Why CISOs are doubling down on cyber crisis simulations

Cyber threats aren’t going away, and CISOs know prevention isn’t enough. Being ready to respond is just as important. Cyber crisis simulations offer a way to test that readiness. They let teams walk through real-world scenarios in a controlled setting, exposing gaps and showing what needs work. It’s a practical way to strengthen response plans before a real attack hits.


Budgets are up, and so is pressure

A recent survey by Hack The Box shows that 74% of CISOs plan to increase annual budgets for cyber crisis simulations this year, driven by a wave of high-profile incidents in 2024. Many organizations found their response processes broke down when tested by real-world attacks. The result: missed alerts, slow decisions, bad communications, and reputational damage.

“Poorly managing public opinion can affect revenue, stock prices, reputation and customer relations. Conducting organization-wide cyber simulations is a way for the business to prove they did everything possible to be prepared,” explained Dan Potter, Senior Director, Cyber Drills & Resilience at Immersive.

Simulating the whole business, not just IT

A breach impacts more than systems. It affects customers, partners, and regulators. That means business leaders need to be involved in simulations.

The most effective simulations now include full executive participation, often using platforms to model end-to-end crises. Some platforms allow CISOs, legal, CFOs, and PR teams to walk through a breach scenario in real-time, making decisions under simulated pressure. These exercises test not just systems but also company culture and coordination.

Don’t ignore the human side

Crisis simulations also provide a chance to observe how teams work under pressure. They should be used to test processes, spot stress points, and support resilience. High-performing teams trust each other and communicate well under pressure.

Burnout among security analysts is a growing concern, especially in busy SOC environments. Long hours, constant alerts, repetitive tasks, and high-stress levels take a toll over time. The impact shows up in both physical and mental health — fatigue, headaches, trouble sleeping, anxiety, and even depression. For CISOs, this isn’t just an HR matter. It’s a threat to the team’s performance and long-term strength.

Some organizations now embed mental health awareness and workload checks into their crisis playbooks. For CISOs, that’s a shift in mindset: success isn’t just fast response but sustained performance over time.

“Cybersecurity teams are under immense pressure, knowing that the next breach may be just around the corner. This level of stress can impact the ability of teams to respond efficiently when a crisis arises. To improve crisis response, organizations should make it a point to consider mental health in their crisis planning, acknowledging that increased stress and burnout can compromise the overall performance of security teams,” says Haris Pylarinos, CEO at Hack The Box.

“It is critical for CISOs to take a holistic approach when it comes to the workforce development strategy. Stress, burnout, and mental health in cybersecurity continue to be at an all-time high. Providing teams with regular training, holding debriefing sessions, and assisting in identifying burnout symptoms during and after training exercises can help teams become more resilient and confident,” Pylarinos concluded.

Benefits of conducting simulations

  • Identifying weaknesses: Simulations expose technical defenses and human response gaps, allowing organizations to address vulnerabilities proactively.
  • Enhancing coordination: They foster better department collaboration, ensuring a unified response during incidents.
  • Building confidence: Regular exercises build muscle memory, enabling teams to respond swiftly and effectively under pressure.
  • Regulatory compliance: Many industries require regular testing of incident response plans; simulations help meet these compliance standards.

“It was once enough to theorise risk identification through using risk matrixes and lodging them in a spreadsheet describing threats and their likelihood of materialising,” says Aaron Bugal, Field CISO, APJ at Sophos. “However, looking at the impact caused by ransomware and subsequent extortion demands sending executive teams and board members into a spin, highlights the lack of understanding of how pervasive cyber criminals are and the opportunities they take.”

To move beyond theoretical planning, Bugal advocates for breach simulations as a practical step forward. “A simulation of a breach will allow you to draw out the concise and well-measured response actions that are demanded by you and your organisation,” he explains. Bringing together a cross-section of executives helps uncover gaps in readiness. “Physically sitting with a cross section of executives, board members, human resources, IT, security, legal and public relations will eke out the procedures, responsibilities and resources needed to respond with efficacy.”

By running these exercises in advance, organizations can avoid the chaos of real-time crisis management. “Simulations provide a structured approach to build and refine a breach response while playing it out and discovering where improvements are needed,” Bugal adds, “rather than learning and panicking whilst under the pressure of an active attack.”

How to run a simulation that works

To maximize the benefits of cyber crisis simulations, consider the following strategies:

1. Develop realistic scenarios: Craft scenarios that reflect current threat landscapes and are relevant to your organization’s operations.

2. Engage cross-functional teams: Include members from IT, legal, communications, and executive leadership to ensure a comprehensive approach.

3. Set clear objectives: Define what you aim to achieve with each simulation, whether it’s testing a specific protocol or improving interdepartmental communication.

4. Incorporate real-world tools: Utilize platforms that offer realistic, hands-on experiences. For example, certain simulators enable management teams, including CEOs, CFOs, CISOs, and legal departments, to collaborate in real time during a simulated cyber crisis, enhancing decision-making skills and testing crisis response playbooks.

5. Debrief and iterate: After each exercise, conduct a thorough debriefing to discuss what worked, what didn’t, and how processes can be improved.

Debbie Gordon, CEO of Cloud Range, emphasizes that a successful cyber crisis simulation hinges on a few key elements that CISOs often overlook. First, defining roles clearly across all team members is critical. Each participant should know their responsibilities in advance, from the security team to the communication experts, so there’s no ambiguity when a crisis hits. Second, make the simulation as realistic as possible. Simulations shouldn’t be sanitized or toned down for comfort—they need to reflect the complexities of a real-world breach. If a participant is only given half of the facts or feels they can ‘skip’ actions because it’s a drill, the exercise loses its value. Third, CISOs must ensure there’s no room for complacency. Avoid the mindset of “it’s not real, so we don’t need to act like we would in a real crisis.” Every action should be taken with the same urgency and rigor. Finally, ensure there are actionable results and follow-up. The value of a simulation lies in the lessons learned. Afterward, conduct debriefs, track improvements, and refine incident response plans to ensure the next crisis response is more effective.
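The five steps above and Gordon's points about defined roles, realism, and actionable follow-up all assume the exercise is scored against something concrete. The script below is an added example, not code from the article or from any vendor it names: a small tabletop runner in which each scripted inject names the role that must act, the playbook action that closes it, and a response-time target, and the debrief then reports which injects were handled on time, late, or not at all, and by whom. The ransomware scenario, the role names (`soc_lead`, `legal`, `comms`, `ceo`), the actions, and the timings are all constructed for illustration.

```python
# Added example (not from the article): a minimal tabletop exercise runner that
# scores recorded decisions against playbook targets and produces a debrief.
# Scenario, roles, actions and timings are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Inject:
    """One scripted event the facilitator delivers at a given exercise minute."""
    minute: int            # exercise clock when the inject is delivered
    text: str              # what the facilitator reads out
    expected_role: str     # role the playbook says must act on it
    expected_action: str   # playbook action that closes the inject
    target_minutes: int    # playbook response-time target


@dataclass
class Decision:
    """A decision a participant announced during the exercise."""
    minute: int
    role: str
    action: str


@dataclass
class Exercise:
    name: str
    objectives: List[str]
    injects: List[Inject]
    decisions: List[Decision] = field(default_factory=list)

    def record(self, minute: int, role: str, action: str) -> None:
        self.decisions.append(Decision(minute, role, action))

    def evaluate(self) -> List[dict]:
        """Score each inject as on_time, late, or missed (no matching decision after delivery)."""
        findings = []
        for inj in self.injects:
            matches = [d for d in self.decisions
                       if d.role == inj.expected_role
                       and d.action == inj.expected_action
                       and d.minute >= inj.minute]  # decisions taken before the inject don't count
            if not matches:
                findings.append({"inject": inj.text, "role": inj.expected_role,
                                 "status": "missed", "elapsed_min": None,
                                 "gap": f"{inj.expected_role} never did '{inj.expected_action}'"})
                continue
            elapsed = min(m.minute for m in matches) - inj.minute
            status = "on_time" if elapsed <= inj.target_minutes else "late"
            findings.append({"inject": inj.text, "role": inj.expected_role,
                             "status": status, "elapsed_min": elapsed,
                             "gap": None if status == "on_time" else
                             f"{inj.expected_role} took {elapsed} min, target {inj.target_minutes}"})
        return findings

    def debrief(self) -> dict:
        """Roll findings up into what a debrief session needs: counts, per-role results, open gaps."""
        findings = self.evaluate()
        summary = {"on_time": 0, "late": 0, "missed": 0}
        by_role: Dict[str, List[str]] = {}
        for f in findings:
            summary[f["status"]] += 1
            by_role.setdefault(f["role"], []).append(f["status"])
        return {"exercise": self.name, "objectives": self.objectives,
                "summary": summary, "by_role": by_role, "findings": findings,
                "gaps": [f["gap"] for f in findings if f["gap"]]}


def build_sample_exercise() -> Exercise:
    """Constructed ransomware tabletop: four injects, four roles, illustrative targets."""
    return Exercise(
        name="Ransomware tabletop (constructed sample)",
        objectives=["Validate the containment decision path",
                    "Test legal/comms coordination under time pressure"],
        injects=[
            Inject(0, "EDR alert: mass file encryption on a file server", "soc_lead", "isolate_host", 15),
            Inject(10, "Ransom note claims customer data was exfiltrated", "legal", "assess_notification_duties", 60),
            Inject(30, "Journalist requests comment on a social media post", "comms", "issue_holding_statement", 45),
            Inject(45, "Extortion demand with a 72-hour deadline arrives", "ceo", "convene_crisis_committee", 30),
        ],
    )


def run_sample() -> dict:
    """Play the sample with constructed decisions, including one late and one missed response."""
    ex = build_sample_exercise()
    ex.record(8, "soc_lead", "isolate_host")               # on time (8 min vs 15 target)
    ex.record(5, "ceo", "convene_crisis_committee")        # before the inject: does not count
    ex.record(95, "legal", "assess_notification_duties")   # late (85 min vs 60 target)
    ex.record(50, "ceo", "convene_crisis_committee")       # on time (5 min vs 30 target)
    # comms never issues a holding statement, so that inject is scored as missed
    return ex.debrief()


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The `gaps` list is the part worth carrying into the follow-up step: each entry names a role and the specific playbook action or response-time target it fell short of, which is what a debrief needs in order to track improvements between exercises rather than recording a general impression that "it went fine".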

In a crisis, coordination beats luck

CISOs don’t control when incidents happen. But they can control how ready their teams are to respond.

Cyber crisis simulations won’t prevent attacks — but they will shape the outcome. With the right design, frequency, and participation, simulations can turn chaos into coordination. And in 2025, coordination is everything.
