At the X-Force Command Cyber Range in Cambridge, Massachusetts, we’ve seen hundreds of companies practice their response to a simulated cybersecurity attack. Teams from some of the world’s top intelligence and law enforcement agencies and financial institutions, and from a variety of industries from energy to technology, have trained in various scenarios in our range, which is modeled after a fusion team security operations center (SOC). These are all highly competent people, but many of them struggle in our breach challenges.

When we opened the Cyber Range, we knew our experts would be training security professionals in technical skills with hands-on-keyboard exercises. What we didn’t anticipate was the massive demand for the type of training we offer for those outside of the SOC. That’s why we strive to teach business leaders how the whole organization should respond to an event that affects every level of the business.

A Different Kind of Decision-Making Process

What we’ve learned from watching these teams of executives, board members and other leaders is that people need the most help when dealing with what comes after a breach — what we call “right of boom.” Many leaders come out of business school having studied a decision-making process that is slow, deliberate and based on mountains of data. But you don’t have that luxury after a breach — you are working against a ticking clock and with incomplete information. You have to learn a more military-style decision-making process, where you stand up an incident command team, designate a commander who is in charge, start walking down a runbook that’s been predetermined, and make hard decisions without hesitation.

Classroom-style learning, tabletop exercises and even talking to security leaders who’ve been through the experience of a breach aren’t enough to prepare you for the intensity of a rapidly changing situation where the survival of your business is on the line. You need to experience it yourself. That’s where the X-Force Command experience is different from other kinds of preparation, and even the other cyber ranges out there.

Our technical advisors and gamification experts have mastered the art and science of creating an experience that feels like a real breach. When the phones start ringing and you’re forced to react when the action is coming at you fast, there is a palpable sense of pressure. Going through this experience shows people what they’re made of, helps them learn how to respond in a stressful situation, and highlights where they need to improve their decision-making capacity.

3 Takeaways From the X-Force Command Cyber Range

In the past couple of years, my team has learned a lot, too, about how to build the X-Force Command experience into a laboratory of cyber best practices. With more than 2,000 customers that have come through the range, we can share what some of the world’s most mature customers are doing to stay one step ahead of threats. We help teams conduct a gap analysis based on business key performance indicators (KPIs), and we teach you what a full business response looks like, both before and after an incident.

Below are three common themes we’ve noticed that tend to have a big impact on whether teams are successful in the range.

1. Culture Counts

Your company culture makes a big difference in how well you perform in a crisis. Some cultures are more inclined to run toward a problem, and those that do tend to fare better. It takes a cohesive unit and a common understanding in which people know their roles, but aren’t afraid to speak up or take charge when the time is right.

2. Playbooks Crack Under Pressure

Having a playbook is just the beginning. In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next. That’s when your training and muscle memory kick in and you execute your plan. If you don’t practice it, you put yourself at an avoidable disadvantage.

3. Leadership Matters

Last but not least, you need leaders. Sometimes those leaders are not your executives. More often it’s someone who has done a tour in Iraq or Afghanistan or has spent time as an EMT. Some kinds of leadership can be taught in a classroom, but the true test of leadership happens in the arena. Leaders thrive in tough situations, and every tough situation needs leaders. If you’re like many organizations struggling to find qualified talent to fill empty cybersecurity chairs, you might need to look beyond the traditional places. Recruit and train leaders.

What’s Next: The X-Force Command Cyber Tactical Operations Center

There has been such tremendous demand to visit our X-Force Command Cyber Range that we decided pretty early on that we would need to expand our operations. But rather than trying to choose a location for customers to come to us, we want to bring the X-Force Command experience to you. This week, we reached the culmination of a months-long project to do just that, and I’m so excited to launch our new IBM X-Force Command Cyber Tactical Operations Center (C-TOC).

The X-Force Command C-TOC is a mobile command center, modeled after the tactical operation centers used by the military and first responders, but with a singular focus on cybersecurity. It’s the industry’s first mobile cyber range and watch floor — and it’s a technical wonder. To fit all the equipment necessary for an X-Force Command experience, the 23-ton trailer expands to more than twice its width. The whole thing is powered by a 47 kilowatt generator, allowing us to create an entire IT environment on a 100 TB VMware solid-state disk array. It’s easy to be impressed by the C-TOC’s size and appearance — like something straight out of a “Transformers” movie — but form really follows function.

Building on the mission of the Cyber Range, the primary goal of the C-TOC is to give more customers access to the cutting-edge simulations and response training we’ve developed from our experiences in Cambridge. However, the mobility of the C-TOC opens up many additional possibilities, such as education with students and the public, and even helping with cybersecurity efforts on-site at major events.

Check out the X-Force Command C-TOC website to learn more about why we built it and what it can do.

https://www.youtube.com/watch?v=U_4fZ6wYQFw
