The U.S. military views cyberspace as a critical domain it must protect — similar to air, sea, and land. It regularly conducts war games to expose and eliminate risks to data and networks and to test its cyber defense tactics and strategies. As part of that effort, the military and other government agencies, including the U.S. Department of Homeland Security, have launched “bug bounty” programs that reward so-called ethical hackers (people hired by organizations to hack into their computer systems) for identifying and repairing potential vulnerabilities.
Companies face many of the same cyber risks as military and government agencies, and many of them are investing in similar capabilities to protect themselves. Goldman Sachs, for example, plans to put more than 8,000 developers through a gamified cybersecurity training program to help them gain a deeper understanding of attacker psychology and the range of countermeasures they might take. During this program, teams will compete against one another in games that feature more than 300 risk scenarios to develop and hone skills in malware analysis, digital forensics, and ethical hacking. Other companies, such as Intel, are taking steps to identify problems early — for example, offering rewards as high as $250,000 to security experts who identify vulnerabilities in their products. Such open invitations to engage hackers have helped organizations uncover and address real risks.
Increasingly, cyber exercises are becoming standard elements of corporate risk mitigation and resiliency efforts. In this article, we will describe some of the exercises companies are employing. They include “tabletop exercises,” which are designed to help executives envision how they would handle different risk scenarios; “red team exercises,” which are designed to ferret out weaknesses through contained attacks conducted internally to see how cybersecurity teams respond; and the engagement of ethical hackers to test an organization’s cybersecurity defenses.
Tabletop exercises are carefully planned events that simulate actual cyberattacks, thereby helping organizations identify specific vulnerabilities and define processes, procedures, and individual responsibilities needed to make systems secure. However, it’s important to note that tabletop exercises aren’t just about “defending the castle” against attacks; they can also teach a company’s leaders to manage through the attack and after the attack to remediate damage. In a way, the exercises serve as an X-ray into the organization’s cyber weaknesses.