Now that you've decided for which audience you'll be running your tabletop, the next thing to consider is how to build out your tabletop for that audience.
Don't get me wrong. The underlying incident scenario itself could well be the same across multiple audiences, but the aspects on which you're going to focus should be tailored to the specific audience.
Additionally, it's generally a good idea to include in your tabletop at least some aspects that will affect everyone in your target audience. For example, if you're going to invite your Corporate Communications office, it makes good sense to ensure there are media interactions in the session. There can be value to some of your participants not getting explicitly called out in a scenario, but that should be by design and quite deliberate. Otherwise, it's best to ensure everyone has a role to play.
When running a leadership-level session (senior management, C-level executives, or even Board members), you're pretty likely to find you just can't get a lot of time on their schedules. While you might run a technical tabletop drill for several hours, a leadership group is likely to limit you to 1-2 hours. Make efficient use of your and their time.
So, now the question here is what sort of things should you include for a leadership group you might not include in a more technically hands-on group. Here are a few considerations.
- Business focus. Perhaps this is obvious, but be absolutely sure to focus your incident scenario around business issues. Application outages, business down time, etc., should be the primary issue for the most part. Avoid getting dragged down by the technical minutiae. While those things matter, you're far more likely to get eager participation among your audience by keeping your attention on the business.
- Media attention. It can often be helpful to build in some media inquiries about your incident. Those always happen at the worst possible time, so be sure to keep it realistic. I've been known to "ambush" some of the executives in my session with a simulated TV news crew getting in their faces as they leave the office for an important luncheon or some such. Are they prepared to address the media? Does their response make the problem worse than it was before? (Nothing gets reporters motivated like "no comment" responses to reasonable questions.) Did the Communications team prepare the executives for such an encounter or were they caught off guard? Press them on the details of the response and how it would play out. And expect the incident responders to face increased management scrutiny after the media encounter.
- Other stakeholders too. Don't just limit your external scrutiny to the media. Consider also pulling in investors, customers, regulators, and other third parties to your scenario. They can often put extreme pressure on the leadership team, and that can have a major impact on how the team responds to the emergency.
- Notification laws. Speaking of regulators, most businesses these days operate under some form of mandatory breach notification laws or regulations. Either explicitly call that to the attention of your participants, or keep an eye out for them bringing the topic up themselves. (I generally prefer the latter.) How do they comply with the laws? Again, press them on the details of what they would report and to whom.
- Insurance. If your organization has a cyber security insurance policy, that can be helpful to bring into this leadership group's tabletop. What can/should the team expect from the insurance provider? What information does the insurance provider require? Do they provide hands-on response support to (say) ransomware attacks? How does the team engage their services? How long do they take to arrive? These are all questions your participants should be addressing. I've seen insurance providers deliver meaningful and helpful support to organizations hit by major breaches. Waiting to contact them until the incident is resolved would be too late.
- Business continuity. Not only should you be building your scenario around business issues, the leadership team should also be focusing their actions and decision making on them. Business continuity should play a major role in such a case. If your scenario is likely to result in business down time, do they have a "plan B" in place, such as spare servers for a disaster recovery plan?
The above is not a comprehensive list, as I'm sure my readers can appreciate. It is my hope to merely catalyze thought and creativity.
Whatever the case, be sure to press your audience for details, especially when they make broad statements (e.g., we can simply re-image all of our desktop PCs). How long will it take? How much will it cost? How many people do we need to perform this task?
I also look for fundamental incident response operations being handled properly, of course. Is the incident response team (IRT) tracking actions? Is there a timeline? Who is in charge of the situation? Have they declared an incident severity level? Are they using their own IRT process to guide their handling of the incident, as a form of checklist?
In our next article of this series, I'll address issues to include when building a tabletop drill for a more technical audience. As always, please feel free to comment here or email me with any questions you have on the topic.
Comments

Technology executive specializing in strategic advisory services with significant healthcare cybersecurity, information systems and Artificial Intelligence experience (3 years ago):
Thank you for sharing Ken - this is a fantastic series!!!

President at KRvW Associates, LLC (3 years ago):
Welcome back from the holidays, and Happy New Year! Let's pick up where we left off on building and executing a cyber security incident handling tabletop drill. In this article, I address issues to include when tabletopping with leadership-level audiences.