How To Conduct a Security Tabletop Exercise

By: Charles Brandt
April 17, 2024

Companies facing the daunting task of containing and recovering from a disaster are often caught off guard by the many non-technical aspects of incident management. Conducting preparation exercises for high-threat scenarios — also known as tabletop exercises — can help companies minimize the impact of any and all potential threats.

In this blog, I’ll lay out the essential steps for preparing your company's first tabletop exercise and offer some pro tips to make it as effective and illuminating as possible. 

What Are Tabletop Exercises in Security?

lively-office-meeting

In a tabletop exercise, key personnel will discuss and work through a hypothetical security incident in a relatively informal, low-stress environment. 

The main goals of these tabletop exercises include:

  • Identifying any weaknesses in existing incident response plans (IRPs), procedures, and protocols 
  • Providing an opportunity for participants to become familiar with their roles and responsibilities during an incident
  • Facilitating better coordination between various departments 
  • Allowing participants to practice making quick decisions and becoming familiar with the process  without the pressure of real-world consequences 
  • Uncovering limitations, misaligned recovery expectations, potentially undocumented risks, and business continuity impacts
  • Identifying undocumented high-value assets and dependencies

Cybersecurity Tabletop Exercise Tips

Most cybersecurity professionals would recommend that you conduct a tabletop exercise at least annually. However, if you’re in healthcare or finance, or your business supplies critical infrastructure, regulations may require you to do them more often. You should also have another tabletop exercise after a significant change to your personnel, systems, infrastructure, or processes. 

I’m sorry to be the bearer of bad news, but if you’ve recently experienced a cyberattack, you’re likely to be targeted again. So if you’ve recently experienced a cybersecurity incident, it’s a good idea to conduct another exercise. 

Pro Tip: Make this process a safe space to raise concerns, ask questions, and challenge assumptions. These exercises aren’t just for the purpose of demonstrating what everyone already knows. Participants should be encouraged to say what they’re thinking and support each other through the process. It’s also a great way to reduce tension and build trust in each other…which will be extraordinarily useful in the event of a real-world attack. 

How To Conduct an Incident Response Tabletop Exercise

digital tablet checking boxes

If this is your first time coordinating a tabletop exercise, first off, I’d like to thank you! Too many organizations — especially small businesses — underestimate either their risk or the effectiveness of prevention. If you’ve researched this topic, that means you’re already ahead of the curve! Here’s how to make your very first incident response tabletop exercise a success. 

1. Define Your Objectives and Scope

Many businesses rush past this, but clearly articulating the objectives and scope of your tabletop exercise is key. 

Tabletop exercises aren’t just about running scenarios; they’re about aligning these simulations with specific threats your organization might face. By defining clear objectives, you’ll provide a strategic framework for the exercise. 

Pro tip: Consider tailoring scenarios to mirror real-world threats in your industry to boost engagement and offer your participants more relevant experience. 

2. Assemble a Cross-Functional Team

Many companies hand over tabletops solely to their IT teams. While IT teams testing their processes in-depth can be very valuable, I encourage companies to ensure that they have identified a cross-functional team in their incident response plan and that this team participates in scenarios together during tabletop exercises.

Each team member will bring a unique perspective, contributing to a comprehensive and effective response strategy. Each stakeholder group will have different priorities and understand their department’s process dependencies. Taking a multidisciplinary approach ensures that the exercise reflects the collaborative efforts required in a real cyber incident. So make sure you include diverse expertise by including representatives from cybersecurity, IT, legal, human resources, communications, and executive leadership. 

3. Select and Develop Scenarios

Choosing scenarios that mirror real-world threats in your industry is crucial for a meaningful exercise. Develop detailed narratives for each scenario, including triggers and potential consequences. By tailoring scenarios to your organization's specific context, you create a realistic environment for participants. This approach enhances the relevance of the exercise and allows your team to engage deeply with the challenges presented, as recommended in your IRP.

Need an example of a detailed narrative? CISA authored the following scenario: 

Michael, a senior accountant, gets a call from the company’s bank. The bank representative is confirming that they successfully transferred $50,000 to one of their existing vendor’s new offshore accounts. However, the second payment of $150,000 failed because of insufficient funds. He wants to know how to proceed. 

Michael did not initiate either transfer, and he does not know about any offshore accounts for any of their vendors. He is the only person authorized to transfer funds.

Find more scenarios and tips from CISA through the link below! 

Pro tip: Real-world incidents don’t always happen all at once! Many times, they start with small indicators and then gradually begin to show how large the issue might actually be. These updates along the way, called “injects” in tabletop exercise lingo, can help the selected scenario feel more realistic.

 Get CISA Tabletop Exercise Packages

4. Establish an Exercise Timeline

A well-structured timeline ensures that participants have the opportunity to immerse themselves in the exercise without feeling rushed. It also allows for a comprehensive debriefing session, essential for extracting valuable insights, as per your IRP. 

Pro tip: Consider the complexity of your scenario and the availability of your participants. Make sure to allocate enough time for them to prep, go through the simulation, and analyze what worked and didn’t. 

5. Communicate Expectations to Participants

To perform at their best, participants need to be well-prepared and understand the significance of their roles. So be sure to clearly communicate the purpose, goals, and expected outcomes of your exercise, and provide any relevant background information and resources that may be relevant to the communication protocols outlined in your IRP. 

6. Conduct Pre-Exercise Training

Training sessions can create a level playing field, especially if participants have varying levels of familiarity with incident response procedures. So before diving into the tabletop exercise, familiarize participants with the process and their roles, the risks you are trying to address, a general overview of the incident response lifecycle, and the like. Coordinating schedules takes time and a commitment from multiple departments, so effective pre-exercise training can help you go deeper into the exercise.

7. Prepare Simulation Materials

Well-prepared materials will help participants fully engage with the simulation as they respond to various challenges. 

Your materials should include: 

  • Materials that outline the who, what, and where of the scenario
  • Injects (updates to the scenario that advances the “plot”)
  • Your current incident response plan

Find a textbook example (literally) of a scenario involving drinking water, plus supplemental materials, here

8. Facilitate a Kickoff Meeting

question-during-meeting

The kickoff meeting is the starting point for building a positive and constructive atmosphere. It establishes a sense of unity among participants, fostering a collaborative mindset essential for effective engagement.

In your kickoff, make sure to review objectives, introduce participants, and address any questions. Emphasize collaboration and open communication throughout the exercise, mirroring the collaborative approach advocated in your IRP. 

9. Run the Tabletop Exercise

This step requires skillful orchestration to ensure that participants are fully immersed in the scenarios, responding authentically to the challenges presented. Encourage active participation from all stakeholders, stick to your predetermined timeline, and introduce injects strategically to prompt additional responses. 

Make sure you assign a dedicated team to document observations and gather feedback during the exercise. This information will be exceptionally valuable for your next steps and can highlight areas of strength and areas for improvement. 

Pro tip: Having a third party lead the exercise can help the discussion stay on track and also remain more objective. If this facilitator has a solid professional background, they will also be able to help your company identify gaps, illustrate best practices, and answer questions.

10. Debrief and Document Lessons Learned 

The debriefing session is a critical component of the tabletop exercise. It allows participants to reflect on their actions, share insights, and collectively learn from the experience. In your debrief, be sure to discuss participant experiences, challenges, and lessons learned. Then, identify areas of success and where improvement is needed. 

Finally, compile a comprehensive list of lessons learned from the tabletop exercise. Use this information to refine incident response plans and enhance organizational processes, aligning with the documentation and review processes outlined in your IRP. 

How Tabletop Exercises Enhance Operational Continuity

coworkers-putting-hands-together

Preparing for tabletop exercises goes beyond fortifying your organization's response to cyber incidents; it significantly contributes to ensuring operational continuity. By simulating potential disruptions and testing response protocols, businesses can identify vulnerabilities in operational processes and develop robust strategies to mitigate risks.

What To Do if You Discover Hidden Risks

After you run your first tabletop exercise, you may discover that your organization is more vulnerable to a particular cybersecurity incident than you previously thought. While that’s not exactly welcome news, it’s always better to find that out before something bad actually happens. That’s exactly why tabletop exercises are so valuable!

In 2019, it might have been perfectly reasonable to bolster your defenses over a longer period of time. But in 2024, we don’t have that luxury. If you need to step up your cybersecurity quickly, or you’d like to make your next scenario much easier on your staff, it might be time to work with a Chief Information Security Officer (CISO). That level of talent isn’t always accessible for small to midsize businesses, which is why we’ve started offering IT consulting services. Marco’s virtual CISOs — aka vCISOs — are well-versed in running tabletops that cover a wide range of scenarios.

Click the link below to browse our vCIO and vCISO options! 

Explore IT Consulting Services Learn More

Topics: Security