Let’s be blunt: For management, cyber attack simulations and drills can be a hard sell. Although “cyber resiliency…is increasingly a concern for mission owners,” according to MITRE, management doesn’t always see how exercises translate to enhanced cyber resilience. They may think simulations cost too much or create unnecessary distractions from real work, or, among other objections, that they simply aren’t a priority.
These barriers can be overcome, but only if you have a strategy for working past common misunderstandings among management about the purpose and value of cyber attack simulations. This blog unpacks how to do that by discussing the most common challenges we encounter when pitching simulations to managers and the practices we’ve developed for working past them.
Common objections to cyber attack simulations
Although more and more companies perform periodic exercises and realize their value, many senior managers tend to be instinctively a little dubious of the value of cyber simulations. The most frequent objections include:
- Misunderstanding what simulations actually entail: Often, management believes that simulations mostly cover the technical aspects of how to respond to a cyber attack, instead of addressing how the business as a whole should react. For that reason, they view them as having limited value, and as being useful only for the technical part of the business.
- Cost concerns: Facilitating cyber attack simulations comes at a cost, and if management looks only at this direct, upfront spend, they may think it’s not a must-have investment. However, in reality, the money spent on simulations can pay for itself many times over by minimizing the financial impact and reputational harm of an actual cyber incident.
- Time sink: Managers sometimes think that cyber exercises require too much time and effort – including on their own part. They’re not completely wrong about the time commitment; effective simulations do necessitate several focused hours on the part of management to prepare and execute the simulation. Of course, the time investment pays off in the form of having proper “muscle memory” to effectively respond during a cyber attack, but management doesn’t always recognize that fact easily.
- Low priority: In some cases, managers see the value of cyber attack simulations, but they don’t treat them as a priority or rank them highly on their to-do list. They don’t expect a real cyber attack to occur anytime soon – despite the fact that cyber breaches are now one of the most pressing risks to any organization – so they don’t feel any urgency to perform simulations.
- Dismissing simulations as a “test” or audit: Some managers perceive simulations as simply a test or an audit – and one that their businesses will likely fail, since the simulations will reveal weaknesses in cyber response planning. They don’t realize that the actual purpose of a simulation is to ensure that participants gain the experience and guidance necessary to respond effectively to a real attack, rather than being an exercise that the business is supposed to “pass” under simulated conditions.
All of these objections reflect misunderstandings of the nature and purpose of cyber attack simulations, as opposed to genuine reasons not to perform a cyber simulation. Nevertheless, they’re objections that businesses must get past in order to achieve buy-in for cyber simulations.
Want to hear more about how we conduct cyber simulations?
Top pointers to achieve management buy-in
Overcoming those objections boils down to a three-pronged approach.
Cyber Simulations save money
First, emphasize that simulations can save significant amounts of money in the long run. Effective simulations are by far the most cost-effective and easiest way to prepare for an attack and to minimize the disruption and financial harm it causes the company.
There is a clear and proven correlation between the readiness level of companies and their ability to effectively manage a cyber event and recover with minimal damages.
Senior managers instinctively recognize the value of saving money, so this argument tends to carry a lot of weight. By presenting simulations as a money-saving rather than money-costing venture, it becomes much easier to get managers on board.
Training in cyber simulations protects business reputations and client relationships
Going further, it’s important to emphasize to management that the value of simulations extends beyond saving money and beyond the technical aspects. They also help to protect client relationships and defend the reputation of the business – assets on which you can’t necessarily place a dollar figure.
To put this another way, managers should understand that simulations protect the business in its entirety, including but not limited to its financial interests.
The multiple stages of simulations
To emphasize that simulations involve more than just walking through the technical facets of attack response, it’s valuable to highlight that simulations are broken down into three stages – each of which presents an opportunity to enhance response plans.
The first phase is preparation. Preparation creates opportunities for stakeholders to ask questions and probe response strategies for weak points. The preparation process alone will already put the company in a better position to face a cyber attack. Then comes the second phase, the simulation itself – an opportunity to identify unanticipated gaps or weak points in response plans so they can be addressed before a real incident occurs. The last and most important stage is the “after-action” report, with specific recommendations and action items that need to be addressed by the company.
What happens when companies already have a business continuity plan?
In certain cases, we run into situations where the business already has some kind of business continuity plan, making managers even less keen to invest in cyber attack simulations.
The best approach to take in this case is to emphasize that simulations present an opportunity to put plans to the test. Oftentimes, businesses have continuity plans, but they never (or rarely) test them until disaster strikes. Simulations offer a means of finding problems with the current plan in order to improve upon it and make it as effective as possible before a real cyber attack occurs.
A tailored approach to simulations
At Cyberstar, where we specialize in cyber resilience and response planning for maritime and logistics companies, we know what it takes to get buy-in for cyber attack simulations from across the business. We use an approach wherein we tailor simulations to the business’s unique needs.
We start by understanding the business, its internal processes, its culture and its liabilities. We also learn about its systems and infrastructure and how they map onto business resilience. From there, we build simulations designed to reflect as accurately as possible how a real attack would impact the company. Using this context, we can vet the business’s response plans – or lack thereof – and help the organization prepare for whatever cyber attackers might throw at it.
This strategy reflects our special approach and our deep experience working in resilience planning, particularly for the maritime and logistics industry. Talk to us today to learn more about our unique perspective and ability to help businesses derive maximum value from simulations: