Dr. Stefanie Frey is a cybercrime expert who coordinated the Swiss National Cyber Strategy and actively shapes the global cybersecurity agenda. As Managing Director of Deutor Cyber Security Solutions, she collaborates with law enforcement and security agencies, as well as advising companies on IT emergency response and business continuity.
Stefanie is speaking at MSP GLOBAL 2025, so who better to ask what makes a successful cybersecurity strategic simulation exercise—and what role MSPs should play?

Let’s start with the basics… What are strategic simulation exercises?

Strategic simulation exercises are designed to stress test an organization’s decision-making structures and processes in the event of a cyberattack.
Unlike purely operational or technical exercises, they involve both the internal and external environment. In the real world, you will be dealing with external perpetrators and a range of stakeholders, and the exercise should reflect that.

Which sort of organizations should be taking part in these exercises?

Everybody! Everybody’s under attack, from the smallest businesses to multinationals and governments.

Is there a growing need for this sort of preparation?

Absolutely. The world has become so complex. It’s global, it’s digitized, it’s interconnected.
The complexity is so vast that it’s impossible to realize what’s going on out there. Without these exercises, you just never feel it close to you.

There can be a perception that these exercises can be fun. Is that right?

Believe me, it’s not fun at all. They should be designed to show you the real world, which is not fun. In fact, the criminals responsible for cyber and ransomware attacks can be really cruel.

What’s the key to running a successful SSE?

The most important—and most difficult—aspect is that they should reflect real life.
We are cyber crisis managers, so we take real cases and don’t really structure anything beyond taking the real case and throwing it in the room and putting companies in the sort of situation that they would confront in real life.
After an hour, we often get an atmosphere of mutiny because the stress level is so high!

Which roles or departments should be involved in a strategic cyber exercise?

Whoever would be there in the event of a real attack. The CEO is always there, then you need representatives of the whole organization—everybody who can assist the CEO to take the right decisions.
You can break the sessions down into departments, but it’s normally most effective to start by taking the widest perspective. You can then identify the elements that didn’t work well and have more focused follow-up exercises.

Should external stakeholders—like MSPs—be involved?

Yes. It’s really relevant for MSPs to be involved.
The ripple effects of an attack are so vast that even if you explain it, even if you read up on it, you will not comprehend the complexity of connections.
You will only understand it once you’re in it, because you suddenly realize that there are elements in your supply chain that you have never considered.
In exercises, we simulate elements outside of the organization that are imperative to include, such as the police, but you need to get the whole ecosystem in there, otherwise the effect will just remain within the organization—and that in today’s world will not work.

What should the outcomes of these exercises be?

The outcome should be the awareness that this complexity leads to a lot of stress, and that much of your cybersecurity achievements will be quickly outdated.
All your business continuity management (BCM) plans, your crisis management plans, your emergency plans, they all look wonderful today, and tomorrow they are outdated because the perpetrators are constantly evolving, and businesses often aren’t.

That sounds scary!

It is. This is a really important realization, that you can never stop. You have to continually build your system, review your plans and adapt them to the outside world. And that’s why it’s so important to take real-life cases because perpetrator structures and ways of operating have changed so much.
It’s moving so quickly that we need to continuously build resilient structures together in a community.

We’re all about community at MSP GLOBAL—tell us more.

I emphasize the concept of community a lot, because cybersecurity is impossible without it. It’s by working together and sharing experiences and solutions that we will become stronger and more resilient to attacks.

How often should organizations, including MSPs, be running strategic simulation exercises?

Twice a year is a good starting point. You can vary the size of groups involved, but you should frequently stress test particular elements in your organization to see where you could improve.

Are there mistakes you see often?

Everybody thinks they’re invincible. Everybody thinks they can’t be the target. Everybody thinks that the IT structure is so well organized that it cannot happen to them. Experience shows that they are wrong.

What’s your key message to businesses concerned about—or offering support for—cybersecurity?

Strategic simulation exercises are designed to stress test an organization’s decision-making structures and processes in the event of a cyberattack.
Unlike purely operational or technical exercises, they involve both the internal and external environment. In the real world, you will be dealing with external perpetrators and a range of stakeholders, and the exercise should reflect that.

Stefanie will be sharing 15 years of cybersecurity expertise at MSP GLOBAL. In her first session, she’ll use case studies to show how cybercrime is evolving. Discover what it’s like to be attacked by state-sponsored criminals and why Europe may be falling behind other regions.
Her second session will be a hands-on exercise. You’ll be given a real-world scenario and work in groups to find solutions. Expect high stress and plenty of learning.