How to Build a Robust Tabletop Exercise
Welcome Back! If you read our blog, “What is an IT Tabletop Exercise”, then you should be ready for part 2. Join us as we break down how to build an effective tabletop exercise using 3 digestible phases.
Time to turn those lemons into lemonade. And depending on your industry, conducting a tabletop exercise at least annually is a requirement. If you’re not new to the Incident Response Methodology, you’re familiar with the steps: Preparation / Detection and Analysis / Containment, Eradication, and Recovery / Post-Incident Activity. Building on these principles, we will break your plan down into 3 phases: Construct, Immerse, and Review.
This first phase is arguably the most important because proper planning of the exercise will lead to the most effective performance in the Immerse phase and allow for a more streamlined review. The Construct phase defines the objectives and expected outcomes of the exercise. This also involves selecting the right personnel to take part in the exercise. Here, it is essential to include key decision-makers, IT leads, and other key personnel that may be involved in managing an incident (Legal, Media, People Team, etc.).
This is also a good time to ask yourself preliminary questions to scope out the exercise. Here is a concise list for example:
Gather around everyone, it’s story time. For generations, humans have passed down experiences in this manner. However, these stories are made up in the hope they will never occur, and if they do, you will be ready. This is also where creativity can play a significant role, as you should avoid cut-and-dry Q&A. Instead, you should lean towards interactive activities that build trust and foster discussions. Typically, tabletop exercises are done in person, around a table, but we understand that many companies are remote these days, so a video conference call will work as well.
Ensure that there is an experienced facilitator present to proctor the exercise to uncover issues and valuable insights. It is also key to emphasize in this phase that there are no dumb questions. Unless someone asks, “How ‘bout them Cowboys?!” (That’s a football reference; I’ll bring it all full circle in the Review phase.) During the Immerse phase, you should be following the questions you laid out in the Construct phase, but be careful not to stick perfectly to the script, because in a real-life emergency curveballs will be thrown. *Sigh* If only hackers stuck to the plan, cybersecurity would be a lot easier. And that brings me to my next point: do not make the exercise a softball. These exercises should be rigorous to be truly effective.
Lastly, you will want to have someone in the group dedicated to taking notes; if you are on a video call, recording the exercise is also a great way to track issues, lessons, gaps, and parking-lot items (these are captured to avoid the impending rabbit hole). Be sure the note taker is keeping track of key decisions as they unfold so they can be discussed in real time. There is nothing wrong with having a devil’s advocate on the scene to question judgments to ensure each choice is made with the goals and objectives in mind.
Okay, Cowboys fan, you can come back now; we need you. The outsider is curious, asking, “How’d the team do?” And the team rejoiced as they came to realize how much they had learned. Now it is time to huddle up and review their performance during the exercise. This is where the notes come in handy, or in this analogy, we’ll call it the Play Sheet. Ask yourself, “Where at each point in the drill could we have made an improvement?”
Next, take what you learned and put it into a comprehensive short-term plan that covers the easiest, most obvious tasks first to improve your Incident Response procedures. These are known as your lessons learned. You will also want to supply your team with the Play Sheet that summarizes the exercise, with the improvements added to boost continued learning. This is a shared resource for all employees: everyone in your organization has a part in protecting your infrastructure, so everyone should know their role in case of an incident and be trained accordingly.
BREAK! Now it’s time for you to put what you’ve learned into action. No Hail Marys please, just short throws down the field until you’ve scored.
For more information speak with a QoS consultant today, sales@qosconsultingsolutions.com, or reach out through our contact form on our website, www.qosconsultingsolutions.com.
Michael Joe is a Security Consultant and blog writer at QoS Consulting Solutions, author of several captivating works on our website. Michael graduated from the College of Charleston in South Carolina with a Bachelor of Arts degree in Communication and with Latin Honors: Cum Laude. Michael’s passion for spreading awareness and knowledge of information technologies and cybersecurity is evident in his unique voice and writing style. As you noticed in his work, Michael’s storytelling and humor have a way of grasping the reader in a way few technology-focused blogs have done. Michael’s aim is to educate and entertain to change the way people perceive IT literature: Moving it away from a hyper-focus on so called “geeks”, towards the greater public. Cybersecurity is for EVERYONE, not just the techies in the trenches! Michael was expertly trained in the art of cybersecurity consulting.