One way for organizations to test their cyber defense capabilities is through cybersecurity drills. These drills can take the form of penetration testing, phishing simulations, live-fire exercises, or tabletop exercises. Tabletop exercises are low-cost and low-tech, generally involving a facilitator laying out a cybersecurity scenario for employees to discuss and act through. The demand for tabletop exercises has grown significantly in recent years, driven by compliance issues, board directives, and cybersecurity insurance mandates.
According to Mark Lance, vice president of incident response at GuidePoint Security, employees often request tabletop exercises to help educate executives on the true impacts of a potential cyber incident. The Center for Internet Security also promotes tabletop exercises, claiming that they help organizations better coordinate business units in response to an attack and identify critical roles during and after an attack. The US Cybersecurity and Infrastructure Security Agency provides packages to help organizations get started on conducting tabletop exercises.
Typically, during a tabletop exercise, the facilitator leads a discussion by asking a series of questions based on a hypothetical scenario. The discussion can vary based on whether the participants are IT teams or executives. Some scenarios may focus on widespread problems, such as ransomware and phishing attacks, but to be successful, an individual tabletop should be specific to the organization or its industry.
It is beneficial to run separate tabletop exercises for an organization’s senior leadership and technical teams. Executives often want to discuss companywide issues and high-level decisions, while technical teams focus on the nitty-gritty of stopping and mitigating an attack. Realistic scenarios are essential for the success of a tabletop exercise, and facilitators must work to keep participants engaged throughout the discussion.
Curtis Fechner, cyber practice leader and engineering fellow at Optiv, emphasizes that participant engagement is the biggest factor in the success of a tabletop exercise, so the facilitator must actively lead the discussion and keep participants engaged throughout the exercise.
At the end of a tabletop exercise, participants should discuss the lessons learned and areas for improvement. The exercise should be seen as an opportunity for continuous improvement in cybersecurity practices. Facilitators can use the feedback from participants to identify opportunities for growth and improvement.
It is also important to ensure that tabletop exercises are relevant and tailored to the specific client organization. This helps to keep the participants engaged and ensures that the exercise provides a level of authenticity and validity. Realistically, the goal of a tabletop exercise is to expose opportunities for growth and improvement in cybersecurity practices. If participants leave the exercise with a better understanding of their incident response plans and areas for improvement, the exercise can be considered a success.
