Can Simulations Build Cyber-Resilience in Florida?

In an era where a single digital breach can paralyze state infrastructure, the traditional checklist approach to cybersecurity is no longer sufficient. Matilda Bailey, a networking specialist with a deep focus on next-gen solutions and the evolving landscape of cellular and wireless technologies, explores how the public sector is pivoting toward a “live-fire” mentality. This transition involves moving away from static compliance models toward dynamic, simulated environments that test the mettle of both technical teams and executive leadership under realistic pressure.

The following discussion explores the strategic shift toward cyber-resilience, highlighting the necessity of moving beyond basic sandboxed environments to sophisticated cyber ranges. It covers the critical “buy versus build” decision-making process, the importance of vendor flexibility in replicating emerging threats like Volt Typhoon, and the upcoming integration of cyber-physical simulations to protect critical infrastructure.

Pilots spend hundreds of hours in flight simulators to prepare for emergencies; how does a cyber range replicate that high-stakes environment for a security team?

The comparison to aviation is perfect because it highlights that experience is truly the best teacher, though in our field, that experience usually comes with a devastating price tag. A cyber range acts as a high-fidelity simulator that mirrors an organization’s actual IT environment, delivering dynamic threat simulations that replicate the chaos and variability of a real-life breach. When practitioners are dropped into these scenarios, they aren’t just clicking buttons; they are thrown into a situation where they must find the needle in a haystack under immense pressure. They have to detect the problem, work to eradicate it, and even conduct external coordination like calling the FBI, all within a safe, controlled setting. This hands-on incident response training, which Florida now offers for free to thousands of public-sector employees, ensures that when the “plane” is actually in the air and something goes wrong, the team doesn’t freeze.

Why is a traditional sandboxed environment no longer enough for organizations looking to move from basic compliance to true cyber-resilience?

A sandboxed environment is often too confined and simple, acting as a basic training ground that doesn’t capture the complexity of a modern network. Resilience is about more than just checking a box; it means being able to perform critical functions even when your environment is degraded or disrupted by an attacker. When the state of Florida began its journey in 2021, the goal was to nudge organizations away from a mindset of mere compliance and toward a state of proactive readiness. By using a full-scale cyber range, which was once the exclusive purview of national defense agencies, teams can simulate complex, real-world conditions that a simple sandbox just cannot replicate. This shift allows for a much more sophisticated level of modeling and simulation that prepares state, county, and municipal workers for the messy reality of a persistent threat.

When building a state-wide defense infrastructure, what are the primary factors that lead an organization to choose a third-party cloud provider over building an on-premises solution?

The decision often comes down to a “buy versus build” analysis where you have to be honest about your own core competencies. In the case of Florida’s initiative, a feasibility study ruled out DIY and on-premises options because the upfront hardware and software costs were simply too high, not to mention the massive ongoing operational and maintenance burdens. The leadership team, including experts like Ernie Ferraresso, realized they were excellent at identifying which organizations needed training and what specific scenarios would challenge them, but they didn’t want to be in the business of running data centers. By vetting around a dozen vendors and ultimately partnering with SimSpace, they gained a platform that offered responsiveness and flexibility. This allowed them to play to their strengths while letting a specialized partner handle the heavy lifting of the infrastructure, ensuring the range could go live quickly in early 2023.

How does integrating technical teams and executive managers into the same exercise change the way an organization responds to a crisis?

One of the most dangerous gaps in cybersecurity is the communication breakdown between the “hands-on-keyboard” practitioners and the leadership in the C-suite. Advanced exercises on the range now involve engaging both groups in tandem to stress-test their communication strategies during a simulated crisis. While the technical folks are working in the SimSpace environment to stop the attack, the managers participate in a parallel tabletop exercise to see how the technical reality dictates their business decisions. It’s an eye-opening experience because it shows the managers exactly what their tech folks are up against, and it teaches the practitioners how to better communicate technical hurdles to leadership. This dual-track approach ensures that when a real emergency hits, the entire chain of command knows how to talk to each other and what to expect from every level of the organization.

With the threat landscape shifting so rapidly, how can a simulated environment stay relevant against novel attacks like those from Volt Typhoon?

The ability to adapt quickly is perhaps the most critical feature of a modern cyber range, as a static simulation becomes obsolete almost immediately. In one instance, a federal partner asked if the range could replicate a Volt Typhoon-type incident against critical infrastructure—a scenario that hadn’t been widely modeled before. Because of the close partnership with the vendor, a simple text to the CTO resulted in an immediate “yes,” allowing the team to quickly change the rules and the landscape of the simulation. The platform can also be tweaked to feature the specific tools an individual team uses daily, such as CrowdStrike or ReliaQuest, making the training feel incredibly personalized. This agility ensures that practitioners aren’t just fighting yesterday’s wars, but are prepared for the specific, emerging threats that are currently targeting critical entities.

What is your forecast for the evolution of these training platforms over the next few years?

We are moving toward a future where the line between digital and physical security completely disappears, particularly regarding our critical infrastructure. I expect to see a massive expansion in cyber-physical attack simulations, where we aren’t just protecting data, but also the control-loop systems that manage utilities like water and power. Currently, these ranges are primarily used by state and local government agencies, but the next step is to integrate public-private interests to ensure our essential services are resilient. We have to treat these simulations as an operational necessity rather than a luxury, moving toward a model where every utility provider and municipal body is regularly stress-testing their systems against the most sophisticated disruptions imaginable. If we don’t master the cyber-physical control loops now, we leave the door open for attacks that have consequences far beyond the digital screen.
