As cyber attacks grow more frequent and sophisticated, companies are under mounting pressure to be cyber resilient. Firms that stumble during a crisis risk not only financial losses but also reputational damage that can take years to repair.
Building resilience, however, goes beyond bolting on technical safeguards. It requires board directors to be able to make high-pressure decisions swiftly, oversee recovery efforts, and manage communications with stakeholders.
To help board leaders prepare, the Singapore Institute of Directors (SID) has partnered with Ensign InfoSecurity to launch cyber crisis simulation workshops.
The complimentary 90-minute sessions immerse participants in breach scenarios to sharpen instincts, test decision-making under pressure, and walk through response and recovery workflows.
Exclusively for SID members, the incident-response experiential training aims to train 1,000 directors by 2028, with 200 expected to complete the course this year. The first three of six sessions for 2025 were held yesterday at Ensign’s office.
Ensign InfoSecurity’s executive vice president of Consulting, Lim Minhan, describes the workshops as “the boardroom’s flight simulator”, preparing leaders before a real attack strikes.
See also: Singapore emerges as hackers’ testbed as AI supercharges threats
“Cybersecurity is no longer just a technical concern and requires a whole-of-organisation response. These workshops give board directors a safe, realistic way to experience the pressure of an actual incident and sharpen their response before a real attack strikes,” he says at an Aug 19 media briefing.
Lim also highlights that the workshops for board leaders are designed to focus on strategy, risk, and governance. This differs from tabletop exercises with management teams that drill into operational and technical details.
The workshops make reference to the incident management portion of SID’s Cyber Resilience Guide for Boards in Singapore. The 10-chapter guide outlines four key tenets and an eight-step process to achieving cyber resilience. It also provides an overview of the regulatory landscape and includes a checklist for board readiness, giving directors a structured framework to anchor their learning and decision-making.
See also: Australia's privacy regulator file proceedings against Optus over cyberattack of 2022
According to SID CEO Terence Quek, the role of the board director is getting more complex and there is no fixed blueprint for cyber resilience because companies vary by size, resources and regulators.
“That’s why we created the guide earlier on — to provide a framework and a starting point for thinking about cyber resilience. This immersive programme with Ensign builds on that, helping directors zoom in on incident response and clarify their role vis-à-vis management, so both can work together as one team,” he says at the same briefing.
He adds that the sessions are not intended to solve every challenge directors face but to spark awareness and peer learning. “Directors are knowledgeable, experienced professionals, but being put in the hot seat and seeing how providers like Ensign help clients tackle real incidents will help them think more clearly.
“The whole point of resilience is to be prepared before something happens. If directors are asking questions for the first time in the middle of a crisis, it’s already too late. The right approach is to have conversations with management early, run tabletop exercises, draw up plans, and rehearse responses in advance. Every company has different strategies, so preparation must be tailored but waiting until an incident occurs is never the answer,” says Quek.
SID is also extending the effort beyond training. Together with Ensign, it will provide its corporate members—including more than 240 listed firms, family businesses, and nonprofits—with complimentary incident response services. The offering includes 24/7 access to certified specialists and rapid deployment of response teams in the event of a breach.
