You don’t need to be a hacker or coder to train executives on how to handle cybersecurity emergencies. Just ask Allison Ritter. The 26-year-old creative director at IBM’s X-Force Command Center draws on her media and theater training to scare clients into shoring up their practices.
Though cyberattacks are an increasingly common threat for corporations, many businesses still have never faced one — which means they can be caught flat-footed when it’s time to respond. The command center in IBM’s Cambridge office acts like a flight simulator, using a suite of audiovisual prompts and artificial crises to help them practice without breaking anything.
“Many times we find people come in and maybe they’ve never even met the people who are going to deal with a breach,” Ritter says. “My goal is to have you better prepared for when something inevitably could happen.”
Clients game out a scenario in which they’re confronting a data breach that feels very real. Televisions blare reports of the incident even as the team is still grappling to understand what happened. Social media lights up with critical posts. The stock starts to drop.
Ritter dreams up these story lines in a glass-walled office within sight of the command center. Here are some of the things she turns to when she’s looking for inspiration — or ways to ratchet up the tension:
A wooden cipher wheel. Ritter has many high-tech items at her disposal when she creates training experiences. But they don’t always work. Sometimes clients — especially those who aren’t particularly tech savvy — need a more analog way of learning about cybersecurity.
Using objects like this one, which can help decipher a puzzle or crack an encrypted message, helps get participants in a better state of mind for working through a security challenge.
“Maybe they’re very good at puzzles, but they never thought in a million years that security would be an interest for them. This kind of excites them,” Ritter says. “Most of them won’t touch a keyboard.”
A Guy Fawkes mask. If you had to picture a hacker, you might envision a person wearing one of these. Sometimes, when clients in the command center think they have things all figured out, Ritter uses the Fawkes mask to change the game. In recorded videos, Ritter — or another actor claiming to be part of the “Daemon Crew” — introduces new information about the threat, forcing participants to change their response.
Ritter says acting is a big part of building meaningful experiences for people in the command center.
“When you’re up front and you’re talking about something, you sometimes have to get into character,” she says. “If you come in and you’re just reading off something, it doesn’t have the same impact.”
A hard hat. “For my first day of work I came in heels and a hard hat,” Ritter says. “There were no walls, there was not even a screen, and I came from the beginning to set the whole place up.”
Today, the command center is an imposing space. The company even equipped a large truck with similar equipment so clients can do cyber exercises at their own facilities. But when Ritter started, the idea was still taking shape.
She says she had to convince Caleb Barlow, vice president of threat intelligence at IBM Security, that she had the right background for the job. She had come from a marketing role at another tech firm, and IBM was considering her for a similar role.
“Every time I got on a call with him, I said, ‘Well, what about that other job that we spoke about?’ ” Ritter says. “I went through a bunch of different interviews, and I said, that’s the job I really want. The fit was perfect, and it worked out really well.”
A gumball machine. Ritter keeps one on her desk as a reminder of an important memory from the Rochester Institute of Technology, where she went to college.
“When I came to campus, there was this large gumball machine. And I’m a big fan of gumballs — love gum. So I would walk by it every day, and who carries quarters, right?” Ritter says. “One day I was walking through and I said, I’m just going to go over and check it out. I walk over and I look at it and I’m playing with the [lever] and it turns all the way. It was free. Free gumballs!”
The story, for her, is about more than complimentary sweets. She said the experience taught her a lesson that has been important in launching her career: “If you never try something out, how will you ever know anything about it?”
“I’ve done so many things in my life that I never thought I would do,” Ritter adds. “You’ve got to push a little bit to find something. Things might be there, but you’ve got to push.”
There is, however, one caveat about the machine on her desk: “You do need money for this one, which I do have for people.”Andy Rosen can be reached at firstname.lastname@example.org. Follow him on Twitter @andyrosen.