What Is a Tabletop Exercise and Should Your Whole Team Do One?

October 17, 2023

A tabletop exercise is a structured discussion in which participants work through a simulated scenario to understand how they would respond to a specific type of incident. Tabletops do not involve live systems, real attacks, or technical testing. They are conversations -- guided by a facilitator, grounded in a plausible scenario, and designed to surface gaps in plans, processes, and understanding before a real incident creates the pressure to find them the hard way.

The default assumption in most organisations is that tabletop exercises are for the security team, IT leadership, and senior management -- the people who would make decisions during a real incident. That assumption is worth challenging. A cyber incident affects far more people than those who manage the technical response. Customer service staff fielding calls from clients who cannot access their accounts, finance staff trying to understand what transactions were affected, HR staff managing internal communications and staff welfare, and communications staff handling external enquiries are all active participants in an incident -- and are rarely included in tabletop exercises that would prepare them for that role.

What Happens in a Tabletop Exercise

A tabletop exercise follows a scenario that unfolds in stages. The facilitator introduces the initial situation -- a ransomware notice appears on several workstations on a Monday morning, for example -- and asks participants how they would respond. As the discussion develops, the facilitator introduces new information that changes the picture: the backup system is also encrypted; a supplier is asking if they have been affected; a journalist has sent an inquiry; the CEO is overseas. Each development forces participants to think through their actual response rather than their assumed response.

The value of a tabletop is not in the scenario itself but in what the discussion reveals. Organisations discover that their incident response plan assumes a capability they do not have, or that two teams have different understandings of who is responsible for external communications, or that no one knows the process for making a ransomware payment decision because the policy does not cover it. These discoveries in a tabletop cost nothing. The same discoveries during a real incident are significantly more expensive.

Designing a Tabletop for Operational Staff

A tabletop designed for general operational staff looks quite different from one designed for a security and IT leadership team. The scenario needs to be grounded in the operational reality of the participants. For a council team, that might mean a scenario where the system used to process development applications or manage resident calls is unavailable. For a not-for-profit with program staff in the field, it might mean a scenario where the database of beneficiary information has been encrypted and field workers cannot access case records.

The questions the facilitator asks in an operational tabletop are practical rather than technical:

  • If the system you use most was unavailable for 24 hours, how would you continue your work?
  • Who would you contact first? Do you have that contact information outside the system?
  • What decisions could you make independently and what would need to go to a manager?
  • What information would clients or external partners need from you, and how would you provide it?
  • Is there anything in your current workflow that you would not be able to do manually if the system was down?

These questions surface operational dependencies that IT teams often do not know about, and they give operational staff a realistic picture of what a cyber incident actually means for their day-to-day work.

What Operational Tabletops Achieve

Tabletop exercises with operational staff achieve several things that technical exercises with leadership teams do not. They build familiarity with the concept of a cyber incident in the people most likely to be directly affected by one. They surface operational continuity gaps that would not be visible in a purely technical assessment. They give staff a sense of what is expected of them during an incident -- what they should do, who they should contact, and what decisions they are and are not authorised to make. And they create an opportunity for IT and security teams to learn from operational staff about the real-world dependencies their plans may not have accounted for.

For organisations like councils, health and community services providers, and not-for-profits delivering essential services, the operational impact of a cyber incident is often more significant than the technical one. A ransomware attack that encrypts a council's planning database is primarily a technical problem for IT. It is a service delivery crisis for the planning team. Running a tabletop with that team, rather than only with IT, prepares the organisation for both dimensions of the response.

How Often and With Whom

The Australian Signals Directorate recommends that organisations exercise their incident response plans regularly. "Regularly" in practice means at least annually for leadership teams, with operational exercises run for key business units on a rotating basis. The frequency matters less than the consistency -- an organisation that runs a tabletop every year and acts on the findings is in better shape than one that runs one occasionally and treats it as a compliance activity rather than a planning tool.

We facilitate tabletop exercises for organisations across a range of sectors, including councils and community services organisations. If you are interested in running a tabletop for your leadership team, your operational staff, or both, contact us at info@cyberlinx.com.au to discuss scenarios and format.

Table of Contents
Resource Type
Blogs
Category
Cyber Awareness Training
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?