8 Reasons to Schedule a Tabletop Exercise

Article Incident Response

You don’t need to consult a Magic 8 ball to ask whether your organization will be faced with a security incident or breach. If you did, the answers could vary between, “It is certain,” “You may rely on it,” “Outlook good,” “Signs point to yes,” “Yes”… you get the point. The question has always been not if, but when, so it is important to not only have good cybersecurity controls and processes in place, but to practice how your team will react and respond to an incident when it occurs.

The best way to do this is by performing a tabletop exercise where team members walk through a potential scenario or incident in a low-stress environment and discuss the actions they would take. The exercise will test the current incident response plan (IRP) and identify additional mitigation and preparedness needs.

Below are 8 (magical) reasons why organizations should be implementing regular tabletop exercises into their information security strategies.

  1. Identify Gaps in Your Plans

    Organizations can use tabletop exercises to test their incident response and business continuity plans and identify any weaknesses or areas that require improvement. For example, a common gap identified during these exercises is that organizations fail to account for necessary actions that should be taken if a third-party partner is breached. After the exercise, the participants can evaluate lessons learned and then use that information to update the IRP and revise procedures as necessary.

  2. Decision-Making

    Tabletop exercises provide an opportunity for participants to practice their decision-making skills. The exercise allows them to analyze a potential scenario, discuss options, and make decisions in a controlled environment. The exercise might also help determine who has the authority to make decisions and if others should be granted authority in the event a critical staff member is unavailable during an incident. Practicing ensures team members will have the ability to make informed decisions during a real crisis.

  3. Improved Communication and Collaboration

    Exercises are a great way to foster collaboration across different departments and stakeholders within the organization. Participants can better understand each other’s roles and responsibilities and therefore improve coordination during emergency situations. The exercise will also reveal any gaps in communication, missing contact information, call lists, etc.

  4. Training Opportunity

    A tabletop exercise is an excellent opportunity to train staff members and improve awareness about potential types of incidents that may occur. The exercise also ensures participants are aware of incident response procedures and protocols, understand how and when to activate the incident response plan, escalation points, etc. With so many organizations experiencing turnover and a reduction in the workforce, staff workloads are increasing and it is critical for team members to have a clear understanding of internal processes and their individual roles.

  5. Identification of Resource Needs

    An exercise might highlight missing resources, equipment, or technology needed to respond effectively to a potential incident. Having a better understanding of these needs prior to an actual incident can help organizations plan ahead and allocate resources more effectively. For example, if a malware incident required 400 workstations to be re-imaged, how quickly could the team perform this task? What if the machines were allocated to remote workers? Could your organization pull in outside resources for assistance?

  6. Identify and Prioritize Risk

    Tabletop exercises allow organizations to identify potential risks and vulnerabilities and assess the likelihood and impact if their organization were to experience a real-world scenario. This process can help senior management make decisions and weigh how much risk is acceptable versus the costs of reducing that risk. Exercises can also help ensure critical services are covered in planning and identify thresholds for decision-making based on the type of sensitive information involved, systems impacted, users, etc.

  7. Testing Communications

    Effective communication both internally and externally to customers, staff, students, etc. is critical during an emergency situation. A cybersecurity tabletop is a great opportunity to test communication systems, as well as define messaging that will be sent to impacted users or the community-at-large, outline protocols for talking with media, etc.

  8. Maintain Compliance

    Organizations may be required to demonstrate response capabilities in order to meet requirements for specific compliance regulations (i.e. GLBA, PCI DSS, HIPAA, etc.). Tabletop exercises allow the institution to demonstrate their commitment to response planning and preparedness.

A walkthrough of a potential breach or incident within a controlled environment is critical to improve response capabilities and can be a low-cost activity with high benefits. The overall goal should be that when an incident occurs, your organization is able to recover and resume operations as quickly as possible.

If you would like to discuss options for having CampusGuard facilitate a cybersecurity exercise with your teams, connect with your dedicated Customer Advocate team to review possible scenarios and next steps or contact us to get started.

Additional feedback from one of our Security Advisors:

[Bivens]: The beauty of a tabletop exercise (TTX) is that you can really torture-test your plans and procedures against highly unlikely—but highly impactful—scenarios, and you can do it in a low-cost, no-impact setting.

For example, if your test scenario simulates a ransomware attack and your staff is working the plan well, why not make things more interesting by allowing the “ransomware” to take out the VoIP telephone system? The players can then work through finishing the incident response using only cell phones, Teams/Slack/etc., and instant messaging. Does everyone know everyone else’s phone number? Where is the contact list? Is there a printed copy available? Is it up to date?

The complications you inject into the TTX should be customized for your organization and environment and can identify weak points in your plans so you can address them before your plan is needed in real life.

It’s important to strike a balance between a scenario that’s too simple, linear, and uncomplicated, and one that’s overcomplicated to the point your players just throw their hands up in frustration and tune out.

The best simulations are the ones that mimic a real emergency, keeping your players busy without beating them up.

When you do that, the TTX is enjoyable, everyone benefits from its lessons, and your players want to come back for the next one.

Besides, you can always have the database server rack catch fire next time, right?


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.