In Cybersecurity Planning, Don’t Overlook the Value of Tabletop Exercises

Tabletop exercises are a powerful way to rehearse and refine incident response plans, but they’re often underutilized. Many organizations seem satisfied simply to have created an incident response playbook; they fail to understand that testing their plans is also essential. 

Tabletop exercises are like the fire drills we had back in school. Without that practice, an actual fire would have caused panic and chaos. A cybersecurity crisis can trigger the same reactions. But when staffers have had a chance to work through the playbook, they’re more likely to respond, calmly and effectively, “We know what we’re supposed to do.” That’s why one of the best things an organization can do for its IT team is to prepare for a security incident.

Incident response plans must be up to date to be useful, and tabletop exercises are a great tool for identifying gaps and outdated information. Most organizations change personnel and technology environments at some point after creating their playbooks and policies. These changes may not be documented in the playbook, so tabletop exercises will ensure an organization tests its plans against the current environment. 

In complex IT environments, especially, organizations must be specific about who will handle what, when and where. For instance, an outdated plan might call for a network administrator to pull logs from five tools, while the current IT environment has eight logs that need to be pulled. Further, the organization might have hired a second network administrator since creating a plan. The playbook needs to specify which administrator is responsible for which tasks to ensure they’re not duplicating some efforts while overlooking others. 

Plans also should be granular enough to minimize assumptions and interpretations. Tabletop exercises can shed light on areas where more details are needed. For example, a plan might say the network administrator needs to pull logs from certain tools without specifying what the next steps should be. Testing will identify these gaps and prompt the organization to address them.

Involving personnel from across an organization — from executives to HR staff — lets them see the process and understand what their role might be in a cybersecurity incident.

People may be thinking, “We have a virus, so let’s restore from a backup.” But the organization needs to go through a specific process to determine how the virus arrived, what damage it has caused and how long it’s been hiding in the network. Otherwise, the organization risks uploading a backup that has been infected. Similarly, if an outsider entered the network, the organization needs to know what the intruder did while inside and whether they left behind any malicious code that could be exploited later. 

Tabletop exercises help organizations develop thorough processes, and they ensure everyone understands the importance of prescribed incident response.

One approach that many organizations find valuable is to run an internal tabletop exercise annually and to bring in a partner that specializes in incident response. Threat vectors change so frequently that there may be something on the horizon that an organization’s IT team is not yet aware of. An outside expert can help ensure that an organization isn’t missing an opportunity for growth or overlooking anything critical.

Story by Mikela Lea, a principal field solution architect with CDW. She is a security engineer with 15 years of experience in technology and consultative sales, with an emphasis on security and e-commerce.