
If you fail to plan, then plan to fail. Wise words that have echoed over the decades, and as the cyber threat landscape has evolved, an organization's ability to bounce back from a cyber incident has become a regular talking point for Executives and Boards. Whether driven by regulation or by growing awareness of cybersecurity as a business issue, many organizations across a variety of industries have made marked efforts to develop plans for navigating the murky waters of a cyber incident.

However, like any well-laid-out plan, if those plans are not regularly tested for quality and completeness, will they actually help when truly needed, or will unforeseen challenges arise that were not fully considered when the plans were developed?

So how should an organization test those plans? This is where tabletop exercises have their moment to shine: they are a structured and industry-accepted way to test the quality of organizational response plans.

But what exactly is a tabletop exercise? In short, think of it as a fire drill, but instead of a blazing building, you're dealing with a cyber incident like a ransomware attack or a data breach. The exercise is often designed as a progressive, discussion-based activity that helps organizations collaborate and communicate about how their processes would be used in a controlled situation. The exercise should also use the existing plans and processes as a baseline during gameplay, so that drift or deviations from the intended actions can be detected. As organizations mature in their response capabilities, these exercises can become more immersive and involved, with live testing that complements the discussion-based exercise with tactical hands-on activities (e.g. phishing simulations, malware containment, etc.).

When thinking about, or designing, a tabletop exercise, it's important to note that these are not just technical in nature. They are about understanding not only how technical protocols will respond to an incident, but also how Executive teams would functionally coordinate, communicate, and notify internal and external stakeholders of a developing or active incident.

The two most common types of exercises are Executive and Technical tabletops. Below is how they distinguish themselves from each other:

Executive Tabletop

This is the high-level, strategic session for your Board and/or Executive leadership team. The scenario here focuses less on the technical details and more on the big-picture business decisions. The conversation revolves around questions like: 

  • Do we pay the ransom? What are the legal and ethical implications? What if we are dealing with a sanctioned attacker?   
  • What is our communication strategy for customers, the media, and regulators? 
  • What is the threshold for notifying our cyber insurance provider and legal counsel? 
  • Would this impact our stock price, brand reputation, and shareholder trust?

Technical Tabletop

This is where the IT and security teams roll up their sleeves. This exercise dives deep into the operational and tactical details of the incident response plan and supporting playbooks. The questions get much more granular in these exercises: 

  • How do we isolate affected network segments? 
  • What is our process for preserving evidence for forensic analysis? 
  • How do we validate that our backups are clean before initiating a restore? 
  • Which team members are responsible for incident triage, containing a host, and notifying technical leadership?

It is quite common, and often recommended, to perform both types of tabletops within a defined period, with the Technical tabletop scheduled ahead of the Executive tabletop, so that the outcomes of the technical exercise can help inform what Executives will have to navigate and critically think through.

Common Gaps and Recommendations

A well-constructed exercise and post-exercise after-action report will often uncover gaps in processes or response protocols. Some of the most common recommendations that emerge from a tabletop exercise include:

  • Updating the Incident Response Plan: Key contacts are often outdated, people have left the company, or phone numbers have changed.
  • Clarifying Communication Channels: The plan might say "notify legal," but it doesn't specify how, or who the primary and secondary contacts are. 
  • Defining Decision-Making Authority: It’s often unclear who has the final say on critical actions, like taking a customer-facing system offline. 
  • Identifying Technical Gaps: The team might realize they lack necessary logging capabilities or the forensic tools needed to investigate effectively. 
  • Aligning with Third Parties: There is often misalignment on when to engage external partners like cyber insurance, outside legal counsel, or PR firms.

While performing tabletop exercises on a regular basis is now considered a foundational activity, some more heavily regulated industries also strongly encourage the use of these exercises as a way of testing plans and resiliency capabilities. Two regulatory examples from the financial services sector in the US and Canada are the New York Department of Financial Services (NYDFS) Part 500 and OSFI's Guideline B-13 for Canadian federally regulated financial institutions, respectively.

Ultimately, a tabletop exercise is a safe space to fail. It shines a light on assumptions and unspoken expectations, turning a paper plan into a living, breathing strategy that an organization can execute with confidence. It transforms potential chaos into a practiced, controlled response, and in the world of incident response, that can make the difference between a cyber event and a cyber breach.

Contact Arctiq to learn more about how to implement Tabletop Exercises into your security preparedness plan. 

Post by Neil Karan
November 13, 2025
With more than 18 years of experience, Neil Karan has helped organizations build strategically defensible programs and architectures across various industries in the United States, Canada, EMEA, and APAC, with a primary focus on the retail, banking, and energy/utilities sectors.