Blogs & Opinions 01.05.2025

CISO “How to” Without the Bull: Tabletop Exercises

A six-step plan to make tabletop exercises count

In the latest of my “no bullshit” cyber blogs, I’ll demystify a crucial part of incident response planning. My name is Nick Harris, and I’m the CISO in Residence at Assured.

Do your tabletop exercises (TTXs) conclude with a great list of improvements you can make? And is your list still nearly as big months later?

TTXs are a good way to exercise the incident response plans that sit within a business continuity programme (BCP), and the playbooks that support them. They are often pitched at leadership as a way of building buy-in or exploring strategic decision making and mid-incident PR.

In BCP terms, that leadership audience is “Gold Command”. Equally, the TTX might be pitched at “Silver Command”, the heads of the cyber and IT teams, or at “Bronze Command”, the tactical IR teams working with the SOC. If you wonder how these all stitch together, read on.

A week-long TTX

The focus of the TTX is to test out the validity of the plans and playbooks against a certain, pre-determined scenario, which inevitably generates a big list of improvements. The problem is, when the TTX is over, everyone goes back to their day jobs and focus and momentum have gone. That leaves someone – often in the cybersecurity team – trying to herd cats to embed the new changes. However, there is a more productive and efficient approach.

The answer is a week-long TTX. It works like this. At 9am each day, hold a 30-minute meeting with the key players. This way, you can have a huge impact with only 2.5 hours of meetings. These meetings/calls are used to set or update the scenario, and allow members to ask clarification questions or highlight potential shortcomings. Everyone then has around 24 hours to answer all the questions and solve all the problems raised. As the week progresses, improvements are identified and resolved with the aim that there is nothing left to do by 5pm on Friday.

A six-step plan

Consider the following steps:
  • Step 1: Get buy-in from senior stakeholders, such as the head of IT, and possibly their direct reports.
  • Step 2: Agree on a specific week sometime in the future dedicated to the TTX, during which other meetings are forbidden. Arrange regular emergency change advisory boards (ECABs) through the same week so that changes can be approved as they are ready. Setting a whole week aside will take some doing, but it’s worth it.
  • Step 3: Two to four weeks beforehand, bring all the players together, explain the concept of the week and the scenario, and share all current documentation.
  • Step 4: Run the exercise. Remind everyone of the concept and set the scene. Consider addressing five phases, with a day devoted to each: identify/prepare, detect, contain, eradicate, restore & recover.
  • Step 5: Keep the pressure on. Your value comes from enquiring into everyone’s business. Ask all the awkward questions. Do you have plans? Can your helpdesk cope? What happens if you lose Microsoft Teams? When did you last do a restore? Do you have privileged accounts that aren’t in your privileged access management (PAM) solution? Are you sure you’re not vulnerable to a golden certificate attack? Is Windows LAPS in place? And so on.

If the answer is “not sure” or “no”, the team has 24 hours to turn that answer around. If there hasn’t been a backup restore, do one. If the answer to losing Microsoft Teams is to flip to Google, set up an instance and run tomorrow on Meet. If cyber and IT aren’t sure who is containing a device and the rules to release the containment, put them together to solve it. If IT hasn’t got a golden image (or zero touch deployment) to rebuild devices, make one. If the SOC hasn’t got the IOC detections or alerts established, build them.

The TTX will be really flying when all the attendees are asking each other awkward questions and offering up issues they know need improving but have never spent the time on. Remember, changes can go through the ECABs now, as this was all agreed in advance.

  • Step 6: At the end of the week, you should have one massive list of achievements: a huge leap in productivity. Capture this, write it up and shout about it. Commend everyone who participated and let the line managers of those who attended know how much was done, with your sincere gratitude. After all, you might want to run one again.
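One of the Step 5 questions, “do you have privileged accounts that aren’t in your PAM solution?”, is answerable within the 24 hours if someone can diff two exports. The script below is an added example, not part of Nick Harris’s post or any Assured tooling: it reconciles a constructed export of privileged AD group membership against a constructed PAM inventory, normalising DOMAIN\user, user@domain and bare sAMAccountName forms so that the same account written three ways is not reported three times. The CSV column names (`group`, `member`, `account`, `platform`) are assumptions; adapt them to whatever your directory and vault actually export.

```python
"""Reconcile privileged AD group membership against a PAM vault inventory.

Added example (not from the original post). The two CSV strings are
constructed sample data; replace them with real exports of your Tier-0
group membership and your PAM vault's onboarded accounts.
"""
import csv
import io

# Constructed sample: privileged group membership as exported from AD.
# Note the mixed identity formats, which a naive string comparison would miss.
AD_PRIVILEGED_CSV = """group,member
Domain Admins,CORP\\jsmith
Domain Admins,corp\\svc-backup
Enterprise Admins,jsmith@corp.example
Administrators,CORP\\breakglass01
Schema Admins,CORP\\ADMIN_PQ
"""

# Constructed sample: accounts that the PAM vault reports as onboarded.
PAM_INVENTORY_CSV = """account,platform
jsmith,corp.example
breakglass01,corp.example
admin_pq,corp.example
"""


def normalise(identity: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or 'user' to a lowercase 'user'."""
    identity = identity.strip()
    if "\\" in identity:                      # DOMAIN\user
        identity = identity.split("\\", 1)[1]
    if "@" in identity:                       # user@domain (UPN)
        identity = identity.split("@", 1)[0]
    return identity.lower()


def load_privileged(csv_text: str) -> dict[str, set[str]]:
    """Map normalised account -> set of privileged groups it belongs to."""
    members: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        members.setdefault(normalise(row["member"]), set()).add(row["group"])
    return members


def load_pam(csv_text: str) -> set[str]:
    """Set of normalised accounts the PAM vault knows about."""
    return {normalise(row["account"]) for row in csv.DictReader(io.StringIO(csv_text))}


def find_gaps(privileged: dict[str, set[str]], pam: set[str]) -> dict[str, set[str]]:
    """Privileged accounts with no PAM record, with the groups that make them privileged."""
    return {acct: groups for acct, groups in privileged.items() if acct not in pam}


def report(ad_csv: str = AD_PRIVILEGED_CSV, pam_csv: str = PAM_INVENTORY_CSV) -> dict[str, set[str]]:
    """Print and return the accounts that need onboarding before the week is out."""
    gaps = find_gaps(load_privileged(ad_csv), load_pam(pam_csv))
    for acct in sorted(gaps):
        print(f"NOT IN PAM: {acct} (member of {', '.join(sorted(gaps[acct]))})")
    return gaps


if __name__ == "__main__":
    report()
```

On the sample data only the service account `svc-backup` is reported, because `jsmith` appears twice in AD under different formats but is onboarded once, and `ADMIN_PQ` matches `admin_pq` after case folding. Each account the script prints is an action for the PAM owner to close within the 24 hours.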

Stitching everything together

The cyber incident response plan is the checklist for Silver Command, and one of many plans within the BCP that Gold Command draws on, alongside plans covering fire, flooding, power loss and other scenarios. Playbooks and tactical recovery procedures are scenario-based (ransomware, data loss, account compromise, etc.) and offer step-by-step guidance for the Bronze teams on the ground.

This article is part of our ‘No bullshit cyber blog’ series, written by Assured CISO in residence, Nick Harris. “These blogs are designed to offer useful tips for implementing cybersecurity practice. The series focuses on making a difference in a language the business understands,” explains Harris. “All points are drawn from my personal experiences delivering cybersecurity transformation programmes and consider best practices from other industries. While I’ve had great success with these methods, you may have a better way. Apply what works for you, and let me know your suggestions.”  
