At the X-Force Command Cyber Range in Cambridge, Massachusetts, we’ve seen hundreds of companies practice their response to a simulated cybersecurity attack. Teams from some of the world’s top intelligence and law enforcement agencies and financial institutions, and from a variety of industries from energy to technology, have trained in various scenarios in our range, which is modeled after a fusion team security operations center (SOC). These are all highly competent people, but many of them struggle in our breach challenges.

When we opened the Cyber Range, we knew our experts would be training security professionals in technical skills with hands-on-keyboard exercises. What we didn’t anticipate was the massive demand for the type of training we offer for those outside of the SOC. That’s why we strive to teach business leaders how the whole organization should respond to an event that affects every level of the business.

A Different Kind of Decision-Making Process

What we’ve learned from watching these teams of executives, board members and other leaders is that people need the most help when dealing with what comes after a breach — what we call “right of boom.” Many leaders come out of business school having studied a decision-making process that is slow, deliberate and based on mountains of data. But you don’t have that luxury after a breach — you are working against a ticking clock and with incomplete information. You have to learn a more military-style decision-making process, where you stand up an incident command team, designate a commander who is in charge, start walking down a runbook that’s been predetermined, and make hard decisions without hesitation.

Classroom-style learning, tabletop exercises and even talking to security leaders who’ve been through the experience of a breach aren’t enough to prepare you for the intensity of a rapidly changing situation where the survival of your business is on the line. You need to experience it yourself. That’s where the X-Force Command experience is different from other kinds of preparation, and even the other cyber ranges out there.

Our technical advisors and gamification experts have mastered the art and science of creating an experience that feels like a real breach. When the phones start ringing and you’re forced to react when the action is coming at you fast, there is a palpable sense of pressure. Going through this experience shows people what they’re made of, helps them learn how to respond in a stressful situation, and highlights where they need to improve their decision-making capacity.

3 Takeaways From the X-Force Command Cyber Range

In the past couple of years, my team has learned a lot, too, about how to build the X-Force Command experience into a laboratory of cyber best practices. With more than 2,000 customers that have come through the range, we can share what some of the world’s most mature customers are doing to stay one step ahead of threats. We help teams conduct a gap analysis based on business key performance indicators (KPIs), and we teach you what a full business response looks like, both before and after an incident.

Below are three common themes we’ve noticed that tend to have a big impact on whether teams are successful in the range.

1. Culture Counts

Your company culture makes a big difference in how well you perform in a crisis. Some cultures are more inclined to run toward a problem, and those that do tend to fare better. It takes a cohesive unit and a common understanding in which people know their roles, but aren’t afraid to speak up or take charge when the time is right.

2. Playbooks Crack Under Pressure

Having a playbook is just the beginning. In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next. That’s when your training and muscle memory kick in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.

3. Leadership Matters

Last but not least, you need leaders. Sometimes those leaders are not your executives. More often it’s someone who has done a tour in Iraq or Afghanistan or has spent time as an EMT. Some kinds of leadership can be taught in a classroom, but the true test of leadership happens in the arena. Leaders thrive in tough situations, and every tough situation needs leaders. If you’re like many organizations struggling to find qualified talent to fill empty cybersecurity chairs, you might need to look beyond the traditional places. Recruit and train leaders.

What’s Next: The X-Force Command Cyber Tactical Operations Center

There has been such tremendous demand to visit our X-Force Command Cyber Range that we decided pretty early on that we would need to expand our operations. But rather than trying to choose a location for customers to come to us, we want to bring the X-Force Command experience to you. This week, we reached the culmination of a months-long project to do just that, and I’m so excited to launch our new IBM X-Force Command Cyber Tactical Operations Center (C-TOC).

The X-Force Command C-TOC is a mobile command center, modeled after the tactical operation centers used by the military and first responders, but with a singular focus on cybersecurity. It’s the industry’s first mobile cyber range and watch floor — and it’s a technical wonder. To fit all the equipment necessary for an X-Force Command experience, the 23-ton trailer expands to more than twice its width. The whole thing is powered by a 47-kilowatt generator, allowing us to create an entire IT environment on a 100 TB VMware solid-state disk array. It’s easy to be impressed by the C-TOC’s size and appearance — like something straight out of a “Transformers” movie — but form really follows function.

Building on the mission of the Cyber Range, the primary goal of the C-TOC is to give more customers access to the cutting-edge simulations and response training we’ve developed from our experiences in Cambridge. However, the mobility of the C-TOC opens up many additional possibilities, such as education with students and the public, and even helping with cybersecurity efforts on-site at major events.

Check out the X-Force Command C-TOC website to learn more about why we built it and what it can do.
