Top 6 Mistakes in Incident Response Tabletop Exercises

Avoid these errors to get the greatest value from your incident response training sessions.

Ryan René Rosado, Security Solution Architect, Trace3

October 17, 2023

4 Min Read
Cluttered tabletop with the words "Incident response" on a Post-it
Source: Vladislav Zaretskiy via Alamy Stock Photo

An incident response tabletop exercise is a discussion-based practice that uses a hypothetical situation to coach a technical or executive audience through the cybersecurity incident response life cycle. During the exercise, you don't alter any technical controls nor introduce malware into the IT environment. Nevertheless, you must tailor the tabletop exercise to your organization's technical environment, industry, sector, and business objectives.

Due to the discussion-based nature, most organizations consider a tabletop exercise to be a relatively easy training session that consists of a long conversation while looking at PowerPoint slides. However, if it's not performed properly, it can be easy to lose the efficiency and value a tabletop exercise can provide.

6 Common Tabletop Exercise Mistakes

The following are six of the most common mistakes organizations make when doing incident response tabletop exercises.

Not taking a social approach. Most tabletop exercises involve between eight and 25 people. If the facilitator enables only one or two technical leaders to speak, it quickly becomes a two- or four-hour lecture, rather than a training. No one wants to be talked at for hours on end; the words go in one ear and out the other. A discussion-based approach can help ensure efficiency, but solely conversing about the current threat is where more tabletop exercises fall short.

Instead, build a social approach into your tabletop exercise and related materials. Encourage all participants to begin each discussion by brainstorming out loud, then collaborating and debating the ideas, and finally making decisions about the incident response plan — which might be deciding it's best to take no action at this time.

Not varying the participants. Another mistake many organizations make is including the exact same people in every tabletop exercise. There can be a lot of value in adding different teams or stakeholders for different scenarios. For example, I recently hosted a tabletop exercise that included an organization's board of directors so that they could make appropriate-level decisions and insights on the new SEC disclosure requirements. Tabletop exercises can speak to a lot of different cybersecurity-related risks, such as financial loss, legal impacts, and reputation.

Facilitators can make the exercise multidimensional by introducing the business impacts of cybersecurity incidents. For example, when facilitating a ransomware scenario with an executive audience, I try to address the organization's ability to make payroll (a problem that was recently observed in ransomware attacks against resorts and casinos), a legitimate issue that many organizations may face. This highlights ransomware's operational impacts and risks and gets the finance team more involved. Another example is inviting legal and human resources professionals to provide input for insider threat scenarios, which have multiple potential damage or risk dimensions.

Repeatedly using the same scenario threat type. For the past few years, organizations have most often focused on ransomware scenarios in both technical and executive tabletops. But there are many other focus areas that can be evaluated in a tabletop exercise.

Changing the threat type can help an organization be more robust, well-rounded, and resilient. If an organization is prepared for a malware incident but not an insider threat-related data breach, it remains vulnerable to various threats.

Choosing a "doomsday" scenario. Some tabletop exercises don't adequately gauge the scenario's impact and exaggerate the potential damage. The scenario needs to feel realistic but not be so horrible that participants feel helpless and defeated. This dampens the value of cybersecurity training, making people never want to do a tabletop exercise ever again.

The tabletop exercise should be fun, entertaining at times, and continually motivating. The scenario must be shocking enough to provide insight and challenge participants but not impossible to overcome.

Not implementing the lessons learned. When an organization doesn't implement the recommendations from a tabletop exercise, nearly the same exact lessons learned will come up in the next tabletop exercise. That makes the entire exercise almost wasteful of people's time.

A tabletop exercise can identify significant areas of opportunity. Always have at least one notetaker to scribe the brainstorming, collaboration, and decisions made during the exercise. Compare those notes to the lessons learned, best practices, and priorities for putting them into action and maturing the organization's cyber resilience.

Not scoping the exercise and expectations correctly. The last mistake many leaders make is expecting the tabletop exercise to identify all the problems or vulnerabilities in an environment. Because the tabletop exercise is based on one scenario, it can reveal risks and vulnerabilities associated with that specific threat type.

While different threat types have some common vulnerabilities and risks, different scenarios will uncover different weaknesses across people, skill sets, technology, and policies, depending upon the audience.

This is another reason it's important to change the scenario focus for each tabletop exercise: It gives the team safe, realistic exposures to the variety of threats they are working diligently every day to protect the business from.

About the Author

Ryan René Rosado

Security Solution Architect, Trace3

Ryan René Rosado is a pillar of expertise in the global cybersecurity landscape, with an illustrious career spanning over a decade. Ryan is a Security Solution Architect with Trace3. Having fortified the cybersecurity domains of powerhouse organizations such as EY, Avanade, and Optiv, she carved her path from an enlisted Cyber Intelligence Analyst in the US Air Force, dual-majored in Cybersecurity and Emergency Management and is an emerging influence in the private sector. Her success in incident response, threat intelligence, risk management, and compliance are a testament to her strategic and analytical acumen.

Not one to shy away from complex challenges, she has spearheaded multimillion-dollar business development initiatives, penned thought-leading articles, appeared on multiple podcasts including a reoccurring segment on "The Future CISO." Rosado's leadership transcends the conventional, with a heart in cultivating teams and building meaningful relationships that foster growth and steer organizations toward unprecedented cybersecurity maturity and resilience.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights