Why Cyber Exercises must go beyond IT

October 6, 2025
BY Grant Chisnall

We’re deep into Crisis Exercising Season, with a record number of scenarios running up to Christmas. While there’s been a welcome shift toward more operationally focused exercises, cyber remains the dominant theme—and it continues to expose a critical flaw: organisations still treat cyber incidents as purely technical problems. In reality, cyber risk is a business risk, and this disconnect is more than a missed opportunity—it’s a serious vulnerability. 

🚨 Cyber Risk Is a Business Risk 

A cyber attack doesn’t just affect IT systems – it can halt operations, compromise data, disrupt supply chains, damage reputations and erode trust. These are business impacts that need business solutions.

Yet when a cyber crisis hits, all eyes turn to IT. That’s like asking the fire brigade to handle your legal, PR, and customer fallout during a blaze. IT’s job is to contain the threat. It’s the business—executives, legal, comms, operations—that must manage the consequences. 

🔍 The Illusion of Preparedness 

Cyber exercises are meant to test resilience, but too often, they’re designed by IT teams, for IT teams. They focus on playbooks, firewalls, threat detection, malware containment, and system recovery—important, but narrow. 

The result is a false sense of security. The organisation thinks it’s ready, but only the technical playbook has been tested. 

The Challenge of Realism 

Designing realistic cyber exercises is tough. It demands:

Cross-functional involvement: Legal, HR, comms, finance, and ops must be in the room—not just IT.

Relevant scenarios: Exercises must reflect real threats and business-specific vulnerabilities. If they don’t speak to strategic impacts, execs will disengage.

Authentic intensity: Over-scripted exercises don’t reflect the chaos of a real event. Leaders need to feel the pressure.

Decision-making under fire: It’s not just about restoring systems—it’s about prioritising, communicating, and recovering under stress.

Cultural readiness: Many execs are uncomfortable with ambiguity and tech jargon. Exercises should bridge that gap, not widen it.

🧠 Shifting the Mindset 

To build true cyber resilience, organisations must rethink their approach: 

🔄 Cyber scenarios need to be less about the technical cause, and more about the business impact