Anatomy of an Effective Tabletop Exercise
Tabletops can boost cyber resilience, but what does it take to execute an effective exercise?
Your enterprise has just been breached -- do you already know what you are going to do? Or will you flex your incident response muscles for the very first time during a real-life crisis?
Tabletop exercises give enterprises the chance to walk through a breach and stress-test the response. But not all tabletop exercises are created equal. Generic templates can help organizations get started, but they are unlikely to capture the specific risks and attack surface of an individual enterprise. Mature organizations go further.
“They understand the business context behind the scenario and what threat actors would really go after in their environment,” says Robert Boyce, global cyber resilience lead at professional services company Accenture.
How can security leaders develop and implement tabletop exercises that strengthen cyber resilience?
What Exercises and When?
Tabletops are a type of cybersecurity drill that test how an organization would respond to a specific incident. Any enterprise -- small, mid-size, or gargantuan -- is a potential target for cyberattacks, which means any enterprise can find value in tabletops.
“If you're looking at north of a few dozen to a couple of hundred employees, it's really important to … walk through this and understand who's taking what roles and responsibilities,” Aaron Shaha, CISO at managed detection and response company CyberMaxx, tells InformationWeek.
Some potential threats, like ransomware, are valuable tabletop scenarios for any organization to run through, but security leaders also need to consider cyberthreats specific to their industry and their organization. A pharmaceutical company and a manufacturer, for example, are going to face different cybersecurity threats and regulatory requirements that can be used to shape the most impactful tabletop exercises.
An integral part of a cybersecurity leader’s job is staying abreast of the latest threats. And they can help educate and prepare enterprise teams for these threats, in part, through tabletops.
“One of the hottest topics that organizations are asking about running tabletops for [is] deepfakes,” says Boyce.
Enterprises could conceivably run a nonstop tabletop schedule in an attempt to keep up with the vast and ever-expanding threat landscape. But time and resources are not infinite. How often should organizations run through tabletop exercises?
“This is not a world of unending resources,” says David Beabout, global CISO at cybersecurity company NTT Security Holdings. “We need to make good use of the time [when] we do take people away from their normal functioning work.”
Some enterprises may use regulatory requirements to determine a tabletop schedule, conducting exercises once or twice a year. While that cadence may be sufficient for some organizations, simply checking the box and running the same exercises on an annual or semi-annual basis may not be the most effective strategy.
Boyce recommends segmenting tabletop exercises. “You can build the storyline on an annual basis,” he explains. “Say, ‘Here are the … three different scenarios we're going to test this year, and here's how we're going to test them. This month it's going to be finance and marketing. Next month, it's going to be legal and compliance.’”
Dividing tabletop exercises like this reduces the burden on individual teams, since not everyone participates every time, while still allowing the enterprise to take a holistic approach to testing incident response in specific situations.
While tabletops are usually scheduled on the calendar weeks, or longer, in advance, some enterprises may opt for a different approach.
“I've also in rare cases seen incident response teams do … snap tabletop exercises where they're trying to test … the resilience or the adaptability of the team. So, a little bit of planning up front and then straight into it to see how they handle an almost unexpected incident,” John Price, CEO of cybersecurity testing and advisory services company SubRosa, shares.
Structuring a Tabletop
What does a good tabletop exercise look like?
“They're not limited by anything other than the imagination or the interest in having them be a key part of the ability to execute the scenarios that you want to test and what the organization, the stakeholders want to have in terms of an outcome,” says Beabout.
While there is a large degree of freedom in planning out a scenario to test, security leaders need to consider cost as well. A typical tabletop exercise could cost $30,000 to $50,000. The cost depends on the scope, stakeholders, and time involved; smaller scenarios with fewer technical components will be less expensive.
“If you're looking to have a big one, where you've got multiple players and multiple pieces, multiple levels of the organization, those are not going to be able to be as frequent, but you can test subcomponents and smaller sections more frequently and that's probably more cost-effective,” says Beabout.
The more elaborate the scenario, the more preparation it will take in advance. A tabletop that brings together multiple stakeholders and runs over the course of several days could take weeks or even months to plan. A smaller exercise that tests the response of a single team and lasts for a few hours can be planned on a much shorter timeline.
For larger enterprises, CISOs and their teams may take point on developing tabletop exercises. Organizations without the internal resources may tap a third party to evaluate their risks and develop appropriate exercises.
A real-life response to a cybersecurity incident is going to require participation from a multitude of stakeholders: security, IT, legal, communications, compliance, C-suite, and the board among them.
Tabletops can be broken down by team. For a more in-depth exercise, multiple teams can coordinate.
“In today's work from home environment … a lot of companies [and] teams don't get a good opportunity sometimes to sit down and collaborate on things, kind of war game things out,” says Shaha. Tabletop exercises can be that opportunity to connect and, at least temporarily, break down some of the silos that tend to form in enterprises. With the ability to connect virtually, key tabletop participants don’t even have to be in the same room during the exercise.
Organizations may even consider looping in external stakeholders, such as law enforcement or forensics teams, that will play pivotal roles in responding to a cyberattack or breach.
Tabletop scenarios can be run in myriad ways. Beabout has seen exercise leaders use a roll of the dice to determine how much information participants receive about the threat scenario: the higher the roll, the more information. The roll of the dice mimics the uncertainty and often incomplete picture that responders face during a real-life incident.
Some tabletop leaders may even decide to remove a key stakeholder to see how a team would react. “If we really want to test the ability of the organization, the CISO or the security leader can be absent to see what happens,” says Beabout.
An enterprise’s teams, attack surface, and business risks are not static, which means tabletops shouldn’t be either. “If you [don’t] adapt and continuously improve your processes, you are stagnant, and at some point that could come back to bite you when you actually have an incident,” says Price.
Finding Value in Tabletops
Tabletops do take people away from their day-to-day responsibilities. Yet another meeting can feel like an imposition, but if framed and executed the right way, they can be very valuable exercises.
Communication among the participants is essential, and often that communication requires a degree of vulnerability.
“There's a lot of fear from people … especially if the C-suite is in there and they're a lower-level employee. ‘I don't want to look dumb in front of the boss,’” says Shaha.
As a tabletop facilitator, Shaha aims to lead with some vulnerability by assuring everyone involved that even with all of his experience, he doesn’t have all of the answers. Leaders showing some uncertainty can open the door to more open, productive conversations while moving through these exercises.
Tabletops test hypothetical scenarios; they do not have the same sense of urgency or stress that a real-life incident will. But they can still be a useful tool for recognizing how team members might react during an actual event.
“Some people are good under pressure,” says Shaha. “Even though you're not really pressure testing the system in a tabletop, you can kind of get that vibe: who's going to be helpful, who's not, what certain people’s strengths are.”
Gaps in an organization’s incident response plan often become readily apparent during a tabletop exercise. If someone does not know what their role is, that will be clear.
While recognizing those gaps is important, Boyce often finds that organizations don’t adequately follow up after making those discoveries during a tabletop. “Making sure [it’s] someone's responsibility and then retesting it to make sure that fix we had actually fixed the problem is super important,” he says. “I do not see many organizations actually do the validation of the fixes or the items that needed to be changed to make sure they're still working.”
Finding, fixing, and validating the fixes for potential gaps in incident response are positive outcomes from tabletop exercises, but there is also value to be found in the human element.
“Tabletops are not necessarily always about finding weaknesses. There also are opportunities in tabletops to find new ways of doing things that were not evident before because these people hadn't all been working together,” Beabout points out.
Ultimately, tabletops are just one piece of a cybersecurity strategy that prioritizes enterprise resilience. “So, it's definitely a very significant piece of the puzzle, but for anyone … looking at … the whole puzzle there're a lot more components that have to tie into that,” says Price. Enterprises also need the right detection technology, vulnerability scanning, and team training.
Inside a Real-World Tabletop
What would happen if a malicious insider took over an executive’s X (formerly Twitter) handle to spread false information? Boyce was a part of a tabletop that tested the C-suite of a pharmaceutical company with that scenario.
This exercise was a business-focused scenario rather than a deeply technical one. It unfolded almost like a play, with separate acts and scenes. The exercise organizers even had a prerecorded newscast to make the experience as immersive as possible.
“The video was a newscaster talking about their company and what happened and their share price going down,” Boyce shares. “You could see immediately it wasn't fake for them anymore. They were there. They were present.”
As the executives moved through the scenario, they discussed how they would engage with various teams in incident response, how they would communicate with regulators, and how they would talk to the media.
Boyce emphasized the importance of pushing tabletops beyond the realm of simply flipping through the pages of a written-out scenario and checking a box.
“In the midst of a crisis, you need the emotion. You need [to be] immersed into that experience, and so we just find, especially for executives at that level, pushing them into the experience is super helpful,” he says.