Most CISOs run cyber drills to satisfy SEBI ID.5. The best CISOs run drills to find out where their command structure actually breaks. The difference between these two approaches shows up during a real incident at 2 AM.
Every CISO has an incident response plan. Fewer have actually tested whether it works under pressure with incomplete information and a board member on the phone. The gap between the plan on paper and the command chain in practice is almost always larger than CISOs expect — and cyber drills are the only reliable way to measure it.
The problem is that most drills are designed to confirm the plan works, not to find out where it breaks. The scenario is familiar, the participants are the security team, the outcome is predetermined ("we handled it well"), and the report is written to satisfy SEBI's ID.5 checkbox. Nobody learns anything. The command gap remains unmeasured — until a real incident exposes it.
From analysis of drill reports across regulated BFSI entities, the most common command gaps exposed in well-designed drills are: CERT-In portal submission ownership (nobody knows whose credentials are used or who has the authority to submit), parallel regulator notification (CERT-In filed, RBI/IRDAI forgotten), the MD/CEO escalation trigger (too late, too early, or unclear), and evidence preservation failure (systems isolated before forensic capture).
The CISO's role in drill design is to resist the temptation to make it easy. A drill that confirms your IR plan works is worthless. A drill that surfaces three specific, fixable gaps is worth more than any gap assessment a consultant can deliver.
The first principle is ambiguity by design. Real incidents don't arrive clearly labelled. In the first 30 minutes of a real ransomware attack, it will look like a storage issue, then a network problem, then something more serious. Your drill scenario must force this same progressive revelation — do not hand participants a scenario that says "a ransomware attack has occurred." Give them an alert, a symptom, and incomplete data.
The second principle is clock pressure that is real. If the CERT-In 6-hour clock doesn't feel real in the drill, it won't be respected in an actual incident. The facilitator must explicitly call out the clock: "T+2 hours. You have 4 hours remaining on the CERT-In deadline. Have you identified the reporting owner? Do you have portal access?" These moments are where the gaps surface.
The third principle is forcing decisions without the IRP to hand. Participants should not have the incident response plan in front of them. The point of the drill is to test whether the plan is internalised, not whether they can read it under pressure.
The drill told me what three years of assessments couldn't: nobody on my team had actually submitted a CERT-In report. They'd read the process document. They'd attended the training. But when the inject said 'file the CERT-In report now' — nobody moved. That silence was the most valuable finding I've had in a decade.
— CISO, Large Private Sector Bank, Mumbai
SEBI CSCRF ID.5 requires cyber drill evidence — but the quality of evidence is what distinguishes a mature entity from a compliant one. SEBI inspectors are looking for three things that most drill reports fail to provide:
The most common assumption CISOs carry into their first structured drill is that CERT-In reporting will work because there is a process document. The drill almost universally proves this wrong.
The failure points are consistent: the portal credentials belong to someone who left 6 months ago; the 9-field prescribed format has never been practiced; nobody has tested partial report submission (filing when scope is unknown, then updating); and the parallel RBI/IRDAI/SEBI notifications are not mapped to anyone's responsibility.
The CISO's job is to design the inject that breaks this assumption — and then to fix the gaps the inject exposes. A drill inject at T+3 hours that says "file the CERT-In report right now — who submits, with what credentials, and what are the 9 fields?" will surface every one of these gaps in 10 minutes.
SEBI ID.5 requires a drill program, not a single exercise. The distinction matters: a program has a multi-year improvement arc, varying scenario complexity, expanding participant scope, and measurable maturity progression. A single exercise is a compliance event.
The drill report is not the outcome — it is the input. The CISO's job after the drill is to convert every finding into a dated, owned remediation action and track it to closure before the next drill. This is what SEBI inspectors mean by "demonstrating improvement over successive drill cycles."
Practical mechanics: within 48 hours of the drill, hold a findings review with all participants. Categorise each finding as P1 (fix before next incident), P2 (fix before next drill), or P3 (systematic improvement). Assign each finding to a named individual — not a team. Verify closure, not just "action taken." The next drill's inject sequence should specifically probe the P1 findings to confirm they are resolved.