We ran a war-room simulation built around a pretend incident and split into teams with assigned roles. Each group had a CEO, CISO, Legal, and Public Relations lead, and I served as the CISO. The exercise was a high-level tabletop, but it felt realistic because every decision had tradeoffs across operations, messaging, and legal exposure.
The scenario started with social engineering. An attacker convinced an employee to plug in a spare server that still had critical vulnerabilities. That foothold let the attacker move laterally and deploy ransomware across multiple systems. The pace picked up fast once the blast radius expanded, and we had to balance containment with keeping the business running.
As the CISO, my focus was on the recovery path and the preventative controls we would need to stop a repeat. We discussed the immediate steps to stabilize operations, how to prioritize restores and clean rebuilds, and what evidence we would preserve while coordinating with Legal and PR. Longer term, we weighed controls like asset inventory, stricter hardware intake, network segmentation, and employee training against cost and implementation time.
The exercise also added a game element: the faster we finished our planning and reporting, the more credit we earned. That pressure forced us to make decisions with partial information, keep documentation concise, and align quickly with the rest of the team. It was a useful reminder that incident response is as much about communication and momentum as it is about technical fixes.
My biggest takeaway was the importance of a CISO who is willing to push for strong preventative measures to reduce cyber risk, even when that means hard tradeoffs. Just as important is accountability: a CISO has to own failures, respond quickly, and make smart, decisive calls under pressure.