Interview: “It’s not about right or wrong, it’s about the learning process.”

Nemanja Mitic is Head of Cyber Governance at UBS and has been helping to improve the financial sector’s cyber resilience since 2022. In this interview, in his role as lead of the Swiss FS-CSC’s Exercises & Training chapter he talks about why realistic cyber exercises are more than just dry runs, why managers play a key role, and the benefits of a sector-wide perspective.

Nemanja Mitic, what are the most important success factors when preparing a cyber exercise?

For me, one of the key success factors is the make-up of the team doing the preparations. All the main stakeholders are involved, with representatives from banks, insurers, financial service providers and the authorities. That way, we can ensure that the cyber exercises are a valuable experience for all members. It’s also important to have a clear goal in mind: to identify what we want to practise and what decisions the participants will have to take. Another point that’s often underestimated is good, structured management of the discussion, anticipating questions, formulating answers and keeping time. That way, the discussions in the different groups remain comparable and the exercise as a whole consistently achieves its goal, delivering a learning effect for the participants.

Why are scenario-based exercises a key tool for boosting cyber resilience?

Cyber resilience isn’t simply a matter of writing useful documents and checklists. Scenario-based cyber exercises test this theory under realistic conditions in practice. That’s why they’re not just useful but also absolutely essential.

What are the biggest challenges when planning and carrying out cyber exercises?

At the Swiss FS-CSC, the diverse nature of the target group is a challenge. The participants vary widely in their backgrounds: depending on the size of the institution and their role within it, there can be big differences in the depth of their specialist knowledge. They also approach the exercise with different expectations that we have to respond to. Some want clear answers or solutions, while others are looking for an open discussion. But it’s not about right or wrong solutions, it’s about the learning process.

A strategic cyber exercise was held in March 2026. How does it differ from the operational cyber exercises?

The difference is in the kind of decisions the participants have to make. Operational exercises aim to solve technical problems, whereas strategic exercises force managers to deal with conflicting objectives in a state of uncertainty and under time pressure – to set priorities and take strategic decisions. The two formats are essential complements to each other. True cyber resilience only comes about through the interplay of both levels.

Why should top management be actively involved in cyber exercises?

In an escalating cyber incident, you very soon face questions about prioritising critical services, activating business continuity management and communicating with customers and the public. Those are things that can’t be delegated. Above all, cyber resilience is a strategic issue.

How do participants benefit from the Swiss FS-CSC cyber exercises?

The greatest value added comes from the sector-wide perspective. These days, major cyber attacks are rarely merely confined to a single institution. Dependencies on third parties, market infrastructures, service providers or other financial institutions play a central role. The Swiss FS-CSC cyber exercises make that interplay especially clear. I also think the change of perspective is particularly valuable. Participants don’t just experience their own situation: they see how other institutions tackle similar challenges. That creates understanding and enhances the quality of the discussion, without the pressure that comes from being graded.

What motivates you about this job? How does this add value to your work at UBS?

I’m motivated by the good working relationship with colleagues from other institutions, and the idea that what we do empowers management teams to take the right action at the crucial moment. The added value for my work at UBS lies, I think, in the sector-wide perspective which enables me to identify patterns, dependencies and decision-making dynamics beyond individual organisations. That knowledge flows directly into my day-to-day work.