The Bedel Security Blog

Adding Perspective to Tabletop Exercises

Written by Brian Petzold | Dec 1, 2023

 

 

Your institution likely performs periodic incident response tabletop exercises to help ensure you are ready when an incident occurs. At the beginning, the participants of the exercises were likely the members of the incident response team and perhaps a few other key employees to add business context. The team walked through a scenario, trying to imagine what decisions they would make in the presented situation. By doing this, you were able to work out many of the basic kinks in their incident response armor. But as the incident response program matured, the tabletop exercises became repetitive and less effective in uncovering problem areas. What can you do to make the exercises educational again?

The key to keeping tabletop exercises fresh is to include fresh perspectives. Consider inviting new people to participate in the exercises. These people may include:

  • Different Employees: Your employees come from a diverse universe of experience, so consider adding others to the exercise and encourage them to speak up when they see a problem in the thought process. Seek out employees who have hands-on expertise in areas that may be impacted by the scenario, as they can often point out flaws in the plan that others missed. Also seek out employees who have experience with actual incidents in their past, as they will be able to add an element of reality.

  • Upper Management: If your CEO and others in senior management are not currently participating in tabletop exercises, consider inviting them. Doing so will often help to clarify roles and responsibilities, especially when faced with questions like “Who has the authority to decide to shut down the network?”

  • Board Members: Inviting board members can be beneficial, especially when it comes time to discuss who should make major decisions. While your CEO may assume they would never pay a ransom to an attacker, a board member may look at the situation differently and state that there are situations where they would have to consider doing so.

  • Cyber Insurance Providers: When an actual incident occurs, your cyber insurance provider will have a major influence on decision-making, so their input during a tabletop exercise can be invaluable and often leads to changes in the plan.

  • Cyber Security Partners: If you have a company providing monitoring and response services, including them in the tabletop exercise can result in many technical questions that might have been missed otherwise.

  • Legal Providers: Including a legal perspective in a tabletop exercise makes it more realistic, especially when it comes to questions regarding what should be communicated outside the organization.

 

If you need assistance with your tabletop exercises or building an incident response program, we can help! Please contact us at support@bedelsecurity.com