Tabletop exercises enable organizations to analyze potential emergency situations in an informal environment, and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements.
Such exercises seem like a natural fit for information and physical security, because they provide a forum for planning, preparation and coordination of resources during any kind of attack.
"Tabletop testing generally takes the form of a discussion-based exercise, and involves reviewing roles, responsibilities and response efforts required to respond to a given security incident," says Jay McLaughlin, CSO and senior vice president at Q2, a provider of software for the financial services industry.
"Testing tends to provide a high-level estimate of the potential for success in the event of such an incident," McLaughlin says. "The major benefit of using these types of exercises is that they provide real scenarios in a non-threatening, non-disruptive format — and can be rather economical to conduct. The goal [is] that participants and management become more aware of possible gaps or weaknesses that may exist in the incident response plan."
But what are the best practices for using security tabletop exercises? We asked some security executives to weigh in on the topic and here are a few of their suggestions.
Take the time to prepare for the exercise. "Preparation is a critical key to success in these exercises," McLaughlin says. "During the planning phase, the objectives, scope, and participants must be determined."
This is often the most time-consuming phase of planning for the exercise itself, but will ensure that the exercise is valuable, McLaughlin says. "When conducting the exercise, it is important that the facilitator enforces boundaries and helps guide the conversation, to prevent the group from going down the proverbial rabbit hole, which can often derail the exercise," he says.
Conversations should be focused on the efforts required for detection, containment, eradication and recovery from an incident, McLaughlin says. Following the exercise, a post-incident summary of the activities should be documented and reviewed, he says. This review should capture lessons learned, as well as what could be done to improve the overall response efforts of future incidents.
Involve multiple parties from throughout the organization. Develop a list of business function leaders from across different areas of the company who will be part of the tabletop exercise team, in addition to those from security.
"A tabletop exercise allows you to not only test your incident response capability, but it gives you the opportunity to coordinate across various teams including human resources, communications, legal, compliance, IT, physical security, etc.," says Mary Chaney, senior team leader, Incident Response & Data Management, at GE Capital Americas, a financial services unit of General Electric Co.
"The problem that we as security professionals face is the lack of visibility until something bad happens," Chaney says. "A tabletop exercise gives you the ability to reach out in a non-stressful environment to ensure the relevant parties are engaged timely and appropriately. Most importantly, [other] business leaders actually know your name and that you are there to help."