When is the last time your organization conducted a cyber security tabletop exercise?


Cyber security teams are busy monitoring and responding to attacks against your organization’s information technology infrastructure. Should you still be conducting tabletop exercises? The answer is yes, of course you should. Although some teams seem to be in response mode on a regular basis, its still imperative that the cross-functional, wider response team works closely with the cyber response teams in order to coordinate response efforts. There are very important crisis response activities that the cross-functional crisis management team can start to prepare for early on in the unfolding situation. Even if the situation turns out not to be a crisis, activating and preparing the crisis management team has more pluses than minuses.


An essential element of scenario design is to ensure unity

Let’s face it, there are some leaders who will challenge your scenario no matter how much time and effort you put into it. That being said, you need to set some expectations before you get started with designing the scenario. Determine who’s going to lead the design of the scenario and who will support that person. There might be a larger group if it’s a large exercise. Ensure key stakeholders understand the overall goals of the cyber security tabletop exercise and that they agree with them before you start the process. Detailed discussions and even disagreements are healthy and expected during the exercise.  In fact, one of the reasons we do exercises is to iron out potential pitfalls before they happen for real.


This second tip applies to every tabletop exercise…

If you read our exercise blogs and listen to our podcasts you will have heard us talk about creating exercise objectives. Cyber security-focused tabletop exercises should be no different. Why are you doing the exercise, and what can you realistically achieve based on the timeframe and audience that will be involved? Here’s a sample set of objectives you may want to modify for your next cyber exercise:

  • Work through a heightened simulated scenario that validates team member’s roles and responsibilities
  • Exercise Management capabilities for responding to a cyber event that has escalated to a level requiring multiple stakeholder communications, human capital management, and efficient decision making
  • Identify improvements to the playbooks
  • Ensure centralized, timely and consistent management of cybersecurity incidents
  • Minimize the adverse impact of a cybersecurity incident on business operations
  • Restore normal service operations as quickly as possible
  • Evolve the Enterprise foundation of awareness, continuous improvement and future growth


Related:  Ransomware Attacks on School Districts

You’ve determined your exercise objectives, you’ve set expectations and started to design the scenario, you’ve even sent out the tabletop exercise invite to the cross-functional team along with a video that provides background on the session.  Now what?  Prepare your equipment, get the technology ready and make sure you check the room(s) before the exercise. We’ve seen very good scenarios for cyber security tabletop exercises go to waste because basic logistics were neglected. Here’s a blog with a list of what you should consider for tabletop exercise logistics:

19 Things We Do When Preparing for a Tabletop Exercise


Finally, this is the main reason you should be doing cyber security tabletop exercises in the first place:

The evaluation of all your exercises is essential in order to improve your cyber security preparedness capabilities. Do you have an existing evaluation criteria that you assess your cyber security tabletop exercises against? Is there a standard that you follow in terms of best practices? If not, consider creating one so that all your exercises and real events can be assessed in order to improve on them each time.  We call this benchmarking. The following is one part of a section from a benchmarking standard that we created to evaluate multiple facilities for a client. As you can see, this section is with regards to the Emergency Operations Center capabilities:




When you start to organize your next cyber security tabletop exercise, make sure you eliminate any possibilities that may cause it to fail. Consider the engagement of the audience and ensure that the exercise objectives are achievable and measurable. Never forget to test your equipment and validate that you have the relevant logistical resources in place. Also, don’t forget to create an evaluation criteria so that you can measure the effectiveness of the exercise. Finally, to make the exercise memorable, don’t hesitate to inject some enthusiasm and fun into the session.

Rob Burton

Rob Burton

Rob is a Principal at PreparedEx where he manages a team of crisis preparedness professionals and has over 20 years of experience preparing for and responding to crises. Part of his leadership role includes assisting PreparedEx clients in designing, implementing and evaluating crisis, emergency, security and business continuity management programs. During his career Rob has worked for the US State Department’s Anti-Terrorism Assistance Program, as a crisis management consultant in Pakistan and Afghanistan where he negotiated with the UN and Pashtun tribal warlords and he served with the United Kingdom Special Forces where he operated internationally under hazardous covert and confidential conditions. Rob was also part of a disciplined and prestigious unit The Grenadier Guards where he served Her Majesty Queen Elizabeth II at the Royal Palaces in London. Rob was a highly trained and experienced infantryman serving in Desert Storm and commanded covert operational teams and was a sniper. Rob has keynoted disaster recovery conferences and participated in live debates on FOX News regarding complex security requirements and terrorism. Rob has a Queen’s Commendation for Bravery.