A tabletop exercise (TTX) is a method to test the effectiveness of a cyber incident response plan (IRP) by simulating a cyber breach. To be most effective, it involves executives from all areas of the organization in conjunction with the cyber team.

A facilitator leads the participants through a fictional scenario that emulates what the participants would experience should a breach occur, including feedback to participants' actions. To draw an analogy to role-playing games, the facilitator would be the “game master” – not a participant, but a source of information.

The goal of the exercise is to identify both the weaknesses and the strengths of the IRP in order to improve its effectiveness. Because cyber threats are constantly evolving, the IRP needs to evolve as well; tabletop exercises help to keep it up to date with current threats.

We’ve had organizations say that there’s no point in conducting a tabletop exercise because they know their IRP is underdeveloped or undocumented (i.e. in someone’s head). From experience, we can assure you that this is the wrong way to think.

If a TTX completely invalidates an incident response plan, the exercise was successful. This may sound counter-intuitive, but ending the exercise with a hit list of what every department needs to do to better deal with whatever incident was being simulated is a great thing!

For example, what if the IRP handled the incident perfectly until the moderator says “Reporters are now at your office asking for a statement about the outage”? At that point, everyone around the table looks dumbfounded because no one ever thought they might have to deal with the press in the middle of an incident. It is for situations like this that executives from all departments need to be involved.

Regardless of the outcome of the TTX, it’s a valuable learning experience for executives and your cyber response team that will make your organization better.