Post-incident recovery

You took the job because the previous CISO was fired after a breach.

What is the Post-incident recovery scenario?

A 500-employee SaaS firm three months after a public S3 leak. Board confidence is low, the team is exhausted, and Y1 budget is half-spent on remediation. Stabilize first; rebuild trust quarter by quarter. Incoming CISOs after a public breach typically have 90 days to demonstrate control to a skeptical board. The first-quarter priority is detection visibility and stakeholder communication, not new product purchases — boards want to see the existing environment understood before additional spend is approved.

How does the Post-incident recovery scenario start?

How do you win the Post-incident recovery scenario?

Inherited team, depleted budget, suspicious board. Board ≥ 50 by Q4 or you don't reach Y2.

Which risks matter most in Post-incident recovery?

Which investments are recommended for Post-incident recovery?

Strong starting purchases for this scenario, ordered by relevance:

How do you start playing the Post-incident recovery scenario?

Click Play CISO Game free to start a no-signup demo run. On the Setup screen, pick the Post-incident recovery tile and the difficulty, budget, and team will pre-fill. Hit Start Game and you're in.
