
Building comfort in chaos: Preparing leaders to perform during a cyber crisis


Published by Alex Heidenreich, Executive Director Cyber Capability, Education and Training (CCET) on 5 June 2025

As a commander in the Australian Special Air Service Regiment (SAS), my role was to solve complex adversarial problems. In that role I learnt the following guiding principles:

Those observations remain as relevant in my cyber security work today as they were in the kinetic (physical) domain. Importantly, they point to what sits at the heart of executive and board cyber exercises: resilient leadership under duress.

Building this leadership capacity doesn’t replace the need for cyber security incident response plans (CSIRPs) or crisis communication plans – it activates them.

An executive cyber security exercise is a scenario-based experience that brings together key stakeholders to walk through their roles during a fictional, but plausible, incident. Plausible in this context means proportionate and aligned with a real-life cyber incident; it is these scenarios that deliver the most value when exercised. The exercise is a facilitated discussion, not a technical test, designed to surface assumptions, clarify responsibilities, and strengthen an organisation’s ability to respond in real time.

Cyber exercises help to build the ability to work with incomplete information and the agility needed to navigate uncertainty. They help leaders to make decisions with speed, confidence and accuracy.

Having delivered over 100 cyber crisis exercises for boards and executives, across critical infrastructure, ASX-listed companies, government, emergency services, not-for-profits, universities, iconic brands and small businesses, I’ve seen how resilient leadership can be built. My key lessons learned are:


A fit-for-purpose exercise methodology matters

Exercises at different organisational levels have distinct objectives and achieving them requires fundamentally different methodologies.

Executive-level exercises aim to build decision-making agility, comfort with ambiguity, and inform whole-of-business response and coordination planning. By contrast, operational or technical exercises are designed to enforce discipline with a focus on playbooks, timelines, and technology, where agility is limited by necessity.


Teaching how to think is more effective than what to think

Exercises need to teach participants how to think when navigating a major cyber incident. This helps to build capacity to act decisively in ambiguous or rapidly changing conditions.

Under pressure, people tend to rely on experience and intuition. In unfamiliar crises, experience may not help, and intuition may be biased or inaccurate. That’s where a formal decision-making methodology becomes essential, helping executives and directors to make sound decisions in unfamiliar scenarios as they fulfil their roles and duties.


Curiosity trumps fear

Adversarial problems, like cyber crises, are often contests of will, where morale and the will to win matter most. Exercises that end in failure, while completely possible, erode confidence and undermine that will to act.

Curiosity, by contrast, is a powerful survival instinct that fuels learning, engagement, and readiness. The best exercises challenge and inspire, building both capability and courage.


Deliberate progression builds capability

A crawl, walk, run approach to exercising, where participants are first led, then supported, then observed, helps to build the capacity to make calm, confident, and clear decisions in a crisis.


Human dynamics matter

Humans are thinking and feeling beings, whose behaviour shifts depending on who is in the room, the nature of the problem, their level of comfort, the resources available, and the surrounding organisational culture.

Executive teams and boards are designed to operate differently, and they do. Leadership styles, power dynamics, culture and internal tensions all shape how an exercise should be designed and delivered.

Exercise design can be optimised to promote positive human dynamics for greater learning and teamwork, and to minimise dynamics that may lead to relationship fracturing, fear or failure.


Cyber incidents present a unique challenge, one which is adversarial, contested, dynamic and ambiguous, and they are often unfamiliar to senior leaders. However, executives and directors are already seasoned problem solvers; they just need to understand the distinct characteristics of the problem at hand. A well-designed cyber exercise is a powerful way to build that understanding through facilitated experience.

With limited time and competing demands, every moment of executive engagement must count. An effectively run exercise offers a rare and valuable opportunity to shape leadership under pressure, build decision-making confidence, and embed cyber resilience at the top.
