It's also a good idea to invite outside agencies from federal, state and local government to participate. There are two reasons to do this, says Robert Connors, director of preparedness, Wounded Warrior Project Partnership at Raytheon Co., a provider of electronics, defense, communications and other systems.
"First, to get to know them and for them to get to know your environment before a crisis occurs," Connors says. "Second, so they can learn from you and share best practices with you. It's a mutually beneficial partnership."
When exercising, broader can be better. When structuring a tabletop it's important to scope the breadth of the exercise, Olson says. "When running a drill from detection through customer and public disclosure, a wealth of knowledge of your program is presented," Olson says.
"In the InfoSec world we typically view drills as the opportunity to validate our processes and procedures," Olson says. "In a drill that runs through to handling the public disclosure you gain much more. It provides a view into the organization's understanding of information security. It gives insight into how effective your security awareness training program is."
Make the scenario as realistic as possible. "People tend to try to 'fight' the scenario," Starkey says. "If it is a realistic scenario or event that is simulated, the fighting doesn't occur. Invite subject matter experts to the planning team to accomplish this."
For example, a recent exercise in Delaware was a cyber attack on the power grid, "and we included a rep from our largest utility to help write the exercise injects," Starkey says.