Crisis Simulations: A Top 2025 Concern for CISOs

In 2025, chief information security officers (CISOs) will be directing their attention to becoming more cyber prepared in the event of an attack, by enhancing their crisis simulation capabilities.

That's according to a study conducted by researchers at Hack The Box, which found that out of 200 US- and UK-based CISOs, 74% said they plan to up their crisis simulation budgets this year.

These changes likely stem from rising concerns about the growing number of cyberattacks, the lack of incident-response planning, and inadequate stress-testing of crisis scenarios. Such cyberattacks include incidents affecting organizations like NHS, CrowdStrike, 23andMe, and more, affecting businesses on a global level. CISOs are trying to reassess their organizations' capabilities in order to manage the chaos when it inevitably arises.

A full 77% of those surveyed said they would allocate greater budgets for cyber-crisis simulations if the exercises themselves were more realistic and actionable. 

"Preparedness is the foundation of resilience, and crisis simulations play a crucial role in testing organizations security and workforce performance when it's most critical," said Haris Pylarinos, CEO and founder at Hack The Box, in a statement. "Organizations are right to prioritize crisis simulation, and must ensure that these are implemented in the right way."

Also, 73% of survey respondents reported that crisis simulations and incident-response exercises for both their technical and non-technical teams were their top business priority this year.

Pylarinos highlighted that crisis simulation will continue to evolve, pairing artificial intelligence with expert knowledge in order to provide tailored and realistic scenarios that reflect challenges that security teams and management will face on digital front lines. "It will unite previously disparate business units as one," he said, "and allow real-world performance to be benchmarked in a controlled environment."