Crisis Management 2025

Last Updated March 14, 2025

USA - New York

Trends and Developments


Authors



FTI Consulting, Inc. has one of the largest specialised cybersecurity and data privacy communications practices in the world. It provides expert crisis communications counsel and support throughout the entire lifecycle of an incident. Named the Cybersecurity PR Firm of the Year by the Cybersecurity Excellence Awards three years running, FTI Consulting has proudly led the communications response for some of the largest and highest-profile cybersecurity matters in the past decade, including those involving PII, PHI, sensitive IP, double- and triple-extortion ransomware attacks and nation-state incidents, among many others. As an integrated member of our clients’ core cybersecurity incident response teams, the firm partners with external legal counsel, forensic investigators, and internal client teams to support its clients’ communications strategies and responses throughout an incident. The Americas practice comprises nearly 20 dedicated practitioners, with six team members based in New York.

Cybersecurity Crisis Response Tabletop Exercises – What Works, What Does Not, and Where it Can Really Go Wrong

When a cybersecurity incident hits, it is no surprise that organisations tend to fare better if they have prepared and practised their cybersecurity crisis response plans in advance. Tabletop exercises play an invaluable role in an organisation’s overall cybersecurity preparedness programme. In addition to helping bring hypothetical crises to life, they satisfy regulators, who expect – and, depending on the jurisdiction, may even require – organisations to conduct cyber training and tabletops. Cybersecurity insurers have jumped on the bandwagon, encouraging, if not requiring, such exercises for their insureds as a prerequisite to coverage.

While having plans on paper is important, it is equally important to practise working cross-functionally, escalating key issues, making decisions and managing a large volume of inquiries and competing priorities during a cyber crisis. Tabletops and simulations give teams a front-row view of how incident response plans function or fall. Until plans are pressure-tested in the most realistic ways possible, they remain somewhat academic exercises. There is a feeling that comes with seeing a company’s name and a countdown clock on a mock threat actor shame site that simply brings a plan to life. And while preparedness plans are typically developed in a small working group without the executive teams, tabletop exercises can bring the executives to the table and provide valuable insights into the way they will respond to an active cyber crisis.

Is the CEO a dealmaker, inclined to dive into negotiations with a ransomware group to extract the best possible value for a decryptor tool and/or suppression of exfiltrated data? Are they fuelled by patriotism, ready to stand their ground and refuse to pay cyber criminals because they “do not negotiate with terrorists”? Or are they a pragmatist, inclined to take the temperature of their executive team and the counsel of veteran advisors? The answers to these questions and many more can (and should) be learned in a tabletop before the real crisis hits.

Designing an Exercise – Key Steps to Success

Not all tabletops are created equal, and while most provide at least some value, there are the occasional horror stories of how exercises did more harm than good. To begin, let us consider some of the key attributes of an effective cybersecurity tabletop exercise, and critical steps companies can take to make sure they maximise the leadership’s valuable time and attention.

Meet teams where they are in their maturity journey and create organisation-specific scenarios

Organisations differ in their corporate structure, cybersecurity risk profile, data governance and crisis experience. An organisation that has an established Incident Response Team (IRT), completes annual tabletop exercises and has managed its own cyber crises would benefit from scenarios that are more advanced and nuanced – assessing the organisation’s effectiveness in its ability to respond. Conversely, a company lacking established incident response protocols warrants an exercise that will teach and train, rather than test. Exercises should be tailored to an organisation’s needs and designed to maximise engagement and capture nuances, with consideration given to factors like duration (hours versus days) and format (in-person or virtual) for the most valuable exercise.

Bring the right team together

Given the impact that disruptive cyber incidents, such as ransomware, often have on the overall organisation, and the cross-functional team needed for an effective response, it is important that all individuals who will play a key role in the response have the chance to practise. Cybersecurity incidents are multi-stakeholder in nature; companies should have representation from all key areas of the business, such as operations, legal, IT, information security, communications and HR, to ensure the exercise is realistic and resonates with a wide swath of audiences. While specific team members vary, participants should generally include the IRT, the C-suite, appropriate functional representatives or subject-matter experts (depending on the scenario) and potentially even a board member for key moments. Teams should consider likely communications pain points, legal challenges, anticipated reactions from key company stakeholders, ownership of workstreams, a process that clearly dictates how communications are approved and distributed, and a triage protocol for managing a large volume of inquiries.

Designate an executive sponsor, a tabletop owner and a good moderator

Tabletops are fantastic training exercises and teaching moments, but they are ultimately ineffective without an executive sponsor who sets the tone from the top about the importance of the exercise to the organisation as a whole. Likewise, without one or two individuals at the organisation taking ownership of the exercise and driving it forward, key takeaways, areas for improvement and other learnings may go by the wayside. Additionally, when exercise time comes, a good moderator, particularly one from an outside firm who can bring both expertise and objectivity into the room, helps ensure that the team does not get bogged down in hypothetical details. Instead, the conversation should keep flowing with a focus on how teams would work together to respond to various escalations, while the moderator facilitates and captures key questions and considerations.

Tap into external expertise

While internally led tabletops can be effective, as mentioned above, organisations often tap law firms, forensic teams and/or crisis communications experts to help design and moderate these exercises. Which specific experts to engage depends on the goals of the exercise, but regardless, outside experts bring experience from managing real incidents at scale, can spot gaps in existing plans and can identify tested solutions to improve overall response capabilities. Even if the exercise is internally led, it is often helpful to have external partners engage in the exercise as participants – much as they would in a real-life scenario. Having the people who will be called upon during an incident in the room (or virtual room) helps to build rapport between teams and experts who will all be in the trenches together during a highly stressful situation. Individuals from inside the organisation and external experts typically do not want to be shaking hands for the first time on the day the crisis is on the doorstep. And the importance of having the outsider-looking-in perspective cannot be overstated.

Commit to a path forward

Comprehensive cybersecurity preparedness is an ongoing, iterative process that takes continual testing, reassessing and updating. Programme owners or sponsors should document lessons learned and implement a plan for regular programme maintenance and training. An organisation’s risk profile changes, its personnel come and go, and the cybersecurity threat landscape evolves. One exercise is great, but regular training is better. Companies should not let perfect be the enemy of good. It is important to keep the conversation going and the readiness plan improving.

Done well, tabletop exercises make cybersecurity crisis response teams more prepared and organisations more resilient. By ensuring that:

  • plans are tailored to the organisation;
  • the right people are at the table;
  • an effective sponsor takes ownership of the exercise;
  • appropriate outside experts are tapped; and
  • the organisation commits to a path forward,

organisations can enjoy a multiplying return on investment through these important preparedness exercises.

Putting it Into Action – Where Things Go Wrong

Those are the building blocks of a sound cybersecurity tabletop exercise, and with those five core steps in place, organisations can be assured that they will glean at least a handful of real, actionable insights that will strengthen their readiness – and resolve – when they face the real thing. But can a tabletop actually move an organisation backwards on its preparedness journey? Or can it expose real deficiencies that cannot be fixed by a few refinements to the plan? The unfortunate answer is yes. Below are a few ways that tabletops can go (and have gone) disastrously awry.

  • The company brings the right people to the table – and embarrasses them. This sounds like an easy one to avoid – after all, exercises are intended to be opportunities to learn, not tests to try to navigate. Unfortunately, some enthusiastic exercise designers – particularly external advisors who are likely looking for follow-on work – can fall into the trap of designing no-win scenarios, or scenarios that are intended to elicit “right” and “wrong” answers rather than facilitate thoughtful discussion. This risk is particularly acute if board members are observing the exercise. There is nothing that a C-suite dislikes more than looking or feeling unprepared in front of its board. Exercises need to be tailored to meet organisations where they are on their cybersecurity maturity journey. An organisation’s first-ever cyber tabletop exercise should not include a parade of horribles in the injects that leaves legal, communications and IT/information security feeling completely hopeless.
  • It is a drill – companies should make sure everyone knows that. Just about everyone knows that slides used for a tabletop exercise should be marked “fictional scenario for training purposes” or something similar. But what about more intricate exercises or simulations that involve sending email injects to participants throughout the day? Those are great, but companies should make sure everyone who will be tapped to play a role knows ahead of time that there is an ongoing exercise. The last thing companies want is for someone to receive a fictitious ransom note, flag it to IT as a real threat, and have IT disconnect all or part of the company’s network in a panic, creating a real business interruption from what amounts to grown-up Dungeons & Dragons. While this sounds fantastical, it has actually happened – more than once.
  • Gametime is set – and it is called on account of rain. This is less a case of a poorly designed exercise and more an indication that an exercise is exposing a fundamental lack of understanding of how real-life cyber crises play out, and of why creating realistic exercises is so important. If a tabletop was intended to be conducted in person and there is a sudden snow day, companies should pivot to something virtual. Organisers should not punt an exercise into next month because the weather is inconvenient or the head of HR is out sick. Cybercriminals halfway around the world or sophisticated foreign intelligence operatives do not care that it is not blue skies and sunshine, and the exercise should not either. Companies should be as flexible in their tabletops as they would need to be in a live cyber crisis.

What Success Looks Like – Insights in Action

If companies avoid these pitfalls, they are well on their way to a meaningful, productive exercise. But what does it look like for an exercise to be more than a check-the-box compliance activity, and what kinds of actionable – and potentially unforeseen – insights might come out of a truly excellent tabletop? Below are just a few examples that make the case for regular tabletop drilling.

  • It is the little things – and they can have major implications. When designing cybersecurity incident response plans – whether for information security, legal or communications teams, or all of the above – it is virtually impossible to account for every nuance of an organisation’s tech stack and IT infrastructure. The little things often go overlooked – but they can have real-world consequences in a live cyber crisis. For example: in a recent exercise, an organisation decided, as part of its containment and remediation process, to conduct an enterprise-wide password reset without giving its workforce much context as to why. Company leadership then realised that many of its business units relied upon a sizeable number of external contractors, and that a significant number of employees were co-located onsite with customers. Suddenly, the risk of a leak – and of speculation – became much higher, forcing the executive and communications teams to decide to distribute an emergency text alert to all staff explaining the need for the sudden password reset. A seemingly trivial nuance of this kind is easy to overlook in crisis communications or incident response plans, but it can be spotted by thoughtful tabletop participants. It is much easier to come up with a fix for an issue of this sort after a tabletop than during a live crisis.
  • The board is “inform-only” – until it is not. Cybersecurity tabletop exercises can be a great way for one or more board members to observe their management team in action in a controlled environment. Most organisations have boards that intend to take a passive role in incident response, content to receive regular progress reports. But this is not a universal truth. In another recent exercise, one organisation learned that while it thought of its board as an “inform-only” stakeholder, the board actually thought of itself as both a “reviewer” and an “approver” – in fact, line-editing an 8-K before it was filed with a fictional Securities and Exchange Commission (SEC). Learning this in advance of an incident as a result of a tabletop makes for a much smoother and faster approval process during a live incident. If this comes up in an exercise, there is time to step away and design a flow chart for board engagement. If it happens during a live crisis, there is a risk of slowing down a key regulatory filing or, even worse, creating misalignment between the board and the executive team, which can be a recipe for disaster.
  • Fundamental communications challenges can be solvable action items – rather than litigated when the clock is ticking. Nailing the communications approach to a cyber crisis can often be the most difficult element of incident response, and it is not the sole responsibility of the communications team or external crisis communications experts. Certain communications decisions can have real implications for the business writ large. For example, if a company experiences a very public ransomware attack, should it say “ransomware”, “cybersecurity incident” or “technical disruption” in its internal or external communications? One organisation recently spent 45 minutes of a 90-minute tabletop exercise debating that very question. By aligning on details such as this prior to the onset of a cyber crisis, the business will fare much better than it would trying to answer the same question while the clock is ticking. Many similar issues – and communications decision points – may come up through a well-designed exercise.
  • Invest now – save later. The lively discussion that accompanies a cyber tabletop exercise can often surface opportunities for investment – in time, money or both – that may never come up when designing incident response or cyber crisis communications plans. For example, a recent tabletop exercise uncovered the fact that it was the CEO’s first time considering the company’s cyber insurance tower, and whether investment in further coverage might be a worthwhile business expense. Another example and learning: after an exercise that required heavy B2B customer communications and engagement, a Chief Information Security Officer concluded that it would behoove them to build and invest in warm relationships with their counterpart CISOs at customer organisations ahead of time – so that their first meeting would not take place during a live incident.

These are just a few of the hidden gems that might surface during a tabletop exercise – issues or opportunities that were neither sought out nor expected but can add meaningfully to an organisation’s cyber resilience. And these come in addition to the fundamental building blocks and education that a well-run exercise delivers.

Conducting regular tabletop exercises is something that every organisation can benefit from – but not all exercises are created equal. By following these key steps, and avoiding some of the biggest pitfalls, organisations can make the most of their practices together in the boardroom or on a Zoom bridge. Cybersecurity preparedness is about the journey, not the destination – and drills and simulations make excellent mile markers.

FTI Consulting, Inc.

1166 Avenue of the Americas, 15th Floor
New York
NY 10036
USA

+1 212 850 5777

+1 646 642 9277

evan.roberts@fticonsulting.com
www.fticonsulting.com
