Most leadership teams I meet have some kind of security report. Maturity scores. Green and amber fields. A summary that gets refreshed before every board meeting.
It usually looks good. Structured, easy to read, clear about what’s moving in the right direction. But when something actually breaks, it rarely helps.
Because when the alarm goes off at 02:14 on a Friday, the question isn’t what the report showed last month or what’s on a checklist. The question is:
- Who decides we go public?
- Who calls the regulator, and how fast do we have to do it?
- What do we do if the supplier goes silent for six hours?
- Who talks to the press while the lawyers are still digging through the contracts?
It’s not in the report. It’s nowhere.
Informed isn’t the same as prepared
There’s a comfortable illusion in many leadership teams. Because they get updates, they feel informed. And because they feel informed, they assume they’re ready.
But information is the raw material for decisions. It isn’t the decision itself. A leadership team that has only seen numbers has never been tested in the situation where the numbers don’t help.
An untested leadership team makes its first real incident decision at the same time as it handles its first real incident. That’s a bad time to learn.
What the report doesn’t measure
No maturity report I’ve ever seen has answered these questions.
Decision authority under time pressure. Who owns the call to take the customer-facing system offline? The CEO, the CIO or the security lead? And if that person doesn’t respond within fifteen minutes, who takes it then?
External communication. What’s our first press statement, and who writes it? In which languages do we publish if customers are spread across several countries? Who’s the spokesperson if the CEO is on a flight?
Regulatory notification. The Swedish Cybersecurity Act gives 24 hours from the moment you become aware of a significant incident to send an initial report to MCF. GDPR gives 72 hours from awareness to notify the supervisory authority of a personal data breach. Both clocks start when you become aware, not when the investigation is finished, and they run in parallel. Who keeps track of which clocks are ticking, and of what each one needs to contain?
Supplier dependence in a crisis. When a critical supplier is the source of the incident, who makes the call? Who asks the right questions? Who decides whether to switch suppliers in the middle of an active incident?
These are questions that can’t be answered by reading more reports. They get answered by being worked through in an exercise.
A sharp exercise, two hours
The proposal is simple. Swap one of the year’s status updates for a sharp exercise.
Two hours in a room. The whole leadership team, not just the CIO and the security lead. A scenario that mirrors the organisation’s actual risk picture. An external facilitator who keeps the pace, drops in new events and doesn’t let the room circle the same point.
The clock is running. Decisions have to be made before all the information is in. Press queries land. The regulator calls. A customer leaks to a journalist. The board chair wants an update. All at once.
That’s where you find out what actually works and what only looked good on paper.
What the exercise teaches you that the report doesn’t
Where the decision chain breaks. On paper the responsibility map looks logical. In the exercise it becomes clear when two people each think the other is making the call, or when no one wants to take it.
How communication holds up under pressure. It quickly becomes clear who turns terse, who starts improvising, and who can’t make a decision without ringing two other people first.
Where the unrehearsed roles sit. The legal counsel who has never spoken to a regulator. The HR director who doesn’t know whether informing staff requires union consultation. The communications lead who discovers they have no prepared tone of voice for a cyber crisis.
How long the decision paths really are. On paper an escalation might take ten minutes. In practice it turns out to take forty, because the right person is in another meeting and no one dares interrupt.
None of that shows up in a maturity score. All of it becomes obvious in two hours.
It’s the board’s job to practise, not just to read
The Cybersecurity Act requires the leadership body to take active responsibility for cybersecurity work and to undergo training. For private operators, non-compliance can carry personal consequences. The regulator can seek a ban on a person holding a leadership role.
Going through a training course isn’t enough. Reading a report isn’t enough. The only proof that a leadership team can act is that it has acted, even if only in an exercise.
This isn’t only relevant for organisations covered by the law. The law won’t protect your business, and a leadership team that has practised makes better decisions even when no regulation forces them to.
How to actually get started
You don’t need a big production. Three things are enough.
A realistic scenario. Not a textbook ransomware drill, but something that mirrors your organisation. A municipality? Then the scenario might be an outage in the financial system on payday. An industrial business? Then it might be a breach at a critical supplier that disrupts production.
The whole leadership team in the room. CEO, CFO, communications, HR, legal. The security and IT leads aren’t enough. The people who will make the calls on the day it happens should be at the table during the exercise too.
A facilitator willing to push. Whoever runs the exercise should not be an internal colleague who wants everyone to look good. They should be able to introduce uncomfortable questions, challenge assumptions and keep the pace up even when the room wants to stop and think.
Two hours. Once a year. That’s the minimum.
As we noted in “Security that isn’t communicated is security that doesn’t exist”: it’s not enough to send the message. The recipient has to be able to act on it. The exercise is the proof that they can.
When did your leadership team last practise?
If the answer is “we have an updated crisis plan”, that doesn’t count. Having a plan and having practised the plan are two different things.
If the answer is “we walked through it in a workshop last year”, that barely counts. A workshop tests understanding, not decision-making.
If the answer is “we’ve never done it”, that isn’t a failure. It’s a starting point. The simplest and most valuable improvement a leadership team can make to its cybersecurity is to book the first exercise.
Before the alarm goes off at 02:14 next Friday.
Need help designing a sharp leadership exercise that mirrors your real risk picture? Contact us for a complimentary assessment.