit earlier this year which has a set of 80 scenarios we used (that have been sanitised) along with some of the prompts I use. Feel free to use those to help jump start a drill program. [They are available at: https://bit.ly/cyber-drills]

Question 4

4. Do you have any advice on getting the management team on board? How is it in your case with getting the approval to dedicate time for weekly practices?

Answer

We limit these to one hour a week. While that limits the complexity of scenarios, the purpose is to focus on making decisions and you do not need an overly complex scenario for that. I am sure in most organisations, there is at least one hour a week spent in a useless meeting—reprogram that time to a cyber drill! Giving your team some practical experience making decisions at a relatively low cost, should be an easy sell. The results should then show you made the right decision.

One additional note, these drills are not a replacement for doing a larger cyber exercise in your organisation. The drills help build capability to make technical and business decisions you encounter in an incident, but a larger cyber exercise makes sure your processes, plans, and procedures are tested.