Top 6 Mistakes in Incident Response Tabletop Exercises

An incident response tabletop exercise is a discussion-based practice that uses a hypothetical situation to coach a technical or executive audience through the cybersecurity incident response life cycle. During the exercise, you don't alter any technical controls nor introduce malware into the IT environment. Nevertheless, you must tailor the tabletop exercise to your organization's technical environment, industry, sector, and business objectives.

Due to the discussion-based nature, most organizations consider a tabletop exercise to be a relatively easy training session that consists of a long conversation while looking at PowerPoint slides. However, if it's not performed properly, it can be easy to lose the efficiency and value a tabletop exercise can provide.

6 Common Tabletop Exercise Mistakes

The following are six of the most common mistakes organizations make when doing incident response tabletop exercises.

Not taking a social approach. Most tabletop exercises involve between eight and 25 people. If the facilitator enables only one or two technical leaders to speak, it quickly becomes a two- or four-hour lecture, rather than a training. No one wants to be talked at for hours on end; the words go in one ear and out the other. A discussion-based approach can help ensure efficiency, but solely conversing about the current threat is where more tabletop exercises fall short.

Instead, build a social approach into your tabletop exercise and related materials. Encourage all participants to begin each discussion by brainstorming out loud, then collaborating and debating the ideas, and finally making decisions about the incident response plan — which might be deciding it's best to take no action at this time.

Not varying the participants. Another mistake many organizations make is including the exact same people in every tabletop exercise. There can be a lot of value in adding different teams or stakeholders for different scenarios. For example, I recently hosted a tabletop exercise that included an organization's board of directors so that they could make appropriate-level decisions and insights on the new SEC disclosure requirements. Tabletop exercises can speak to a lot of different cybersecurity-related risks, such as financial loss, legal impacts, and reputation.

Facilitators can make the exercise multidimensional by introducing the business impacts of cybersecurity incidents. For example, when facilitating a ransomware scenario with an executive audience, I try to address the organization's ability to make payroll (a problem that was recently observed in ransomware attacks against resorts and casinos), a legitimate issue that many organizations may face. This highlights ransomware's operational impacts and risks and gets the finance team more involved. Another example is inviting legal and human resources professionals to provide input for insider threat scenarios, which have multiple potential damage or risk dimensions.

Repeatedly using the same scenario threat type. For the past few years, organizations have most often focused on ransomware scenarios in both technical and executive tabletops. But there are many other focus areas that can be evaluated in a tabletop exercise.

Changing the threat type can help an organization be more robust, well-rounded, and resilient. If an organization is prepared for a malware incident but not an insider threat-related data breach, it remains vulnerable to various threats.

Choosing a "doomsday" scenario. Some tabletop exercises don't adequately gauge the scenario's impact and exaggerate the potential damage. The scenario needs to feel realistic but not be so horrible that participants feel helpless and defeated. This dampens the value of cybersecurity training, making people never want to do a tabletop exercise ever again.

The tabletop exercise should be fun, entertaining at times, and continually motivating. The scenario must be shocking enough to provide insight and challenge participants but not impossible to overcome.

Not implementing the lessons learned. When an organization doesn't implement the recommendations from a tabletop exercise, nearly the same exact lessons learned will come up in the next tabletop exercise. That makes the entire exercise almost wasteful of people's time.

A tabletop exercise can identify significant areas of opportunity. Always have at least one notetaker to scribe the brainstorming, collaboration, and decisions made during the exercise. Compare those notes to the lessons learned, best practices, and priorities for putting them into action and maturing the organization's cyber resilience.

Not scoping the exercise and expectations correctly. The last mistake many leaders make is expecting the tabletop exercise to identify all the problems or vulnerabilities in an environment. Because the tabletop exercise is based on one scenario, it can reveal risks and vulnerabilities associated with that specific threat type.

While different threat types have some common vulnerabilities and risks, different scenarios will uncover different weaknesses across people, skill sets, technology, and policies, depending upon the audience.

This is another reason it's important to change the scenario focus for each tabletop exercise: It gives the team safe, realistic exposures to the variety of threats they are working diligently every day to protect the business from.