Cybersecurity Tabletop Exercises: Why Invest in a Workshop
Having an incident response plan (IRP) for different scenarios is essential, and most companies realize as much.
But simply creating a plan isn’t where the task ends:
- How do you know your incident response plan is fit for purpose?
- And how do you stop it from feeling like something that’s entirely hypothetical, leaving it ultimately gathering dust in a corner of your company intranet?
The answer may lie in regular and effective tabletop exercises (TTX). When was the last time your team did one?
What is a tabletop exercise in cybersecurity?
Tabletop exercises test how well your employees understand your incident response plan for different scenarios, and how they’d react as the situation changes.
So let’s say we’re testing what to do in the event of a ransomware attack.
The incident response plan says the CIO should be contacted and brought into the building immediately.
But who is meant to contact them?
And what if the company’s communication channels have been compromised?
Or what if the CIO is looking after their children, and can’t come into the building?
What if they just aren’t picking up the phone?
Through tabletop exercises, teams take a rough ‘plan A’ and work it through point by point, identifying gaps and running through alternative scenarios until they have a plan B, a plan C, and so on.
What does a tabletop exercise actually look like?
So let’s be clear; tabletop exercises can technically take any form you want.
They could be as simple as starting a team call with a quickfire IRP icebreaker, or setting your team up for half an hour of gaming on Backdoors & Breaches.
In fact, we’d recommended running multiple informal tabletop exercises a year.
But at least once a year, most companies should bring in an expert to facilitate a properly structured tabletop exercise workshop.
The facilitator will have their own approach and suggestions for how this will run, but they’ll typically use one or a combination of the following kinds of tabletop exercises:
- Decision-based
- Scenario-based
- Game-based
- And roleplay
They’ll test incident response plans tailored to specific circumstances, such as ransomware tabletop exercises, data breaches (leaks), phishing attacks, and even physical security breaches.
These workshops typically take half a day and tend to work best in person, but it’s also possible to hold them virtually.
After the workshop, the facilitator will write up a report of their findings and suggestions.
Why bring in an external facilitator?
In theory, you don’t actually need an external facilitator to run these workshops – but it definitely makes for a better outcome.
You can liken it to a couple attending marriage counseling sessions; when it comes down to it, the therapist is just facilitating a conversation.
But would the couple reach the same breakthroughs without them? Probably not – partly because they’re not asking the right questions, and partly because an impartial third party helps keep things moving in the right direction.
And of course, the facilitator is a cybersecurity expert, so they can use their own experience to help plug gaps in your plan, and promote best practices.
There can be more ‘official’ reasons to bring in an external facilitator, too.
Some security frameworks – including SOC 2 – stipulate how often you should be testing your incident response plan, and frameworks may also include guidance on how this ‘testing’ should look, and who should be involved in it.
Why do tabletop exercises work?
Tabletop exercises are nothing new, but they do align with cybersecurity’s current focus on making humans part of cybersecurity design.
Human-centric cybersecurity (HCC) design essentially helps to incentivize secure behavior in non-technical users within an organization, rather than simply dictating how they should behave, or relying on technology to curtail their habits.
But with or without human-centric cybersecurity design, things still go wrong, and incidents still happen. Tabletop exercises get the whole team invested in the incident response plan because they all have a part to play in working out the kinks.
And even when you’re working with technical folk, the core truth remains; everybody learns better by doing. Tabletop exercises should get the participants pretty close to feeling like they’re running through the scenario in real life.
Who should be involved in tabletop exercises?
Who should be involved in tabletop exercises looks different from company to company; some will only bring in their IT and/or security teams, while others might opt for a cross-section of the company. Ultimately, it’s up to you, and your incident response plan.
How do I get my leadership team on board?
A large proportion of our experts’ tabletop exercise engagements come directly from the C-suite. But if you’re a CISO or IT manager looking to convince your board members of the value it offers, where should you start?
1. Highlight the link to compliance
Non-technical board members won’t always understand or appreciate the intricacies of security best practices, and how much it all costs.
But compliance? That’s something that will quickly get their attention – even if it’s further down your own priority list.
Splunk’s CISO Report highlights how CISOs and boards have a different perspective on what cybersecurity (and CISO) success looks like; only 15% of CISOs picked ‘Regulatory and compliance status’ as the main indicator of success, versus 45% of board members.
2. Focus on the ROI
Ultimately, you’re not convincing your board to spend money on something; you’re convincing them to invest in something.
When an incident does happen (notice we say ‘when’ rather than ‘if’), every second counts – and every second costs. Come to the boardroom armed with stats to support this.
3. Mention improved cross-team collaboration
Having representatives from multiple different teams can improve understanding between departments, which can in turn compound into better collaboration outside of the workshop.
The honest discussions during tabletop exercises promote understanding and empathy between IT teams and other departments, improving communication and relationships across the company.
How much does a tabletop exercise workshop cost?
Our vetted, experienced cybersecurity experts can deliver a tabletop exercises workshop from $15,000, with this price increasing for custom requests and travel requirements.
Beware of larger companies charging exorbitant amounts for this type of work just because of their name; our experts have spent years working within the field at a high level and will deliver your tabletop exercises according to any requirements dictated by your security framework.
How do I get the most out of a workshop?
Once you’ve decided to invest in facilitated tabletop exercises, it’s time to prepare so you can get the most out of your time.
Here are a few ways to do that:
- Make sure all the relevant people will be available
- Create a safe, comfortable space, where people will feel comfortable discussing topics in depth together
- Together with your facilitator, establish a clear objective for the day
- Make sure your team are more or less familiar with the existing incident response plan (so you don’t waste valuable time catching people up on what it is)
Ready to refine your incident response plan?
We’ll match you with a vetted cybersecurity expert with experience running productive tabletop exercise workshops within your industry. Get started by telling us a bit more about your needs. Find out more.
Subscribe to receive the latest blog posts directly to your inbox every week.
By subscribing, you agree to our Privacy Policy and Terms of Service.
