Data in the Crosshairs: What 100 Security Leaders Revealed During a Live Cyber Crisis Simulation

At DataSecAI 2025, Cyera ran Operation Deep Lock — a fully interactive, multi-cloud ransomware crisis simulation designed to pressure-test real-world decision making. One hundred security leaders participated live, voting on each decision-making point in real time.

The result? A rare, candid look at how today’s CISOs and security leaders would react under fire and how additional context might have changed their course of action.

Across seven modules — from initial encryption to ransom negotiations to customer notifications — several powerful trends emerged. Below is a breakdown of the most noteworthy findings.

Security Leaders Agree: Containment Comes First

Across the opening stages of the attack, participants overwhelmingly prioritized decisive, defensive action.

When attackers encrypted critical systems simultaneously, 96% of respondents chose to isolate affected systems and disable cross-account access. Only 3% opted to immediately begin backup restoration. And after the initial event, 89% prioritized maintaining containment, starting the GDPR 72-hour clock, and preserving forensic evidence.

Key Trend: Containment and evidence preservation have become instinctual first-move responses, reflecting maturity in incident-response programs and increased regulatory pressure.

Teams Understand the Importance of Data Context

As part of the experience, additional context from the Cyera Data Security Platform was presented and the opportunity for participants to change their decision based on that information was offered. What we noticed: once Cyera’s platform revealed more data context behind the anomalies, responses shifted dramatically.

For example, when a suspicious outbound spike appeared, 94% chose to suspend outbound access and begin forensics. But once Cyera identified it as routine replication with non-restricted data, 82% correctly reclassified it as a false alarm.

Key Trend: Data visibility prevents unnecessary escalations — a critical lesson as companies drown in noisy alerts.

When Real Exfiltration Hits, Executives Default to Legal & PR Coordination

Once attackers posted evidence of stolen PII on the dark web, the crowd pivoted to coordinated crisis management.

An overwhelming 92% chose to engage legal and PR, initiate crisis communications, and begin forensic scoping. When asked which action carries legally mandated timelines, 53% correctly selected coordinating disclosure with legal and insurance — though 28% also recognized the need for immediate regulatory notifications.

Key Trend: Security leaders understand that public leaks are no longer just technical problems — they are legal, reputational, and regulatory emergencies.

Forgotten Systems = Consistent Blind Spots

Module 4 of the exercise introduced a common real-world scenario: encrypted test and legacy environments.This module highlighted a common pitfall, that "Test" and "Dev" systems often hold real production data copies but lack production security controls.

93% of participants opted to quarantine and capture forensic images. And 82% expanded the incident scope when Cyera revealed the scope of the breach had grown by hundreds of thousands of records due to forgotten systems.

Key Trend: Organizations are far more aware that test and dev environments can contain live sensitive data — but many still struggle to manage it.

Communication Strategy Matters More Than Immediate Answers

When regulators and media began pressing for details, participants showed strong discipline. 86% selected issuing a short holding statement while centralizing communications and keeping facts high-level. Only 4% rushed into sharing detailed exposure numbers.

Key Trend: Most security leaders now favor measured communication over premature transparency — reflecting more mature crisis-communication practices.

Ransom Demand: Split Between “Refuse” and “Delay”

The ransom negotiation module sparked the most divided responses.

• 44% refused to pay outright
  
• 43% delayed the decision while verifying attacker claims
  
• Only 6% opted to pay immediately
  

But once Cyera revealed the attackers did not have the regulated PII they claimed — and that clean backups were available within hours - 91% refused the ransom outright.

Key Trend: Data intelligence dramatically alters ransom decisions — proving that leverage is about data sensitivity, not just data volume.

Precision Customer Notifications Drive Massive Cost Savings

One of the most telling insights appeared later in the simulation. Before knowing which customers were truly affected, 69% selected a generic holding notice to all 1.3M customers in the simulation example. But once Cyera identified that only 24% (312K) had regulated PII, 84% chose to notify only those individuals - cutting projected costs by $17M–$25M.

Key Trend: Precision-based notification is now a must-have — not only for accuracy, but for cost control.‍

The Biggest Takeaways From Operation Deep Lock

Across the entire simulation, several patterns emerged:

1. Data context is everything. Participants repeatedly adjusted their decisions once Cyera revealed the actual sensitivity and scope of affected data.

2. Mature IR teams prioritize containment and compliance. Rapid isolation, evidence preservation, and regulatory alignment dominated early decisions.

3. “Test systems” remain a major source of hidden risk. Hundreds of thousands of regulated IDs were located in forgotten environments.

4. Ransom decisions depend on validated exposure. Once real data sensitivity was known, nearly all leaders rejected ransom payment.

5. Precision reduces cost, panic, and unnecessary disclosure. Accurate data classification saved millions in potential notification costs.

Final Thoughts

Operation Deep Lock provided a rare, honest snapshot of how leaders respond under real-world pressure. The major lesson? Organizations that understand their data — where it lives, how sensitive it is, and who can access it — make dramatically better decisions at every stage of a crisis.

Interested in seeing where your organization sits on the data security management and security practices? Schedule a Data Risk Assessment today and discover opportunities to:

• Strengthen your data security strategy and cybersecurity posture
• Optimize preventive controls and processes
• Proactively discover and resolve security posture gaps

‍