If cyber war games sound like your idea of fun, then this is the conversation for you! We're speaking with Sarah Gosler, the global head of Cyber Threat Simulation and the Engineering chief of staff at BNY Mellon. Sarah manages BNY Mellon's Office of the CIO and is responsible for cyber-attack-simulation training.
Watch this episode of A Little Privacy, Please!®
What are cyber war games, and how do they differ from traditional data security training?
War games are exercises originated by the military to teach a strategic understanding of optionality and measured impacts. Today, in the case of BNY Mellon, war games are interactive and experiential training exercises, which means that the people playing them are active and immersed in a training experience. It allows the players and the facilitators to discover organic insights that ensure we're prepared as much as possible in the event of an issue. And because they're immersive, it means they have varying outcomes. So no game will ever be played the same, which is exactly the point of what we want coming out of them.
The games themselves are really detailed. There's extensive planning because we need to make sure that we get it right. But they're also designed and created as a safe-to-play environment, which means permissive training that allows us to practice responses. In the event of an actual incident, it's definitely not as safe to fail; we need to be prepared. And it helps us explore what works and what doesn't work, and, in our opinion, it's a great tool enhancing our response to the complex and certainly evolving cyber landscape.
An interesting stat for you, too, as it relates to war games, is studies done on experiential learning show that people that go through experiential learning exercises have about a 90% retention rate on learning as opposed to more traditional classroom instruction.
From a benefits perspective, few better come to mind. So, first and foremost, war games allow us to find previously unknown factors that we wouldn't be aware of unless we did it and played it out. And by rehearsing real incidents, we're able to derive greater collaboration across teams that come together when a real incident occurs. So, if we've been in games as a team, where people may not have even met each other before—but if faced with a cyber event, they would suddenly be forced to work together—by the end of the game, after going through it, now you know your neighbor, you know the person you would be in the proverbial foxhole with to solve an event together. It's like post-COVID-19, coming back against the world together. Being in the same room does a ton for bringing people together. And then, lastly, it's about muscle memory. When you actively do something, go through it in a safe environment, and then face the same in a real environment, the hope is that you'll come out much better because you've at least seen it before; it's more familiar.
What types of employees do you recommend participating in cyberwar game exercises? How do these games benefit them?
War games are for the entire employee population. The type of game will determine how to target it. So as an example, a more traditional war game, what other people would think of as a tabletop exercise, brings together executive committee level, board of director level folks—typically around 20 to 25 people—in a room for a traditional exercise. But then you have what we call our cyber decisions and actions game, which could be anywhere from 10 people to whatever the team's limitation, covering the entire population. It's really important that you're starting not only at the top down but also all the way to the bottom and across the entire population. From our perspective, employees are the first line of defense when it comes to preventing a cyber incident, so we think about their cyber decisions and actions and what type of training is needed. We make a really big effort to ensure that our entire population goes to training and we're prepared.
How often are you running these exercises, and how many employees would participate in a given session?
In the last six months, we've built out a war game team scaled with help from former military and law enforcement facilitators we brought in to help. These methods have been proven out for hundreds of years with military folks. We're on track to cover more than 100 games in 2023 and about 5,000 people across the organization, depending on the type of game—if it's a smaller tabletop exercise, it's anywhere from 20 to 25, and if it's the cyber decisions and actions game, it can be upwards of 900.
How do you measure the effectiveness of these war games? Have you noticed any meaningful changes in the attention given to data security as a result of these games within the organization I'm speaking of?
In Cyber war games, we take the stance: "It's not an if; it's a when." Especially as a globally significant financial institution, we're often a focal point for the attacker community. These exercises in our community have resulted in great feedback and a range of enhancements to our control environment in the cyber security area. One of the things that we have is a well-developed lesson identification process that ensures we're able to close the training loop , incident response enhancements are identified, and response actions are taken in demonstrable ways.
What initial steps could somebody take to initiate a cyber war game program?
Anyone in any company organization can start this with tabletop exercises, being very clear on the objectives you want out of it. Are you going to practice incident response? Do you want to practice a communications plan? Write the scenario based on the objectives. A pitfall for folks doing war games that may be experienced in them is that they focus too much on the scenario itself and lose sight of the training objectives. So, it's really important to start there.