The Five W's of Tabletop Exercises

Putting Your Cybersecurity Incident Response Plan through its Paces


In this season of perpetual emergencies, cybersecurity professionals may feel that their time is spent entirely in responding to security situations. When every minute is devoted to managing actual crises, CISOs may wonder what the point is of crisis preparation.

However, as the pandemic stretches out indefinitely, a proactive mindset toward information security is critical to thriving instead of just surviving. After all, many of the issues faced during this time aren’t new. The attacks are intense, but many are just recycled techniques. Budgets are tight, but when has there ever been enough? Finding experienced team members is rough, but with unemployment in other sectors, at least there are willing prospects.

In other words, preparation for cyber incidents should be part of a security program’s continuous lifecycle regardless of the current climate. Tabletop exercises (TTX) are an important mechanism for thinking through emergencies before they happen to ensure efficient and consistent responses.

What Are Tabletop Exercises?

Tabletop exercises are informal training sessions in which a hypothetical situation is introduced, and the team members talk through what the response should be. TTX can help CISOs map out incident response plans, refine existing protocols, and train personnel on their roles and responsibilities if the hypothetical becomes reality.

Although they require forethought and planning, conducting tabletop exercises is a relatively quick and inexpensive way to test security procedures for when a breach does occur. Getting the key people together to discuss best practices for a given scenario and their personal responsibilities in that situation is one of the simplest defense mechanisms you can employ.

Why Should You Conduct Tabletop Exercises?

Like any form of vulnerability testing, tabletop exercises help expose weaknesses in a program. In particular, TTX can reveal problematic or missing steps in the incident response plan, conflicting perspectives of team members, or a lack of understanding of the plan among key constituents. It’s difficult to think clearly and creatively when in crisis mode. TTX are a great way to tap everyone’s best ideas and make sure everyone has clear direction when the pressure is off so that the response is as strong as possible when the pressure is on.

Even the best laid plans can fall apart when actual people actually have to follow them. When the stakes are high, you want to know that the protocols have been vetted and that the people employing them know what they are expected to do. Tabletop exercises ensure that plans can translate to reality when it counts. They give everyone a chance to think specifically about a potential incident occurring in the particular setting of their organization. TTX make the vague and general, concrete and specific—and increase the likelihood of success should the worst occur.

Who Should Be Involved in Tabletop Exercises?

Who to involve in a TTX depends on the structure of a specific organization, but generally they involve two groups: IT team members and cross-organizational personnel. Which group to include depends on the purpose of the exercise. For example, a CISO may use an exercise to prepare the blue team to respond to a specific breach or may use a TTX for purple-team training. Another purpose may be to educate constituents across the organization on the cyber incident response plan and what their roles might be in helping identify an issue or contain the damage.

Any successful incident response requires that everyone involved understands their responsibility. Tabletop exercises are an inexpensive way to train people and test procedures. Whether the goal is to stretch the cybersecurity team to grapple with the threat of the latest bad actor or to emphasize the importance of security protocols for those in other parts of the organization, running scenarios with small groups helps pool collective ideas and gain buy-in. The key is to keep the group small enough that everyone can participate.

When Should You Conduct Tabletop Exercises?

A successful TTX will require a facilitator who has spent some time carefully setting up the hypothetical scenario to test the plan and the people who need to enact it if the scenario comes to fruition. An involved tabletop exercise can take months to prep. Just like large-scale external red team engagements, an involved TTX that is testing a comprehensive incident response plan can be time-consuming.

However, TTX can also be run less formally and more frequently. In fact, a focused tabletop exercise that covers a very specific scenario or a portion of a plan can be very effective. Running TTX on a regular basis can become part of a security program lifecycle ensuring that plans, protocols, and procedures are not just created but practiced and always up to date.

Where Do You Conduct Tabletop Exercises?

Tabletop exercises are conducted around a table, obviously! Yes, little more than a table is necessary to make these trainings successful. That’s the beauty of TTX: They don’t require much. The point of these exercises is to talk, argue, and come to agreement on how best to handle a crisis. Since you don’t need equipment, you can conduct TTX in any conference room that fits your group.

But what if you can’t meet in a room with your colleagues right now? You can also conduct tabletop exercises virtually with meeting software. Like most meetings, virtual isn’t quite the same as sitting in the same room together, but the benefits of conducting TTX regularly, and especially in times of many potential threats, outweigh the downsides of the medium. And you can use the recording feature to easily capture the discussion for documentation purposes.

How Do You Conduct Tabletop Exercises?

Tabletop exercises are an inexpensive and efficient way to practice implementing incident response plans or to hash out a response to the latest technique. Conducting them well isn’t rocket science, but it does require planning and follow up. Keep in mind these steps for hosting effective TTX:

  1. Determine the objectives.
  2. Devise a scenario that can meet those objectives.
  3. Set the scenario in a real-world narrative.
  4. Plan session logistics. (Don’t forget the food!)
  5. Document the outcomes of the session.

The last step is probably the most important. All the talking and strategizing isn’t worth much if the conclusions aren’t recorded and acted upon. Sharing the key outcomes with leadership is also a smart move to keep communication channels oiled. Communication is, after all, the main point of tabletop exercises. This simple tool can ensure all constituents work together and do their individual part to respond to whatever cyber crisis comes.

Practice makes perfect your cyber incident response plans.
