5 Crisis Scenarios Every
CISO Should Run

Ransomware remains the most impactful cyber threat facing organizations. This scenario tests the full spectrum of response: technical containment, executive decision-making on ransom payment, regulatory notification, business continuity during system outages, and public communications.

Scenario Narrative

On a Friday afternoon, the SOC detects anomalous file encryption activity across multiple file servers. Within 30 minutes, ransom notes appear on affected systems. The threat actor claims to have exfiltrated 200GB of data before deploying encryption. Backups for two critical systems are found to be corrupted. The ransom demand is $2M in cryptocurrency with a 72-hour deadline.

Key Injects

Success Metrics

• Time from initial detection to containment decision: target under 30 minutes
• Clear identification of decision authority for ransom payment
• Regulatory notification process initiated within required timeframe
• Business continuity procedures activated for critical processes
• Consistent external communications across all channels

Lessons to Capture

• Are network segmentation controls sufficient to limit lateral movement?
• Does the organization have a pre-established policy on ransom payment?
• Are backup integrity verification procedures running and tested?
• Is legal counsel pre-briefed on cyber extortion response and reporting obligations?
• Do manual fallback procedures exist for critical business processes?

Data breach notification is one of the most legally and operationally complex response activities. This scenario specifically tests the notification workflow mandated by GDPR (Articles 33 and 34), but the principles apply to any privacy regulation: CCPA, PIPEDA, LGPD, or sector-specific rules like HIPAA.

Scenario Narrative

A routine security audit reveals that a web application vulnerability (SQL injection in a legacy customer portal) has been exploited. Log analysis shows unauthorized access to a database containing 150,000 customer records including names, email addresses, phone numbers, and hashed passwords. The vulnerability has been present for approximately 6 weeks. The attacker's IP traces to a known bulletproof hosting provider.

Key Injects

Success Metrics

• Accurate identification of applicable notification requirements per jurisdiction
• Regulatory notification initiated within 72 hours (GDPR) or applicable deadline
• Forensic evidence preserved without disrupting the investigation
• Clear, empathetic customer notification drafted and approved through legal review
• Coordinated response across legal, PR, customer support, and security

Lessons to Capture

• Does the organization maintain an up-to-date data inventory showing what personal data is stored where?
• Are notification templates pre-drafted for the most likely breach types?
• Is outside counsel pre-engaged for cross-jurisdictional breach response?
• Does the customer support team have a breach-specific script and FAQ?
• Is there a process for determining whether law enforcement notification is required or advisable?

Supply chain attacks have become a top-tier threat, as demonstrated by incidents like SolarWinds, Kaseya, and the 3CX compromise. This scenario tests your organization's ability to respond when a trusted vendor or software component is compromised, and you must determine your exposure while managing the uncertainty.

Scenario Narrative

A critical SaaS vendor used for identity and access management (IAM) issues an emergency advisory: their build pipeline was compromised, and a malicious update was pushed to customers over the past 10 days. The advisory is vague on technical details. Your organization deployed the affected update 8 days ago. The vendor cannot yet confirm what data may have been accessed through their platform.

Key Injects

Success Metrics

• Speed of blast radius assessment -- can the team determine affected systems within 2 hours?
• Documented vendor communication timeline and escalation process
• Threat hunting initiated with available IOCs within 4 hours
• Business continuity plan activated for vendor-dependent services
• Board-level communication providing clear risk assessment without overpromising certainty

Lessons to Capture

• Is there a current, maintained inventory of critical vendor dependencies?
• Do vendor contracts include breach notification SLAs and cooperation clauses?
• Can the organization operate without the affected vendor for 48-72 hours?
• Are there alternative vendors pre-qualified for critical services?
• Does the SBOM (Software Bill of Materials) practice identify third-party components in production systems?

Insider threats are uniquely challenging because they involve people the organization trusts, using legitimate access. This scenario tests the intersection of security, HR, legal, and management -- a coordination challenge that purely technical exercises miss entirely.

Scenario Narrative

A DLP (Data Loss Prevention) alert fires: a senior engineer in the R&D department has uploaded 3GB of proprietary source code and product roadmap documents to a personal cloud storage account over the past two weeks. HR confirms the engineer recently gave notice and is leaving for a competitor. The engineer's manager was unaware of the data transfers.

Key Injects

Success Metrics

• DLP alert triaged and investigated within 4 hours
• HR-Security-Legal coordination initiated with clear roles and responsibilities
• Access restricted without creating legal liability for wrongful termination
• Evidence preserved in a forensically sound manner for potential litigation
• Post-incident access review completed for all departing employees in the last 12 months

Lessons to Capture

• Is DLP configured to alert on bulk transfers to personal storage and email?
• Does the offboarding process include a security review triggered by resignation notification?
• Are non-compete and IP assignment clauses in employment contracts enforceable?
• Does the organization have an insider threat program with defined escalation paths?
• Are USB and removable media policies enforced technically, not just by policy?

Cloud infrastructure failures test operational resilience in ways that security-focused exercises often overlook. This scenario exercises the intersection of cloud operations, business continuity, vendor management, and crisis communications when the technology you depend on simply stops working.

Scenario Narrative

Your primary cloud provider experiences a major regional outage affecting compute, storage, and managed database services. The outage begins at 9:00 AM on a business day. The provider's status page acknowledges "degraded performance" but provides no ETA for resolution. Your customer-facing applications, internal tools, and CI/CD pipeline all run in the affected region. Multi-region failover was designed but never tested under real conditions.

Key Injects

Success Metrics

• Impact assessment completed within 30 minutes of initial outage
• Customer communication issued within 1 hour with honest status and expected next update time
• Failover decision made with documented risk analysis (not by default)
• Data integrity validation plan ready before services are restored
• Post-incident architecture recommendations with cost estimates

Lessons to Capture

• Has the disaster recovery plan been tested with a real failover, not just a documentation review?
• Are RTOs and RPOs defined for each critical service and validated against actual recovery capabilities?
• Does the organization have a status page or communication channel for customer-facing incidents?
• Are there documented runbooks for cloud provider outage scenarios?
• Is there a clear decision framework for when to trigger failover vs. wait for provider recovery?