Cyber Incident Exercising: Transform Your Response Strategy To Minimise Cyber Incidents

Jonathan Ellwood, Head of Cyber Incident Exercising and Cyber Incident Response for IASME, delivered a seminar on cyber incident exercising at The Public Sector Cyber Security Conference 2026 this February. Jonathan used his seminar session to highlight the benefits of cyber incident exercising – how it can transform the response strategy and actual implementation of a cyber response plan in organisations both big and small, resulting in a more effective and prepared operation, if an incident occurs.

“Exercising your cyber incident response procedure is as important as practising a fire drill.” – Jonathan Ellwood

IASME is a cyber security certification company that works with a network of over 1000 cyber security experts to help organisations of all sizes improve and demonstrate their cyber security. Jonathan proudly emphasised that diversity and inclusion are central to IASME’s core values. They are dedicated to breaking down barriers to participation, by developing entry-level job schemes that are designed to be fair and accessible to all. With a female CEO, half of IASME’s workforce are women and almost half of them are neurodivergent.

“This is our key to success, to be honest. This diversity of thought that we have is how we are successful in the marketplace.” – Jonathan Ellwood

According to the UK Government’s Cyber Breaches Survey of 2025, only 23% of businesses have a formal incident response plan in place to address cyber incidents. Jonathan was quick to highlight how this is a worryingly low figure, one that leaves the majority of UK businesses more vulnerable to breaches and accidents.

In June 2025 the Government Security Group released a policy which states that leading government departments, their arm’s length bodies and other public organisations must exercise their cyber incident response plans at least once a year. This highlights the impact of incident exercising in equipping organisations to be well prepared and resilient for such incidents and attacks.

Kickstarting a Cyber Incident Response Strategy

Jonathan emphasised the importance of every organisation having a robust cyber incident response plan and exercising that response plan. In his seminar, he directed delegates to the free guidance that the National Cyber Security Centre (NCSC) offers on how to build an incident response team. This team is designed to be the first responders, should the worst happen. Creating a culture where everyone is involved is important. It isn’t just a problem for the IT department, everyone can have a positive impact. Often, this starts from the top and works its way down.

After assembling a cyber response team, the next step is creating a plan. Jonathan acknowledged that the first plan probably won’t be perfect, but every single exercise you perform in anticipation of an incident makes the plan more effective. Once again, Jonathan directs you to the NCSC, who have really good resources to help you think about what those cyber incident response processes should be and how to respond to cyber incidents.


Jonathan on stage during his popular seminar at the Public Sector Cyber Security Conference 2026.

The Different Types of Cyber Incident Exercises

One of these popular resources is called ‘Exercise in a Box’, which is a free resource that helps organisations rehearse their responses to cyber incidents. It is a great place to start, especially for organisations that are just beginning to practice incident response planning. The resource provides exercises, based around the main cyber threats, which your organisation can do in its own time, in a safe environment. It includes everything you need to set up, plan, deliver and identify post-exercise actions.
One of the best ways to identify gaps and hone your response is to run exercises based upon real life scenarios.

“Each one of your organisations is going to be different. You’re all going to have different risk profiles and a different set of crown jewels that is important to you.” – Jonathan Ellwood

But, if you’re coming from having no plan at all, Exercise in a Box is a great place to start, any change is a good change.

Jonathan believes that there is a significant benefit to these exercises being facilitated by external specialists. An external specialist can offer you a fresh set of eyes and provide impartial advice and this will help maximise the benefits from the exercise events. The NCSC has cyber incidents exercising assured service-providers whose rigorous standards for maintaining cyber security will ensure that your plan is streamlined and effective.

These providers will know what threats are current and relevant to your organisation. They’ll give you an evaluation report about how your team performed during the exercise and what actions need to be followed in order to make your company more robust and resilient. Assured Service Providers of Cyber Incident Exercising services have the skills and experience to run table-top and live-play cyber exercises.

“Table-top exercises are where you all conveniently assemble in a boardroom or online and you work through a conversational piece which is facilitated about how you would respond to a cyber attack.” – Jonathan Ellwood

More advanced exercising is done through live-play, where organisations practice responding to a cyber incident as if it is really happening, much like conducting a fire drill. Live Play exercises are more in-depth sessions in which participants execute their roles and responsibilities in response to controlled injects which represent a given cyber incident scenario. Your Assured Service Provider will simulate things like reporters arriving at your office or create pseudo-social media posts from places like the BBC, detailing the cyber attack and the impacts it might bring. This can be really powerful, as it brings home the potential implications and fall-out of a cyber attack. The more real the situation is in practice, the better equipped your organisation will be to deal with an actual cyber incident.

“The most important thing with these exercises is to create a safe place to fail. Creating a culture of no-blame where it’s okay to get it wrong. It’s all right if this doesn’t work, but let’s find out together as a team why this isn’t working now.” – Jonathan Ellwood

The Benefits of Cyber Incident Exercising

Jonathan opened the floor to the seminar delegates, asking them what they think the benefits of exercises can be. Here is a summary of the main topics:

• Exercises help you to discover where your plan breaks up.
• It familiarises staff with the process.
• Repeated exercising embeds the process, creating muscle memory.
• Making the exercises routine enables you to measure success from previous exercises.
• Stops people from panicking in real-world situations, improving incident response.
• Improves coordination between different teams (IT, legal, insurance, comms, public relations, etc.).
• Can help to reduce human error during high pressure situations.

After conducting an incident response exercise, it is important that your organisation records the actions performed by staff. This is crucial as the best thing you can learn from an exercise is where you went wrong. Jonathan stressed this point. It is great to celebrate the successes of your cyber response strategy, but knowing where you can improve is the reason for the test. If your team performs poorly on your first incident response exercise, don’t feel too disheartened, as it is an opportunity to use the test results to understand where you failed and where you can improve.

“Conduct regular exercises, vary the scenarios to test different threats and teams, incorporate feedback from previous exercises. And once you’re doing this, you can start to measure success. You can start to measure time to containment, time to eradication, those kinds of things, building muscle memory.” – Jonathan Ellwood

Teams that have practiced incident response repeatedly can act quickly and instinctively, reducing the time to detect, contain and recover from an incident. Familiarity with the processes and the tools minimises mistakes during high pressure situations. Exercise In A Box is a great place to start, but Jonathan believes that you’ll find true progress through bespoke business cyber-incident exercises.

Jonathan’s expertise and passion for the work he does at IASME was evident throughout his seminar session. He was just one of the many brilliant speakers who joined us at The Public Sector Cyber Security Conference 2026 and we were proud of the meaningful conversations that took place at the London Conference last February. We’d like to thank Jonathan Ellwood for his brilliant keynote and for sharing his insights with us.