Tabletop Exercises: Practice what you Planned
By David Tremont & Jon Washburn
As law firm security professionals, we strive to ensure compliance with all the laws and regulations that apply both directly to our firms, and those that apply indirectly to us through our clients. Some of us even take our firms down the path of certification, where third parties attest that our processes and procedures are repeated the same way day in and day out, and that we are enforcing standards and policies consistently within our firms to mitigate threats and reduce risk.
We sit in stuffy conference rooms and have long meetings to make sure our organizations are a safe as we can make them, while we lose sleep over the potential impact of the next data breach, phishing campaign or DDOS attack.
Many of us may not know how we would handle a security situation or data breach because - holy smokes - we either have never experienced one, or we have never fully considered a "cybersecurity incident scenario" in the form of a tabletop exercise.
Now, we are not talking about sitting around a table with a lot of smart people discussing every scenario you can come up with, because let’s face it - there are many. What we are talking about is a true exercise in how each member of your team - either the team you lead, or the leadership team in our organization - would respond to an incident (every bad security event starts out as an incident).
Tabletop exercises are an integral part of crisis management. You cannot be confident that your security program is strong without considering the threats and vulnerabilities that could negatively affect your program. According to the 2018 Crisis Management and Benchmarking Report from Morrison Foerster and Ethisphere, more than half (56%) of respondents suggested they were only “somewhat confident” in their crisis management plans.
Of course, practicing incident response scenarios takes time and resources. When informally surveying people over the last few years, We have discovered that firms that want to conduct tabletop exercises typically do not get full participation of the appropriate staff, especially senior leadership, to conduct them frequently enough to make them effective. When they can conduct exercises, they're rarely able to address enough scenarios to get an effective picture of risk.
If you are going to invest a lot of time and effort in generating the documentation for an incident response plan, wouldn’t you want to know if it works?
The good news is we can know if it will work, and it should be required that we perform tabletop exercises that will give us a clear understanding of how effectively it will work. Performing tabletop exercises will help us identify any weaknesses in the plan that should be addressed. Clients also understand the importance of these exercises, we have seen a few client audits ask how often your firm practices tabletop exercises, and whether your incident response plans are reviewed on a consistent basis and changed as necessary. This is not an unreasonable question, as it helps paint a picture of organizational risk appetite, and how your firm or organization manages risk.
Rehearsing risk response is a fairly simple task. Develop a playbook that identifies the steps, roles and stakeholders involved in responding to a particular attack and then practice that playbook - several times if necessary to ensure you have identified any weaknesses in your response.
Tabletop exercises typically are discussion-based; reviewing roles, responsibilities and the organization's response efforts. During the exercise you'll measure successes and failures against your playbook, modifying the playbook whenever you find an area that won't meet your criteria for successful risk treatment. Don't be afraid of failure during a tabletop exercise, it is a learning experience that allows the organization to identify opportunities to enact changes that will continuously improve the effectiveness of your response plan each time you run an exercise.
Here are six tabletop exercise tips from CSO magazine:
- Take the time to prepare for the exercise
- Involve multiple parties from throughout the organization
- Make sure the participants know the ground rules of the exercise
- Leverage resources from within your industry and the government
- When exercising, broader can be better
- Make the scenario as realistic as possible
Tabletop exercises, in our opinion, are fun and informative. It allows us to review how our respective personnel react to stressful situations while making them a part of the process by giving them a say at the table, helping define how we can best assist the organization in successfully responding to an incident.
I know you procrastinators out there are saying “I need to make this happen, but I've never done this before and I'm still uncertain about where to start and what to do.” Don’t fret security-minded friends, ILTA LegalSec Summit 2019 will host several Sessions on Incident Response, including an Incident Response Tabletop exercise. The entire Workshop Day is dedicated to Incident Response: the fundamentals of responding to security incidents; conducting technical and executive-level tabletop exercises; how to build an Incident Response Plan; tips on incident handling from Carbon Black; and even a session on Post-Incident response. Whether you are a seasoned professional or just trying to get started, these sessions should provide you with valuable information to assist you with building or fine-tuning your Incident Response plans.
For a quick summary of the importance of tabletop exercises, as well as a link to some free tabletops based on the Critical Security Controls that you can use in any organization, check out this page on the Center for Internet Security (CIS) web site: