The Rundown
A tabletop exercise assesses a business’s ability to respond to emergencies. By having the response team work through a simulated emergency presented by a facilitator, a tabletop exercise tests the effectiveness of incident response plans (IRPs) and business continuity and disaster recovery (BCDR) plans.
What Are Tabletop Exercises?
Don’t worry: a “tabletop exercise” doesn’t require a sweatband or burpees. But if you’re a Dungeons & Dragons fan, you’re in luck: there is some role-playing involved.
A tabletop exercise is a facilitator-led activity that tests a business’s ability to respond to emergencies, like natural disasters (a hurricane that floods your office) or cybersecurity incidents (an employee clicked a link in a phishing email and never told anyone).
Before planning a tabletop exercise, you should already have a formally documented IRP and/or BCDR plan that outlines roles, responsibilities, and workflows.
Goals of a Tabletop Exercise
Tabletop exercises have multiple goals:
- Evaluate the effectiveness of an established IRP and/or BCDR plan
- Assess your response team’s familiarity with their roles and responsibilities
- Document plan effectiveness for compliance or regulatory reasons
At the end of the day, tabletop exercises should answer the question: “If there were an emergency scenario today, could we handle it? Do our current plans cover everything needed accurately and effectively?”
Exercise Participants
Tabletop exercises should involve a facilitator, a notetaker, and most or all members of the response team (including—if applicable—a representative from your IT partner or MSP).
Facilitators are typically third-party security professionals who can provide industry insights and neutral observations. However, it is possible to run internal tabletop exercises with an in-house team member designing a scenario, guiding the discussion, and noting areas for improvement.
A notetaker ensures you have a complete record of what went right, what could have gone better, and how the response team communicated with one another. You can also use meeting recording software and/or an AI notetaker to fulfill the mechanics of this role, with the facilitator providing analysis after the session.
There’s no tabletop exercise without the members of your response team. Ideally, all members would be able to join. If someone is missing, you can designate an alternate or weave their absence into your scenario. (For instance, if your CFO can’t join the exercise, test how you would respond to a cyber incident with financial implications if your CFO were unreachable.) The members of your response team should be outlined in your IRP and/or BCDR plan. Response teams typically include representation from executive leadership, IT, legal, HR, and communications.
About the Participant Experience
Tabletop exercises can take place virtually or in person and usually last between 1 and 3 hours. Response team members are expected to be familiar with the organization’s IRP and BCDR plans and their associated roles and responsibilities.
The facilitator will present the group with one or more emergency scenarios (maybe even a fun one). Based on your policy documents, your response team will role-play the resulting actions they would take to inform stakeholders, understand the scope of the incident, minimize the impact to the business, and recover from the scenario.
Throughout the session, the facilitator will introduce new information or developments that the response team will have to adapt to in real time. The exercise will move through all phases of an incident, from initial detection and analysis through containment, eradication, recovery, and post-incident review.
After the Tabletop Exercise
Analyzing what happened during a tabletop exercise is a vital part of the process. Sessions should include time for reflective discussions. After the activity, the facilitator should provide a written document summarizing the exercise, its results, lessons learned, and recommended improvements.
Assuming the tabletop exercise had positive outcomes—that is, an effective IRP/BCDR plan and acceptable responses from the response team—this post-exercise report can be archived to comply with regulatory requirements. (And if the outcome was less than stellar? We suggest making major improvements, then running another session.)
Because threats change continuously, tabletop exercises should be run at least annually to ensure your policies remain current.
How Outpost Can Help
Our security specialists can run tailored tabletop exercises to test your incident response, business continuity, and disaster recovery plans. Our engagements include full documentation of the exercise, what we learned, and short- and long-term recommendations for improvement. You can request more information by connecting with our team.
