Practise until secure thinking is muscle memory.
The final step is cultural. You don’t want the first time your team responds to an incident to be when the real one hits.
Exercising means tabletop drills, chaos experiments, and attack simulations — so both devs and leaders know what to do when the alarms sound.
- For developers: Run 90-minute tabletop scenarios. Test kill-switches. Simulate malicious package injections. Learn where runbooks break.
- For leaders: Exercises provide confidence. They show that the organisation isn’t just compliant on paper — it can actually respond under pressure.
Pitch point: Exercising builds resilience into people as well as systems. It creates trust with customers, regulators, and investors.