A tabletop exercise can validate your Incident Response Plan but conducting an effective tabletop with your Information Security Team and C-suite leadership may be difficult to do on your own.
Maybe you’ve done your research, found free tabletop exercise scenarios and guides you’d like to implement or modify to your own security needs. You may be tempted to conduct a tabletop exercise on your own, with your team. This is totally fine! Go for it. Better to try than to not try to prepare for an incident.
Based on our own experience, a third-party facilitator can bring more value than someone’s tabletop exercise slide deck downloaded from the internet.
Without a Facilitator
When attempting to conduct a tabletop exercise on your own, you may run into the following situations:
You may experience difficulty staying organized.
Conducting a tabletop exercise can be difficult. Tabletops involve multiple people, and there are many components of your Incident Response Plan you may wish to validate and practice your team response. Endless possibilities and tabletop scenarios may cause you to feel overwhelmed with the task at hand.
You may be inefficient with your time.
Your time, your Information Security Team’s time, C-suite time. Not only are you using your own work time to focus on developing and delivering a tabletop exercise when you could be focusing on the improvement of your security posture, but you may also find it difficult to reach your tabletop exercise objective for a number of reasons. These reasons we discuss above and below.
You may be bogged down in unnecessary discussions and details.
Not everyone on your team may have the same knowledge of your Incident Response Plan, and not everyone may be fully aware of his/her role and responsibilities when an incident does occur. Rather than practicing team response, your team may become bogged down in discussion, fruitful or not. When you put many people together in the same room, personalities and ideas tend to interfere with the exercise and objective at hand.
It may be difficult to arrive at conclusions, what was done right or what needs to be improved.
If your team does find itself in discussion, the takeaways from that discussion and the exercise itself may not be summarized properly. By being involved in the tabletop yourself, you might not have the bigger picture of what was actions were effective and what needs to be improved in your incident response. When conducted without a facilitator, the tabletop may turn into a large meeting, where details are discussed but takeaways and action points become absent.
Your preconceptions may influence your approach to a tabletop exercise, skewing your ability to evaluate and detect deficiencies in your people, processes, and technology.
As a security team leader, you have pre-existing knowledge of your company’s cyber defense mechanisms and the Incident Response Plan. This affects how you may approach assessing and validating your team’s response. Because you are part of your own organization, you may experience oversight in uncovering deficiencies or gaps in your response as well. What you think may be effective or ineffective in your response, even your tabletop objective, could cause you to not tackle the most critical aspects of your preparedness and ability to respond that an outsider may observe.
With a Facilitator
When conducting a tabletop with a facilitator, you can experience all the benefits and none of the stress of managing the exercise:
You can draw on external expertise.
While your preconceptions may influence your approach to the tabletop, the expert evaluates your Incident Response Plan with fresh eyes and from a fresh angle. You can now also be part of the exercise, practicing your own incident response responsibilities.
The facilitator is also an experienced professional, able to guide interdepartmental participant groups of various sizes, demonstrating security threats and trends knowledge specific to your vertical. You can be sure your tabletop will be focused and effective.
You receive custom developed scenarios.
Instead of developing your own scenarios or using slides you found and modified from the internet, a facilitator gets to know you, your business in the scope of the industry, and your technology. The entire exercise is tailored to organization and your existing people, processes, and technology.
You are guided through the exercise to keep the pace and enable communication.
With a facilitator, your team keeps on pace and is guided through the discussion, avoiding rabbit-holes and staying focused on main activities/objectives. An outside expert is able to command the room and inspire conversations that will benefit your organization and your Incident Response Plan.
You realize cost savings – better product with less time spent on your side.
Need we say more? Using your work, or even personal, hours will not yield a better experience or result than a facilitated tabletop exercise. It’s real-life response practice, tailored to your business with applicable and effective action items.
The tabletop exercise is tailored to your organization and your team.
No tabletop is one-size fits all. Every organization and team may face different threats depending on the industry and the environment. The exercise will be tailored to your existing team, processes, and technology. When your organization experiences a change in any of these three areas, your exercise will reflect those changes next time around. Tabletops are meant to evolve with the organization and its environment.
You gain insights into industry-wide attack/breach trends.
Because a tabletop facilitator’s role is to conduct these exercises across organizations of different shapes and sizes, the facilitator will have insights only known to someone interacting in this broad terrain. Your team may stay up to date on threat intel and groundbreaking news on breaches, but a facilitator provides a comprehensive point of view that you can’t get anywhere else.
You’ll have objective confirmation/validation of your IR Plan effectiveness.
Objectivity is key. By removing yourself from the exercise planning process, you’ll have an unbiased and non-skewed view of your response effectiveness and effectiveness of the plan itself. A facilitated exercise provides the confirmation you’re after, while a self-conducted tabletop may build further doubts and result in undue concerns.
You will receive documented observations with recommendations.
Walk away from your tabletop exercise with action items and real improvement to your Incident Response Plan. The facilitator will provide observations and recommendations to improve your security incident response and even your security posture. Through a keen observation and note taking, your facilitator can identify areas for improvement and recommend next steps.
You can focus your work-time and energy on your daily issues and responsibilities.
Last but not least, you can dedicate your work-time to those daily issues and responsibilities. You can use your time to further improve of your security posture rather than becoming buried in brainstorming or administrative activities. Let the expert take the exercise of your already-very full plate.
Overall, an expert facilitator saves your organization effort and time by delivering a tabletop exercise the right way the first time, leading to action items and real results that you can use to improve your incident response plan.
Want more? Read...