How to pull off a memorable tabletop exercise

In life, there will be moments that stick with you. For Bitsight CISO Chris Campbell, one was being a participant in a tabletop exercise (TTX) at a past employer that showed a fake news briefing of a ransomware attack against his organization.

“I got chills watching the video and watching the faces of the executive committee watch the video,” Campbell, who is also Bitsight’s SVP and head of technology, said. “It was something that hit home because it was our name [and] our logo.”

A TTX is a discussion-based roleplaying activity meant to gauge an organization’s ability to respond to a cybersecurity threat. They often are informal and performed by key stakeholders involved in an organization’s incident response plan.

Glen Sorensen, a virtual CISO at Cyber Risk Opportunities, told IT Brew that in his experience the simulated exercises can cost a company anywhere between $5,000 and $15,000. He said that companies can benefit from treating them as more than just a compliance requirement.

“The folks that do them for checkbox exercises are not extracting the value from them that’s available,” Sorensen said.

Give them something to talk about. So, how exactly can a company pull off a TTX that gets people going? Kip Boyle, Cyber Risk Opportunities’ founder and CEO, said some of the most engaging TTXs he has planned have been ones that mimic actual security incidents and challenge assumptions.

Boyle recalled one exercise he planned for a company that focused on ransomware getting into virtual Linux servers in AWS, a scenario he said is uncommon but has happened before. He said the company, which went into the exercise feeling confident in their tech stack, left with some important takeaways.

“It was instructive for them to become aware of the fact that you know they’re not as inherently protected as they think and that led to some really great conversation,” Boyle said.

Sorensen said that TTXs with a sense of realism also help to leave a lasting impression on professionals.

“I’ve encountered some…that were just running through a list of questions and very scripted in nature,” Sorensen said. “That’s not really going to do it. That’s not really going to be that realistic.

Campbell added that a non-judgmental setting where participants feel comfortable to play along can help them to gain a lot out of the experience.

“More often than not, you’re pushing both individuals and teams to their boundaries and to their limits,” Campbell said. “You want them to feel uncomfortable. You almost want them to say, ‘This could never happen,’ because in a lot of scenarios, it actually does in real life.”

Things to avoid. Omar Santos, a distinguished engineer at Cisco, shared with IT Brew some reasons why some TTXs he has participated in during his career didn’t land as well as others. He said some of these sessions fell short because of a lack of planning.

“With other organizations, it was…a little bit of a wing-it-perspective,” Santos said. “The organization hadn’t thoroughly prepared the scenario or the role.”

He also advised companies to avoid being too “theoretical” with their exercises, another flaw he observed with past simulations.

“In many cases, you actually can do exercises that are a little bit academic in nature,” Santos said. “If it’s too generic, too abstract…then of course you’re gonna fail. That’s a given.”