Involving business leaders in tabletop exercises "also gives senior leadership comfort in knowing that we are doing something to test our response and communications capability," Chaney says. It's a good idea to draft a report of the findings "and share it with all relevant stakeholders," she says. "Seek assistance with addressing gaps in the process and take the time to solidify who actually has decision-making ability, before the crisis happens."
Having others from outside security sitting in on a drill can provide "a level of awareness as to why [information security] imposes controls that prior to the drill may have been viewed as excessive," says Mark Olson, director of information security at Iron Mountain, a provider of storage and information management services.
"By running a drill that follows an attack from drive-by to a simple compromise of a desktop followed by a sideways attack on a server, [security] starts to make sense," Olson says. "Suddenly, the [information security] approach and program philosophy are no longer a 'sky is falling' theory but have a tangible risk-reduction purpose. The tabletop exercise is the opportunity to demonstrate the purpose and value of our InfoSec program."
Make sure the participants know the ground rules of the exercise. "Communicate what is in scope for the exercise and out of scope," says Elayne Starkey, CSO for the State of Delaware.
"Participants get frustrated if the ground rules aren't explained or provided to them before the exercise," Starkey says. "Frustration can lead to those individuals having a negative experience during the exercise, and could result in them not getting a lot of value from the exercise."
Participants could then decide that exercises are a "waste of time" and not volunteer to participate in others, Starkey says. "In our exercises, each participant receives a copy of the official ground rules," she says.
Ensure that the participants know how to communicate during the exercise. "For example, are they to simulate communications or should they actually communicate their decisions to other individuals that are participating?" Starkey says.
Leverage resources from within your industry and the government. Some industry organizations provide services to help companies conduct tabletop exercises.
For example, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is a financial services industry forum for collaboration on critical security threats facing the global financial services sector.
GE Capital Americas belongs to FS-ISAC, Chaney says. "They have several different types of tabletop exercises that are facilitated by them, which cover various types of scenarios," she says. "The exercises are designed to test internal and external response capabilities."
In a recent exercise with FS-ISAC, GE Capital tested communications inside its environment and determined at what point an event rises to the level where the company should communicate with other FS-ISAC members.