DeepSec 2025 Talk: Lessons learned from preparedness exercises with 3500 companies – Erlend Andreas Gjære
Preparedness exercises, whether they are traditional tabletop discussions or more interactive gamified experiences, help us become more prepared – and to do this together, with engagement between individuals who need to perform optimally as a group, under pressure. Based on the speaker’s experiences from preparing and facilitating more than one hundred cyber exercises, including both individual companies and events with multiple companies participating together, this talk will illustrate both which risks and vulnerabilities happen to manifest themselves during incidents (and exercises), and how companies and stakeholders with various roles and levels of experience respond to these.
We asked Erlend a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- 5000 companies participated across 85 free cyber preparedness exercise events in the Nordics since last year.
- 48% of participating companies report improvements in their incident response/crisis plans and routines, 6 months after the exercise.
- Companies who participated would not pay any ransom under the exercised circumstances.
- However, in Denmark, many more would try to negotiate with cybercriminals, compared to in Norway.
- The underlying interactive exercise experience was tried out for the very first time outside of a Norwegian audience, at DeepSec 2023.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
With a very active outreach initiative, we have created results through an exercise experience that has engaged many people in our field. But we’ve also seen a significant share of participants without a typical IT/security background who still identify themselves as responsible for preparedness and resilience, including business leaders and executives. Seeing how storytelling can engage really anyone, as long as they can follow and believe in the story, makes the entire experience more memorable – and sparks action to improve their security posture. Even when we’re talking about non-technical business leaders.
Why do you think this is an important topic?
No company is an island, and even the big companies with lots of resources depend on suppliers to be both competitive and secure. Seeing how supply chain vulnerabilities can expose almost anyone, yet how difficult it is to go beyond spreadsheet compliance in terms of managing supply chain risk – we think it is important for more companies to realize the power of storytelling. One of our key messages to companies is to invite their own critical and important suppliers to a supplier-focused exercise with everyone in a room together. So the suppliers understand potential supply implications of a breach, and your expectations.
Is there something you want everybody to know – some good advice for our readers maybe?
One can always get down and dirty with technical details to prove our point in risk and vulnerability management. However, the ability to tell a good story that highlights the “why” in why anyone in business should care – that is a human skill with potential to release more resources for mitigation than any technical report. The good news is that this skill can be taught, so that anyone – even the most technical of us – can really maximize the impact of their professional efforts.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
We’re seeing more and more companies doing preparedness exercises for cybersecurity scenarios, which is positive considering the need to prepare and also regulatory requirements following NIS2. Following the insights from exercising with also non-cyber professional participants, we have however discovered that everyone loves a good story. So, offering exercises with storytelling that sticks, to departments and teams all across the organization, replacing only the asset and processes affected by disruption with something that participants identify with – this is a way of bridging the areas of awareness and preparedness, in cybersecurity.
Erlend Andreas is a co-founder and CEO at Secure Practice, building scalable services for security awareness and preparedness through digital skills. After receiving his MSc degree in Informatics from the Norwegian University of Science and Technology (NTNU), he worked six years as a research scientist, before transitioning to industry work as a consultant and security manager, and then tech-founder since 2017. In 2024, Secure Practice was awarded the European Digital Skills Award for their multi-national effort to increase cyber preparedness among thousands of SMEs, with support from the European Cybersecurity Competence Centre (ECCC).
