When creating a cybersecurity tabletop exercise to validate the organizations ability to respond and manage a cybersecurity incident, consider the following three exercise goals.
- Validate Leadership Decision-Making
One of the most important functions of a leader in a crisis is to stabilize the situation as much as possible. A very important aspect of crisis leadership at the start of the response is the ability to identify and take steps that will limit the damage already caused and contain it, so that subsequent activities have a firm basis.
Ensure your cybersecurity exercise creates situations whereby the crisis leadership team are required to make decisions based on the simulated scenario. The timeline might be unrealistic and key decisions might take longer during an actual cyber-attack. Just ensure exercise participants are aware that the timeline is compressed. There are usually plenty of situations where decision-making opportunities can be introduced into a tabletop exercise.
Chaos will reign as a crisis evolves and the leader’s primary role initially is to demonstrate calmness, authority and determination.
- Involve Critical Stakeholders
Do you know who the critical stakeholders are during a cybersecurity incident that impacts your organization? Have you been through the process of determining who owns the various relationships and what messages are conveyed to those stakeholders and when during the incident? An exercise can answer these questions and help create better awareness throughout the organization with respect to stakeholder management. Some of the stakeholders might be specific to certain types of cyber related events and others could be common in any incident.
During the planning phase of exercise design, you can ask yourself which critical stakeholders should be involved in the exercise based on your objectives. Try not to make the exercise too complex if it’s the first time you’re discussing stakeholders. It is also a good idea that a scribe be tasked with documenting the stakeholders and who owns the relationships. This list will need to be updated regularly and should be readily available during an incident.
- Practice Situational Awareness
As defined in this previous blog post “SA is the concept of developing the ability to observe your environment, orientate to rapid changes, and make decisions and act upon those decisions at a quick pace during high-tempo operations”
Situational Awareness can be difficult to achieve in exercises, as we are in “game mode”, and participants can switch off if they’re not engaged. One tactic that can be used to validate SA is by splitting the participants up as part of the exercise play, and then bringing them back together after introducing different details to each group during the breakout sessions. Listen to each group briefing back to the leadership team to see if all details are provided as well as their recommended actions. Another tactic is to have a SimCell that role plays various stakeholders including internal groups. If the crisis teams doesn’t call the SimCell to report to those stakeholders, then SA has not been fully achieve.
Also see item 7 in this podcast show notes – https://preparedex.com/preparedex-podcast-episode-5-10-common-crisis-management-challenges/