Are organisations overlooking non-technical teams in a cyber crisis?

Cyber crises demand more than technical teams and technical fixes. Dan Potter of Immersive argues HR, legal, and communications must be drilled alongside security staff, with rehearsed handoffs and role-swap exercises helping organisations respond faster, and with greater cohesion, when incidents hit.


When cyber incidents hit, the spotlight almost always shines on IT and security teams. However, Immersive’s latest research reveals a major blind spot regarding the role of non-technical teams such as HR and legal in a cyber crisis. 

We speak with Dan about why representatives from business operations and non-technical departments like HR, legal, and communications need a seat at the table during cyber simulations. He explains how mapping and practising decision handoffs can improve resilience, and why role-swap drills can build empathy and improve cross-functional coordination under pressure.


Why is the exclusion of non-technical teams from cyber crisis training such a significant security oversight? 

When it comes to conversations about cyber readiness, the primary focus is often technology – firewalls, detection tools, AI-driven threat analysis, and so on. That is all important, but it represents just part of the bigger picture. 

The reality is that today, 68% of breaches involve human error. Attackers go after people, because it is people that are often the Achilles heel. With that in mind, the teams themselves should be front and centre of every organisation’s security preparation. 

That includes departments like HR. Not only will these employees be at risk of human error, but this is also a department that sits at the heart of how a business communicates, supports employees, and manages internal processes during crises. If they’re not up to speed on the pressures that cyber incidents bring, and their role in helping to manage them, then that will lead to fault lines in an organisation’s response.

Think about it: if those teams responsible for handling the human side of an incident haven’t rehearsed, that disconnect will quickly become visible when pressure hits.


Should non-technical teams be involved in simulations, rather than just sitting in on post-mortem reviews? 

They should, for good reason. Non-technical teams are in charge of some of the most sensitive and urgent decisions during a breach. Consider employees’ concerns during a data breach – what data was accessed? Was any personally identifiable information or financial data stolen? HR can be required to support individuals that have been directly impacted, as well as managing insider threat concerns.

It’s also valuable to look at a technical breach with a non-technical eye to give the impact of an incident full business context. This includes external factors too – an organisation might handle a cyber crisis well from a technical perspective, but if it fails to manage the ‘court of public opinion,’ the impact can be just as damaging as a technical failure.  

In the heat of the moment, unverified data, rumours, or misinformation can spread quickly, both internally and externally. This can make an incident seem worse than it is, sparking panic among stakeholders and causing unnecessary reputational damage.   

Involving non-technical teams in simulations will ensure that they are fully clear on their responsibilities in a crisis and how to deal with it. Basic cyber training is helpful, but it can be too detached from the chaos of a real incident. Cyber drills, by contrast, immerse non-technical employees, helping them to build the confidence to act swiftly and decisively should an attack hit. 

Having teams like legal and HR get a flavour of that uncertainty can pay dividends in ensuring an effective cyber response across all departments. Equally, that is something that a post-incident review or basic cyber training alone cannot recreate.


Why is mapping and rehearsing decision handoffs during drills important? 

Much like a relay baton, decision handoffs can make or break a cyber response. They define exactly when and how information and responsibilities move from one team to another, ensuring that the right protocols are followed and the right actions taken by the right people. You’re ultimately trying to build muscle memory. 

This is not the sole responsibility of IT departments, or cyber or business continuity teams. Cyber crises are business crises that need to be managed through coordinated response across departments from legal to communications to executive leadership. The actions of these teams are just as crucial as those of your technical responders, and factoring this in is how you build the resilience that your organisation needs.

Consider HR. When technical teams isolate a compromised account, HR teams may need to follow up with the affected employee, handling the internal communications and advising on policy implications. If these responsibilities aren’t clearly understood ahead of time, then it can create confusion and add fuel to the flames. 

Including non-technical teams in simulations can ensure these handoffs are rehearsed. Not only that, but measuring the speed at which teams respond, how accurately they interpret each other’s decisions and how effectively they escalate (or de-escalate) issues can feed directly into an organisation’s resilience score.

Those metrics can provide the basis for informed improvements, something that few organisations are able to action currently. Indeed, while 90% of organisations feel their cross-functional communication between technical and non-technical teams is effective, only 41% of organisations include non-technical roles in their cyber simulations. 

A 29-hour average containment time is not just a technical failure. It is a symptom of decision-making bottlenecks, unpractised handoffs, and siloed teams that must be addressed with responsibility mapping and handoff rehearsal.


What are role-swap drills, and how can they help build cross-functional empathy to support cyber response strategies? 

Role-swap drills involve non-technical teams taking on security roles in a simulation to see how complex and time-sensitive their roles can be. This context switch gives other departments first-hand insight into the pressures facing frontline security staff, outlining how they need to manage conflicting security alerts, or act without a perfect picture of potential threats. 

Many family-owned companies adopt policies in which new family entrants are asked to work their way up through the company. Firsthand insight can ensure future executives have a clear understanding and appreciation of the challenges and efforts of each department.

The same logic applies in role-swap drills. They’re designed to build cross-functional empathy and reduce friction during a crisis. HR teams will better understand why security teams sometimes seem abrupt or cautious. Meanwhile, security teams will see just how much legal, regulatory and emotional pressure there is on HR teams.  

The biggest difference is cohesion. When each team appreciates the constraints that the other is operating under, it makes for a stronger overall organisation in crisis moments.  

Those companies that can establish that mindset, ensuring non-technical employees are adequately trained as planned participants in cyber responses through simulations and role-swap drills, will be better placed to respond more quickly and effectively in the face of threats. 


