Desk of a CISO: Why Tabletop Exercises are Crucial for Your Incident Response Plan

September 19, 2023
Education, IT Security

Desk of a CISO Banner

Written by US Signal's CISO, Trevor Bidle

The Art of Preparation: Why Tabletop Exercises are Crucial for Your Incident Response Plan

Hot on the heels of last month's blog post on the essentiality of an Incident Response (IR) plan, today we're diving into why it's not enough just to have a plan. You need to test it. Let's explore how tabletop exercises are an invaluable part of this process.

The Value of Testing

Testing your IR plan ensures alignment between assumptions, expectations, and real-world execution. It helps company leaders understand their roles and uncovers any gaps—before a real incident throws them into the deep end.

Who's at the Table?

It might be tempting to focus these exercises on your technical teams. My recommendation leans towards involving senior leadership, especially if you're only running these tests annually. By doing so, you'll be better prepared for scenarios that could have a significant impact on the business.

Suggested participants include:

  • CEO, President, COO, CFO
  • VP of Legal, VP of HR, VP of Marketing
  • Line of business leaders
  • A facilitator and a note-keeper


Going Beyond the Norm

An effective tabletop exercise challenges participants with out-of-the-box scenarios and difficult decisions. From swapping roles to updating contact information, the exercise aims to make your IR plan a living document that evolves with your business needs. The following are sample scenarios for use in a tabletop exercise.

Scenario 1: Ransomware Attack on Manufacturing Systems

Situation: The organization's key manufacturing systems are infected with ransomware, affecting the ability to fulfill urgent orders.

Key Decisions:

  • When should this be declared a security incident?
  • Who determines if the company should involve law enforcement?
  • When should cyber insurance be contacted, and by whom? (Is the # within the I plan?)
  • Are customer contracts affected? If so, what is the obligation towards them?
  • Media has started calling the company as they heard about the ransomware attack. Who should talk with the media? Who drafts any public statements? What should be publicly shared?

Scenario 2: Insider Data Theft

Situation: A high-ranking engineering leader is discovered to have stolen proprietary designs and is planning to resign.

Key Decisions:

  • Is this a data breach or just a security incident?
  • Should law enforcement be contacted, and if so, who should contact law enforcement?
  • Are there any industry regulations that mandate notification?
  • Should your insurance carrier be notified, who should call, and is the number in the IRP?

Scenario 3: Unauthorized Access to Financial Records

Situation: An audit reveals that an outside contractor had unauthorized access to sensitive financial data of customers.

Key Decisions:

  • At what point does this become a data breach?
  • What are the legal obligations regarding disclosure?
  • Should cyber insurance be notified?

Scenario 4: Supply Chain Compromise

Situation: You received notice that critical software used in your billing process has been compromised in a third-party supply chain attack, affecting the integrity of the company's ERP platform. The COO had surgery and is not available to assist with decision-making.

Key Decisions:

  • Should any operations be halted?
  • At what stage should this be declared a security incident?
  • Are regulators in the automotive industry to be notified?
  • When to contact legal for contractual obligations?

Scenario 5: Phishing Attack Resulting in PHI Exposure

Situation: A successful phishing attack of the company’s benefits coordinator results in unauthorized access to a database containing employees' and dependents' personally identifiable information (PII) and health records.

Key Decisions:

  • When do you declare an attack as a security incident vs. a data breach? Who should make this decision?
  • What are the compliance requirements, particularly if you have employees subject to different state laws?
  • When should cyber insurance be involved, and who makes that call?
  • Should outside counsel be engaged?


Communication is Everything

A well-executed IR plan is all about clear lines of communication and accountability. The contact information for key personnel and third parties should be at everyone's fingertips. And don't forget—crisis communication may even warrant its own separate plan.

Time is of the Essence

Remember: laws and regulations around cybersecurity and data breaches are increasingly strict on reporting timelines. Effective tabletop exercises help you identify and refine the key decision points that could save you precious time when it counts.

Adding a Fun Element

For those looking to elevate their tabletop exercises, consider investing in card decks like Backdoors & Breaches by Black Hills Information Security. They add an unscripted, evolving layer to your exercises, keeping everyone engaged.

What About the Tech Teams?

While senior leadership focuses on the big picture, don't neglect tactical tabletops for your IT, Security, and Engineering teams. Dive deep into the technicalities—logging, detection, forensics, and alerting—to ensure everyone knows their role inside and out.

Closing Thoughts

Tabletop exercises are more than just a dry run. They're a rehearsal for reality. Done right, they not only prepare your organization for the worst. They also minimize downtime and reputational damage. So, why leave anything to chance?

Meet Our CISO