One of the best ways to test incident readiness is a tabletop exercise: a mock incident run to test the readiness of senior leadership, IT, security, legal, corporate communications and business lines. Given all of the focus on incident response readiness, you've likely heard about tabletop cybersecurity exercises. While they are common, there are a few things to consider before attempting to run your first exercise or fine-tuning existing practices:
1. What type of exercise format suits your organization?
Tabletop exercises aimed at testing an organization's decision-making processes can be straightforward scenarios from a playbook, run around a conference table with key members of the company present. But this isn't the only option. Consider a few ways to customize the exercise format:
- Does your company lack incident processes? Consider a workshop exercise designed to respond to an event with breakout sessions to build a response plan framework.
- Is there anxiety about the process? Consider incident response plan training before the tabletop exercise to inspire team member confidence.
- Are team members bored with the traditional tabletop exercises? Consider breakout sessions to functionally test team members with mock alerts, customer service calls or fraud data “sent” to the company.
- Do you need to test the team's real-time ability to thwart an attack? Consider a full functional exercise where a hack team can be pitted against a defense team.
- Would your team benefit from post-exercise training? Companies can often anticipate the exercise pain points and reinforce an exercise with appropriate post-incident training.
Bear in mind that good tabletop exercises should not be limited to testing security and IT. As you decide on an appropriate format, ensure that you can also test the readiness of senior leadership, legal, corporate communications and applicable business lines.
2. Are there specific topics, policies or team members that need to be tested?
Whatever tabletop exercise a company chooses, it is important to write the exercise with company strengths and weaknesses in mind. In addition to readying a company for an attack, exercises also help bring company awareness (and potentially budget) to security issues. As you are crafting an incident fact pattern, don't be afraid to think strategically about the issues you need to elevate to increase company security awareness.
3. What happens after the exercise?
In addition to scheduling a written or verbal post-mortem regarding the incident, the exercise facilitator should calendar a review of the incident response policy and related policy items implicated in the exercise.
Regardless of which type of exercise you choose to run, the goal is to ensure all incident response players understand their roles. Running an effective exercise before a cybersecurity incident occurs will give your team the chance to build trust and lines of communication that will enable a smoother response when a real problem arises.
Amy Mushahwar is an experienced data privacy, security, and management attorney with nearly 20 years of experience in the technology industry in both legal and technical capacities. Amy's practice focuses on data security, cyber risk, and privacy issues. As both a lawyer and former technologist, Amy is adept at helping clients unravel complex systems structure to fully understand legal and regulatory risk.