
When a cyber incident hits, the immediate instinct is to look to the technical teams. Security operations, incident response, and IT infrastructure are the core functions that organisations have invested in, trained for, and tested. Â
But cyber skills development must cover the entire organisation to be effective. What are the risks of leaving non-technical teams out, and how can organisations get them involved? Â
Non-technical teams are often left out of cyber skills development and training. Why is that, and why does it matter?   Â
Most of the time, it’s a framing problem. Cyber incidents are still usually categorised as IT problems, so preparation is built around IT teams. It feels like a logical response, especially with AI-powered attacks accelerating the pace and sophistication of threats, the instinct to double down on technical defences is understandable.  Â
However, when you look at how an attack actually unfolds, you realise this narrow view doesn’t hold up. The moment a breach hits, it stops being a purely technical event almost immediately.  Â
Legal teams are fielding regulatory queries, communications teams are managing internal and external messaging, and HR is dealing with employee concerns and questions about data exposure. Â
These aren’t secondary concerns that can wait for the technical teams to finish, but are running in parallel, often under the same time pressure.   Â
Our research found that this is a widespread issue, with only 41% of non-technical roles – HR, legal, communications, and others – being included in cyber simulations. That means the majority of organisations are responding with a significant part of their crisis team absent.  Â
When the pressure hits, every function has a role to play – and the ones that haven’t rehearsed that role are the ones that create friction when it matters most.   Â
You wouldn’t run a fire drill and leave the floor managers out of it, would you? We need to see the same mindset here. Â
What are the benefits of actively involving non-technical staff in crisis simulations? Â
We find that when non-technical personnel are involved in cyber, it’s often limited to a postmortem discussion following a breach.  Â
These perspectives are valuable, but they tell you what broke after it’s already broken. What they can’t do is build the instincts and familiarity that stop the same things breaking next time.   Â
That’s what crisis simulations are for. The reason non-technical teams need to be actively participating in them is that the decisions they’ll face in a real incident are genuinely complex and time-sensitive. Â
Which employees need to be notified, and when? What can be said publicly while an investigation is still live? What are the regulatory obligations if personal data has been accessed? These aren’t questions you want to figure out on the fly for the first time during a genuine cyber crisis.  Â
There’s also a reputational dimension that often gets underestimated. The technical response to a breach and the communications response run simultaneously.  Â
In the court of public opinion, in any incident, there is a currency of goodwill. Yet organisations will quickly burn through that goodwill if they make poor decisions that don’t put the interests of their customers and other stakeholders first, and fail to communicate effectively and honestly. Many organisations start with a little amount of goodwill, making any missteps even more damaging.Â
If the teams responsible for that haven’t rehearsed it, the incident can feel worse than it is before anyone has a clear picture of what’s happened.   Â
One of the priorities for cyber skills development should be to build a stronger connective tissue between teams so everyone can operate smoothly together.   Â
Basic cyber awareness training is quite common now, and it helps, but it’s too detached from the reality of a live incident. Simulations put non-technical teams inside the uncertainty they’ll actually face – and that’s not something a postmortem can replicate. Â
What should organisations prioritise when running simulations with non-technical teams? Â
One thing that often gets overlooked, which I would like to see prioritised, is the handoffs – the moments where responsibility moves from one team to another.  Â
Think of it like a relay race. The individual legs matter, but races are won and lost at the baton exchange. In a cyber crisis, those exchanges are constant. When the security team discovers a compromised account for example, HR and comms need to get on their task immediately to minimise the damage. Â
Likewise, if legal receives a regulatory query, the security team needs to understand what that means for how they handle evidence. If those transitions haven’t been mapped and rehearsed in advance, that’s where the response starts to unravel.   Â
We found that the average containment time for an incident sits at around 29 hours, and that can be as much about decision-making bottlenecks and unpractised handoffs as it is any technical capability.  Â
The good news is that rehearsing handoffs yields more than just familiarity. You can measure how quickly teams respond, how accurately they interpret each other’s decisions, and how effectively they escalate or de-escalate under pressure. Those metrics feed directly into resilience scores and give organisations a concrete basis for improvement. For the best results, I recommend using scenarios tailored to the specific organisation, as well as varying them each time so it doesn’t become something you do by rote.    Â
How else can organisations build familiarity and confidence for non-technical roles in a crisis? Â
One approach I’d like to see more enterprises try out is role-swap drills, where non-technical teams are asked to step into security roles during a simulation and work through the decisions that technical staff face in a crisis.  Â
It might sound counterintuitive to place untrained laypeople in specialist roles, but the value isn’t in testing their technical knowledge. It’s in what they take back to their own role afterwards. Â Â Â
When an HR professional has spent time managing conflicting alerts, making calls with incomplete information, and feeling the pace at which security decisions have to be made, their working relationship with the security team changes. They stop treating caution or urgency from technical colleagues as obstruction and start understanding it as context.  Â
And it works the other way too. Security teams who’ve watched HR navigate the regulatory and human complexity of a breach come away with a clearer sense of why those teams sometimes need more time or more information before they can act. Â
The biggest payoff is improved cohesion between departments. When each function has a felt understanding of the constraints the other is operating under, you reduce the friction that slows a crisis response down.  Â
In an environment where AI-enabled threats are growing in speed and complexity, that cohesion isn’t a nice-to-have it’s what determines whether an organisation’s response holds together when the pressure is real. Â



