I have been conducting a lot of tabletop exercises lately, so it seems timely to mention the concept now for those who many not know what they are or how to get one scheduled for your organization.

What is a tabletop exercise and why is it relevant to your business? I am not sure who originally coined the phrase, but we have been conducting them for over a decade. They are quite informative, and teams at companies find them to be very instructive on how to prepare for and respond to a security incident. I have never walked out of a tabletop exercise without a to do list for me and the incident response team. It’s always a great experience.

If you are thinking about putting one together, there are a couple of things you may wish to consider:

  • Get your incident response team in place first. Know who is on it, what their roles are and have a kick-off meeting to discuss roles and responsibilities before you conduct the tabletop.
  • Bring in an outside consultant to assist—that way the scenarios are unknown to the team and they can’t prepare. This makes the session more genuine, since you can’t prepare for an actual incident and the facts are always different.
  • Include legal counsel in the tabletop as legal counsel serves a crucial role in incident response. Counsel provides advice from start to finish and must be involved—to discuss the importance of what can be included in discovery in the event of litigation following the incident, mistakes that have been made in the past that can be avoided, what laws and regulations are applicable depending on the circumstances, timing of including law enforcement, insurance questions and attorney-client privilege.
  • Use real life scenarios that capture the biggest vulnerabilities of the organization. The whole point of a tabletop is to prepare for the real incident. Try to determine scenarios that are most relevant to the organization’s risks so the preparation is most valuable.
  • Consider a half-day session instead of just an hour. It is very hard to really delve into all of the issues that come up during an incident in a short amount of time. I find that half-day sessions, where the team can grapple with several scenarios is the most effective.
  • Use scenarios that compromise different types of data within the organization and are caused by different threat vectors. The response may be different if it is employee data rather than customer or vendor data.
  • Keep a to-do list throughout the session so at the end of the session everyone on the team knows what their follow-up items are and a timeline for getting them done before the next session.
  • Start with one session. Just start. Then you can schedule additional sessions going forward. Most companies have at least one session annually, but I find that once you complete one session, additional sessions are scheduled for the next year biannually or quarterly as the team finds it so valuable and informative.

Just like testing your back-up plan is essential to respond to a ransomware attack [view related post], testing your incident response team is important to practice for an incident so the team is prepared and everyone understands what their roles and responsibilities are when it happens. As I always say to clients–it is no different than a sports team (say, the Boston Red Sox) practicing before games so they can win the World Series. Companies that practice incident response do much better when the real thing happens.