When Was Your Last Tabletop Exercise?
By: Secureworks
This may be the most important question you ask yourself today — because if your answer is anything like “I don't know” or “I think it's been a year,” your organization is exposed to more business risk than you need to be.
In fact, without thorough, regular tabletop exercises, your organization may be unprepared for an eventual breach.
It doesn't matter how skilled your cybersecurity team is or how much you've invested in state-of-the-art cybersecurity solutions: when an incident occurs, you will need more than just skills and tools. You're going to need organization-wide processes, discipline and preparedness.
The only way to get that is with regularly executed, professionally run tabletop exercises and using them to figure out any gaps in existing cybersecurity processes that need to be fixed.
Tabletop Exercise Benefits
Benefit #1: What happens when a cyber incident occurs?
The primary reason that tabletop exercises are essential is that your entire organization — not just your SecOps team — must respond to any incident above a certain magnitude. Obviously, all IT disciplines will likely have to be involved since an incident can involve servers, applications, web-facing assets, and data.
But perhaps less obviously, you may also want your non-technical stakeholders to understand what they will have to do if and when an incident occurs. These stakeholders can include managers across operations, customer care, legal/compliance, PR, and HR departments — as well as executive management and perhaps even your corporate board.
Tabletop exercises give these stakeholders the opportunity to prepare to fulfill their responsibilities should they be called upon to do so. More specifically, a cybersecurity tabletop exercise prepares stakeholders for an incident in three specific ways:
- Checklist preparation. By simulating an actual cyber emergency, tabletop exercises help stakeholders formulate complete, detailed, and appropriately prioritized “to-do” checklists. These checklists are invaluable when an incident occurs because they enable everyone to focus on doing rather than just thinking.
- Comms preparation. Effective incident response isn't just about everybody getting everything right within their own functional silo. It's also about how information gets shared across silos quickly and accurately — without adding a lot of noise to the signal. A cyber tabletop exercise allows you to test these collaborative communications under difficult conditions that may include loss of your email system.
- Emotional preparation. Never underestimate the human factor in incident response. When in crisis and real money is on the line, people can panic. Rehearsing an emergency using a tabletop exercise helps ameliorate this organizational panic in much the same way a flight simulator helps pilots avoid panic when they're faced with emergency situations.
Benefit #2: Cybersecurity budget visibility for upper management
Security professionals often complain about not getting the cybersecurity budget they want for the things they need — and about upper management not fully comprehending what security entails.
Tabletop exercises tend to make the business risk associated with an incident tangible in a way that a headline about another company's woes or a white paper from a security vendor simply can't. That's because cybersecurity tabletop exercises allow upper management to see a simulated incident unfold right before their very eyes in a way that specifically relates to their company's top and bottom lines.
In fact, I've seen upper management approve funding for additional cybersecurity tools, services, staffing, and/or training immediately following an eye-opening exercise. So while I wouldn't suggest doing a tabletop exercise just to get more budget, let's just say that it doesn't hurt.
Benefit #3: Avoiding costly incident response mistakes
If you're a cybersecurity professional and you're good at your job, chances are that you have minimal experience with a high-impact event. The upside of this, of course, is that you've successfully mitigated risk wherever you've worked. The downside is that there's a good chance you'll make an easily avoided mistake if and when an attacker gets into your environment.
Fortunately, a tabletop exercise will allow you to address this problematic experience gap quickly and effectively — especially if you engage a veteran incident response team to facilitate the work.
Here are just a few examples of the mistakes tabletop exercises can help you avoid:
- The “rush to crush.” It's very common for cybersecurity pros to set off a frenzy of wipes, shutdowns, and rebuilds the moment a problem is detected. However, while the intention driving this frenzied activity is understandable, it's usually the wrong move.
For one thing, a “rush to crush” almost invariably wipes out forensic data that's vital for understanding the active attack and preventing it from reoccurring. For another, excessive remediation that's not based on a clear understanding of the attack can disrupt the business in ways that exacerbate its adverse near- and long-term financial impact — rather than abating it.
- Leading from the trenches. It's also not uncommon for an organization's cybersecurity leader to assume they should lead the organization's incident response. After all, they have the best technical understanding of the incident and its impacts across the digital enterprise.
But that's exactly why, in most cases, that person should not have top-of-the-pyramid responsibility for end-to-end response activity across the organization. Cybersecurity leaders must focus all their time and attention on the technical aspects of response. So, someone in upper management (like a COO) who's not going to be looking at screens and dealing with the technical aspects of the crisis — and who has the necessary clout across all departments and locations — should run the show.
- Inadequate threat intelligence. It's difficult to effectively respond to an incident if you don't understand exactly what that incident is. I can't emphasize this enough. The only way to thwart an attack quickly and decisively is to get a clear picture of who your attacker is and what they're trying to do to you.
And to do that, you need two things: 1) aggregated real-time telemetry from across your environment and 2) the ability to map that telemetry to the known behaviors of specific threat actors. To fulfill that first requirement, I would recommend having a managed detection and response (MDR) solution in place if you don't have a SOC monitoring 24/7. Don't wait until you're under attack — and if using an MSSP, don't assume that they have a strong incident response practice.
To fulfill the second, make sure you have a partner whose threat research and threat intelligence capabilities are second to none.
And, of course, the best move is to work with a partner who delivers a great MDR solution and world-class threat intelligence.
Failing to prepare, as they say, is preparing to fail. Nowhere is this truer than in incident response — which puts your entire organization under extreme pressure with potentially existential risks at stake. So please, if you haven't done a tabletop exercise and don't have a strategy in place, reach out to one of our cybersecurity experts for help. It's a high-benefit investment at a relatively low cost and can result in significant cost savings for your organization.