In part one of this series, I introduced tabletop exercises as a critical component of business continuity and incident response planning, along with the steps leaders must take to appropriately prepare to conduct an effective tabletop exercise. Now, let’s dive into the exercise itself and learn why post-exercise reporting is also important.
During the tabletop exercises, there will be multiple points where key decisions need to be made to advance within the scenario. These decision-making authorities are typically outlined and defined in the incident response plan, either by IR team role, job function or name. To get the most out of an exercise, ensure those key participants are present for the exercise.
With planning and logistics taken care of and the exercise underway, consider the following points:
A good facilitator brings the scenario alive by engaging the entire group. Present the scenario information with an adequate level of detail, injecting interesting specifics to make the puzzle thought-provoking and challenging (but not discouragingly hard). Keep in mind that a good dose of humor has never spoiled a tabletop exercise. Ask follow-up questions, guide the team through the process and inject additional details as necessary to maximize learning value while ensuring that all steps of the response process are in place and all participants have been engaged in their respective roles. It may be necessary to role-play for any absent participants; however, the incident response team must follow along and engage with the scenario to achieve success. Be mindful of behaviors that enhance or detract from the experience and value of the exercise:
- Using supporting documents and runbooks – Many organizations develop incident-specific runbooks, flow charts, questionnaires, standard operating procedures and other documentation designed to guide them through an incident response. Many of those same organizations will often completely neglect them during a tabletop exercise. Leverage supporting documents for the tabletop exercise. Test the documentation’s effectiveness by referencing it throughout the exercise and updating it as necessary to ensure it assists in the incident’s resolution.
- Participants engaging with other participants – Facilitators will often spend the early part of a tabletop exercise doing much of the talking, typically laying out the scenario and its objectives and helping get everyone immersed in the exercise. There is a point, though, when the participants should take over and begin working together to overcome the scenario’s challenges. Since they represent different areas of the organization and know the institutional priorities, it is natural for there to be a period where participants ask questions and challenge each other on the specifics of their responses.
- Getting to specifics – A common tabletop challenge happens when participants respond to a question, prompt or cue with a generic or high-level answer. It might lack the details of how an action would actually take place in the specific scenario at a specific time. It can take some prompting from the facilitator or other participants to move from high-level, general responses to specific details. Getting to the details often reveals potential incident response process enhancement opportunities. As a facilitator, counter high-level responses by asking what specific action will be taken. For example, “Which application/tool will be used to accomplish this?” or “Who will be contacted for this information or for help and is their contact information available?”
- Note-taking – Facilitators and observers will generally have notetakers, but participants should also take their own notes to help track contemporaneous thoughts about items that resonate with or are important to them. In general, ‘ah-ha’ or ‘lightbulb’ moments, gaps or disagreements with other participants are items to track or follow up on after the exercise is complete, and general ‘to-do’ items can help ensure meaningful and actionable improvements take place after the exercise is completed.
- “That would never happen here” – Nothing takes the momentum or energy out of a tabletop exercise like one or several participants leaning back in their chair, arms folded saying, “That couldn’t happen here” and then spending the remainder of the exercise fighting against the scenario. There can be several reasons why a particular fact pattern, inject or scenario detail is implausible; however, any time spent discussing or arguing over what would or could not happen is time not being spent responding to the scenario and learning from the experience. Prior to the exercise, the facilitation team should preview the scenario with a select group of insiders and validate as much information as possible to minimize the likelihood of this occurring. This challenge can still arise during the exercise, and the best way to move past it is to remember that in an actual incident scenario, unforeseen or unpredictable circumstances can arise, and the group should do the best they can to move forward with the facts at hand.
- Groupthink – Tabletop exercises generally bring disparate groups from the organization together. Leaders from IT, finance, legal, HR, PR, corporate communications, information security, business units and other groups will work together to determine how to respond to the circumstances presented. Each group will have their own priorities, needs and opinions and will want to voice those during the exercise. It is natural for a conflict or a debate to arise during portions of the exercise. If the entire team is 100 percent in agreement about everything, it could be that the scenario information injects are not specific enough, or the room dynamic is not allowing all the participants to voice their thoughts.
- Deferring – Occasionally, the power dynamics may cause some participants to shy away from voicing their opinions or challenging the higher-level individuals in the room. This may result in critical factors and decisions not being fully debated or explored during the exercise. If the most senior person in the room proceeds on a course of action, arrives at a conclusion or pushes the exercise forward on their own, then details or critical decisions may be bypassed and overall value for the exercise will be diminished.
Once the exercise has been concluded, the real work begins. Typically, the exercise will identify a number of follow-on actions, lessons learned and other topics that the participants may want to address. From what I have observed, immediately after the exercise concludes is when ideas are still fresh, and the energy is at its highest. Great conversations take place and improvement opportunities are formulated in this moment. It is critical to capture these ideas before motivation wanes and other priorities take over. The most effective tabletop exercise facilitators will take the time to document the specific short, medium and long-term actions and objectives and assign owners for each. Using this as a reference point, the organization can take tangible steps to enhance the effectiveness of its incident response capability. The team hosting the lessons-learned session should track these actions to ensure they are fully implemented.
Establishing a tabletop program
Most organizations tend to schedule a tabletop exercise at least annually to achieve compliance with a particular regulation or industry standard, or due to the need to expend unused retainer funds. While this effectively “checks the box,” there are multiple solutions that go above and beyond the bare minimum requirements and deliver greater incident response improvement value. Weigh these factors in expanding a tabletop program:
- Introduce multiple topics and increased frequency – There is an almost infinite number of incidents that could impact an organization. Testing a single scenario each year may not be sufficient to properly prepare the incident response team and address the risk to the organization. Consider conducting regular exercises, combined with shorter cyber drills or a comprehensive wargame approach.
- Vary exercise types – Periodically change the exercise duration, audience or delivery method. This varied approach can provide new perspectives or considerations for the exercise and help maintain engagement.
Tabletop exercises can form a cornerstone of incident preparedness. If performed well, exercises will help an organization evolve its readiness to respond to cyber security incidents. Additionally, gaps in response procedures can be identified proactively, leading to remediation before an actual incident, ultimately improving the timeliness and effectiveness of future responses.