In my last post, I discussed the importance of implementing key elements to effectively and efficiently respond to cyber incidents. I want to use this post to drill down on one of those elements in particular: tabletop exercises (aka tabletops). Regularly practicing tabletop exercises is an excellent way to train the organizational 'muscle memory' of processes and communications that are crucial when responding to a cyber incident.
Here is a useful definition:
"Tabletop exercises are discussion-based [or simulation-based] sessions where team members meet in an informal, classroom ['war room' or remote] setting to discuss [simulate, play] their roles during an emergency [for our purposes, a cyber incident] and their responses to a particular emergency situation."1
Tabletop exercises for cyber incidents can be conducted in various forms with different goals and outcomes depending on what is being simulated. The ultimate goal of a tabletop exercise is to practice processes and communications for identified internal and external stakeholders/participants—but more importantly, to identify gaps and areas of improvement in those processes and communications.
When planning a tabletop exercise, it is important to specify the outcomes/goals you are trying to achieve. Maybe it is to test technical response capabilities and playbook processes for the internal cyber security and incident response team (CSIRT). Or maybe it is to see how senior leadership engages third parties in the response effort and how they communicate a cyber incident to external stakeholders. Either way, these practice outcomes will define the audience and the different ways a tabletop exercise might be delivered.
Below, I highlight a few different approaches to tabletop exercises and how each can benefit an organization in practicing and improving its cyber incident response capabilities for different audiences: