What Makes a Tabletop Exercise Successful?

What Makes a Tabletop Exercise Successful?



We all remember fire drills from our school days. In addition to being a welcome break from the monotony of math, fire drills serve an extremely important safety purpose. It prepares the administrators, teachers, and students for what to do in the event of a real life-threatening emergency.

A data breach, while not life-threatening, is business-threatening, and deserves its own preparation. In Incident Response Planning, these fire drills are called “Tabletop Exercises.”
The goal of the Tabletop Exercise to simulate an emergency scenario. This preparation beforehand gives several benefits: first, it allows the involved participants to practice working together as a cross-functional team; second, it gives the ability to practice various scenarios in a lower stress environment, and; third, it allows gaps in an incident response plan to be found out ahead of time, allowing revision and improvement.

It is important to involve the right people in a Tabletop Exercise. In order to properly prepare, all individuals who would be called upon in a particular scenario should be involved in the practice scenario. In many organizations, this would include Information Technology, Security, Executives, Legal, HR, and Public Relations.

There are an enormous variety of scenarios that can be involved in a Tabletop Exercise. Some are geared towards the technical staff while others are geared toward legal and management. Among some of the more common scenarios are: 1) someone losing a device (such as a laptop or mobile phone) that contains sensitive data, 2) ransomware has been found on the network and documents in the network share are inaccessible, 3) a state-sponsored entity has obtained unauthorized access to your network and has access to your trade secrets, 4) someone in HR fell prey to a spear phishing attack and unknowingly sent all employee W2’s out into the black market, and 5) a prolonged outage has occurred with a cloud services provider who hosts a critical business application.

The details of the scenario and the goals of the exercise should be clearly defined. Of course, goals can include determining the details. For example, a scenario could involve an executive leaving her laptop in the back of a taxi. At the onset, the details of what data was present on the laptop may be unknown. Therefore, determining the details of what was on the laptop is a critical early goal of the exercise. In other words, some details must be “discovered” rather than simply “defined”.

Execution of the Tabletop Exercise needs to have ground rules. The individuals participating in the exercise should refrain from getting into the “blame game” or engaging in finger pointing. In a real emergency, teamwork is going to be a valuable asset. Establishing and enforcing these ground rules in the course of the Tabletop Exercise increases the chances that fluid teamwork will dominate when the real crisis occurs.

Every Tabletop Exercise should include thorough follow-up. It is important to review the exercise after it is complete. Evaluate what went well and where there were problems. Problems could include gaps in leadership, gaps in information, gaps in planning, or gaps in communication. Any gaps found should result in steps to remediate the problem. The gap, the analysis, and the solution should be documented. The formal Incidence Response Plan should be updated appropriately to reflect the solution.

Seek feedback from all participants. Every person involved in a Tabletop Exercise has valuable feedback on what worked well, what didn’t, and what should be done differently during the next exercise. Consider sending surveys out to participants and engaging in follow-up discussions where warranted.

Any organization serious about being properly prepared for a cybersecurity incident must make Tabletop Exercises a regular part of their preparation. Consistently engaging in these high-tech fire drills will help your team be as ready as possible when a real crisis occurs.