The Role of Senior Management and Your Technology and Information Security Department In A Cyber Breach Exercise

There are two things you must have in place before you begin planning a cyber breach exercise to ensure that the exercise will go smoothly. Both are critically important. You need senior management commitment and you need a willing Technology and Information Security department.

Senior Management and Cyber Risk

A wide-range of cyber risks have emerged in recent years and clearly no company or organization is immune. And just when you think you understand them, the threats morph, evolve, and change. High-profile losses of data stored on portable devices are growing. The Internet is producing new schemes that we could hardly imagine just a few years ago. What’s next? Governments are stepping up their involvement to implement laws which will hold the controllers and “holders” of data to higher standards in terms of cyber risk.

Senior Management Responsibilities

Senior management is subject to a number of obligations and duties, whether by specific regulations or legal statutes. These individuals have a duty to act in the best interests of the company and must ensure that the company has proper policies and procedures in place, as well as adequate systems and controls.

When a cyber incident occurs, the spotlight can quickly turn to senior managers and the role they play in securing the company’s valuable information. The brand and reputation of the company is at stake, and it will be tried in the court of public opinion. Affected third parties that suffer a loss may look to the company to recover their losses. These claims may allege senior management’s breach-of-duty of care or breach of confidence arising out of a loss of data. Board members can also be exposed to shareholder actions for breach-of-duty if a cyber risk is not mitigated and a cyber incident causes a drop in the share price.

Senior managers need to understand the risks and the potential liabilities they face as a result of cyber risk and get engaged not only in prevention but also in the crisis management role once an incident has occurred. Senior management must understand:

  • Their role during a cyber security incident.
  • The cyber risk that the company is facing.
  • If the appropriate cyber security and risk mitigation measures have been put in place to deal with the cyber risk that has been identified.

A Willing Technology and Information Security Department

Having willing Technology and Information Security departments participating in a cyber exercise cannot be understated. If you’re not careful, this exercise can turn into a high-stakes game for the Technology and Information Security departments and, in particular, Technology management. After all, “the problem” is happening in their shop. And some people might look at them with a “Why did you let this happen?” look. Therefore, they have to be willing to go along with the scenario, and you might have to provide them cover.

The Technology and Information Security Departments need to provide you with people who can design the “air-tight” storyline. This Technology Exercise Design Team will be essential in spelling out how the supposed breach occurred. They are being asked to expose the company’s soft underbelly, disclose possible weaknesses, and then help drive the spear into them. This may make them nervous.

I personally think about this as a fabulous opportunity for everyone in the company to learn and appreciate the ever-growing complexities that the IT team faces. Only when all of the issues are out in the open, solutions can be found. If fixes aren’t possible, then discovering workarounds and ways to tighten response and impact plans are good to know.


Building senior and technology management engagement is critical in an exercise with this scenario. Begin at the top first, build commitment and buy-in, and you will be off to a great exercise design start.

To read more about all of the aspects of Cyber Breach Exercise Design, find my new book-

Cyber Breach: What if your defenses fail? Designing an exercise to map a ready strategy
On Amazon by Clicking Here


Regina Phelps, CEM, RN, BSN, MPA is the Principal with EMS Solutions, Inc. She is an internationally recognized expert in the field of emergency management and continuity planning. Since 1982, she has provided consultation and educational speaking services to clients in four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in incident management, exercise design, and continuity and pandemic planning. Clients include many Fortune 500 companies. Ms. Phelps is a frequent top-rated speaker at well-known conferences such as the Disaster Recovery Journal, CP&M, and the World Conference on Disaster Management. She is frequently sought out for her common sense approach and clear, clean delivery of complex topics.