What is a tabletop exercise?
A tabletop exercise is a simulated incident that is solved by leaders across your organization over a few hours of team building. It serves as a self-audit that translates to findings and action items that will strengthen your organization and build your team against a real-life incident.
Why do I need a tabletop exercise?
What does a tabletop exercise look like?
How do I create a tabletop exercise?
What is wrong with learning from a live incident instead?
How do I apply the results of a tabletop exercise?
You need a tabletop exercise to prepare for an incident with leaders across your organization.
Tabletop exercises are an inexpensive way to self-audit every department of your company at once. By attempting to investigate and remediate an incident, your team must explore weaknesses in your technology and business.
You may have a hard time building a culture of cybersecurity because, to many, the topic is not engaging. A tabletop session is, in some ways, a realistic escape room. While it is a serious business exercise, it is also mentally simulating and engaging to those who enjoy problem solving. Most teams who complete a tabletop session will find that their department leaders are more interested and engaged in cybersecurity ongoing.
You, your team, your customers and the destiny of your brand will benefit from being prepared for an incident. The best way to plan for an incident and to refine your incident response document is to execute a tabletop session.
Every department of your company can have a role in your security plan and program. A tabletop session allows department leads to identify tools, controls, programs, processes and other improvements that will allow their teams to better service customers, build stronger products, negotiate smarter contracts and bring forward a culture of cyber-awareness across employees.
A tabletop exercise typically contains a PowerPoint presentation that contains a play-by-play of a customized incident for your team to respond to, a facilitators guide, a participant guide and a findings report template.
To create a tabletop session, you begin by selecting an applicable incident scenario, the duration of the session and the participants. Executive-level support is helpful in gaining support for resources and participation.
You will select participants for your tabletop exercise to mirror those that will be on your incident response team. It is important to ask the founders of your company to determine the involvement that they wish to have in an incident. Next, include business function leaders that are required to make critical decisions for your product, customers, communication, business continuity and remediation. Also, make sure that you have identified those that are able to assist, should a member of the incident response team be unavailable.
It is possible that you will find additional people who are needed as an outcome of the simulation.
The challenging nature of an incident is that they often expose holes in your environment, or technical and business concepts that you have not seen in the past. VioletX designs incident scenarios for businesses that are both technical and realistic. This helps teams to respond to the unexpected.
To design your own incident, it is important to have an ``hour-by-hour`` unfolding of events. An incident often consists of multiple actions by a bad actor. Your team will respond to each as the incident unfolds.
Select a moderator to lead the meeting. Select a person to document the session. Determine who will create a findings report and action items for your team.
You will learn from a live incident; however, for the best outcomes, you will benefit from being prepared. Preparing an incident response plan is often a requirement of government regulations, industry certifications and customer contract contingencies.
An example of the handicap of learning within the incident is in the case where your environment has been breached by a bad actor. Your Slack channel, email and other communication tools may be monitored. The bad actor will have as much live information, in that case, as yourself and your team. This will allow them to stay ahead of your team as you attempt to overcome the incident.
A bad actor may be traceable with the correct logging, but you were not aware of the best practices needed to capture this data. This example would result in a missed opportunity to identify the actor in the breach, which could expedite your incident response investigation and allow you to quick restrict access and take appropriate steps with the individual.
A tabletop session and incident response plan will find examples like these, which will allow you to maintain seniority during an active event.
Following a tabletop session, you will have detailed notes that summarize gaps like enterprise knowledge, processes and procedures. Action items will be created that assign open items to individuals, departments and cross-functional groups.
Action items will likely be relevant to both information security and departmental strategy. Participants and cross-functional teams will integrate and priorities findings based on urgency, budget, available resources and impact. Individuals may prioritize independently, or seek guidance on the importance and urgency of each finding.
Items related to your enterprise information security and incident response plans may be co-managed by your information security lead or team with executive support.