What are cybersecurity fire drills?

As a cybersecurity professional, you’re asked the same question every time you meet with your executives or Board: 

“What’s the worst that can happen, and how prepared are we?”

Deep down, you know you don’t have a great answer.  It’s not because you aren’t doing your job, but because you don’t have the right tools:  

  • You can describe how many employees watch your security awareness training videos, but you have no confidence that they actually paid attention.
  • You can point to the weekly tests in your breach and attack simulation software, but those only prove that your technical controls (antivirus, firewall, phishing filters) are working; they say nothing about how your people respond. 
  • You can describe the cyber range simulations your team has run, but these focus on tool training, not decision-making and critical thinking.
  • And you can try to get your executives or Board to go through a tabletop exercise, but only a handful of people will show up, and only a few will do all the talking.  

As an industry, we need a better way to test “layer 8,” the people layer that sits above the seven layers of the OSI model.  We need tools that show how your entire team would actually behave in real-world attacks.  

Enter Cybersecurity Fire Drills

When the stakes are high, simulation is nothing new.  Pilots use flight simulators.  Surgeons run practice surgeries.  Commercial buildings run fire drills.  

Why do simulations work so well?  

  1. Muscle memory.  Repetition means people make the right choices when it matters.
  2. Engaging and fun.  Games, not boring videos or PowerPoints. 
  3. Highly relevant.  People are being tested on what they need to know for their job.
  4. Immediately actionable.  You know exactly what failed, and how to fix it.
  5. Scalable.  Run the same simulation across your whole team, not just a few people. 

A cybersecurity fire drill is a series of online games that let you see how your whole organization would perform when faced with real-world attacks.  They’re fun and engaging, unlike security awareness training. They focus on people, unlike cyber ranges and breach and attack simulations.  And they’re scalable and take just a few minutes, unlike tabletops.  

Here are two ways that cybersecurity fire drills have helped real companies:

  1. The CEO of a software company wanted confidence that his entire team would know what steps to follow if their Google Workspace was attacked.  He sent a cybersecurity fire drill out to all his employees.  While each employee only spent 1-2 minutes playing the game, he quickly saw who made critical mistakes.  He also received a list of common mistakes that his team made, so he could address them with training and follow-up.
  2. The CISO of a global manufacturing company had just trained his worldwide I.T. team on their new incident response procedure.  A few weeks after the training, he sent a cybersecurity fire drill game out to the I.T. team.  Each employee played the game for 10-15 minutes.  He was disappointed when he saw how poorly his team did, but grateful to have learned this in a simulation rather than a real attack.  He also liked seeing exactly who failed and why.  And he had the ability to re-run the same simulation after doing additional training and process changes, to demonstrate progress. 

An Answer Your Executives Will Love

Cybersecurity fire drills are the best way to make sure your company is prepared for real attacks.  Each employee spends a few short minutes playing a fun, simple game.  Once they’re done, you get clear, actionable intel that shows your overall strengths, weaknesses, and recommendations for improvement.  You can take corrective action, re-run the simulation, and show metrics-based progress to your executives and your Board.  You’ll finally have a great answer to the question of “are we prepared.” 

Image credit: redflower, AdobeStock


Posted by

Josh Ablett

Josh Ablett, CISSP, has worked in cybersecurity for almost 20 years, implementing cybersecurity programs that have passed audits by various regulatory agencies and building security programs compliant with standards and regulations like NIST 800-171, HIPAA, GLBA, and state privacy laws. Josh has worked with companies of different sizes, from small teams of 5 to large organizations with up to 50,000 employees. Josh served as vCISO at AdeliaRisk and SVP/Head of Fraud and Global Insider Threat at the Royal Bank of Scotland (RBS). Josh is a co-founder at ChaosTrack.