Practical Tabletops - Part 2
Audience
Now that you've decided to build a tabletop exercise for your organization, and you've spent some time considering what you want to accomplish by running the tabletop, it's time to give thought to who should participate. You'll probably want to collaborate with different people while you're building your exercise as well as in the exercise itself. We'll consider both here.
To build an exercise that will be truly helpful, it is important to make sure it is both realistic and topical. Realism comes from carefully designing and writing it to match your organization specifically -- your business applications, your security infrastructure (including your incident response plan and standard operating procedures), your team, and so on.
One thing to spotlight here, and that you should consider carefully, is that a tabletop drill is not a penetration test, a vulnerability scan, or any other form of technical assessment. I find people often respond to a tabletop as though it were. They'll say things like, "well, that can't happen because we keep our patches up to date at all times" or "we would have noticed that because we monitor system activity 24x7". To pre-empt that, it is certainly necessary to make your exercise sufficiently realistic. But it is also important to encourage the participants to exercise a "willing suspension of disbelief". For that, I often build the scenario around 0-day vulnerabilities in products (including security products, lest we fail to learn from the SolarWinds incident). A 0-day takes the "we're fully patched" objection off the table while keeping the scenario feasible and realistic.
To build an exercise with the right balance of technical feasibility and a dab of fiction, you may well want to consult with a few key people. Consider talking with people who deeply understand the business applications you'll be affecting in your fictional scenario. Consider also the business owners of those applications: what sorts of things "keep them awake at night"?
That having been said, it's also highly helpful to hold some of your cards close to your vest, so to speak. That is, it is best that the actual exercise participants are not made aware of your scenario details prior to the exercise itself. Choose your consiglieri wisely, and encourage them to keep your discussions confidential. And even then, don't disclose all the details of your fiendish plot. (Heh heh heh...)
Exercise participants
Clearly, it matters quite a bit with whom you consult while you are building your TTX. It also matters whom you'll be inviting to attend and actually participate in the TTX itself, and that should be derived from your underlying reason for running a TTX in the first place.
For example, if you're running a TTX to practice and assess your organization's leadership decision making skills while under duress, you'll of course want to involve the leadership team. But that's only scratching the surface.
Consider the aspects of your scenario and what actions the responders are likely to take. If, for example, you've designed in a surprise encounter with a television news crew (at the worst possible time), you're going to want to include the corporate communications team. Maybe it's a data breach and your team will need to comply with the breach notification laws that apply to your organization; you'll want to ensure General Counsel is involved. You may well also want to involve the person or organization responsible for your cybersecurity insurance policy.
And, while it may be illustrative to have all of those key people present throughout your TTX, you'll want to ensure your scenario(s) clearly call for each person's direct involvement. What you want to avoid is someone being invited to your hugely important exercise only to never have the opportunity or need to do anything with regard to the scenario(s).
That requires careful planning of your scenario. As you may have figured out by now, there are many moving parts to consider when you build your scenario. In the next article of this series, I'll discuss some of the fundamental design differences between a TTX for the leadership team and a TTX for a more technical audience.
As always, please feel free to ask me questions about tabletopping. I'll be happy to answer them here.
Technology executive specializing in strategic advisory services with significant healthcare cybersecurity, information systems and Artificial Intelligence experience.
3 years ago: Thank you for sharing Ken. I still remember the first couple of Tabletop exercises you facilitated for me way back in the dark ages at Securicon. Thanks to you, I am one of "those people" that actually enjoys Tabletop exercises...