Are Incident Response Tabletop Exercises Worth it?
Updated: Aug 28
Five reasons you need to run an incident response tabletop exercise.
The 5 Reasons Tabletops Must be Taken Seriously
Today’s cyber threats are becoming increasingly more sophisticated, and companies are doing what they can to protect themselves from breaches and ransomware attacks. I have heard it a million times: “It’s not if you have a security incident; it’s when.” Great, but what is being said is not how we, as IT Security professionals, are acting. Usually, the quote above is followed by something like, “Then we need to do more upfront to prevent an incident.” True, but the quote still stands…it’s “when,” not “if.” So, what are we doing to plan for it?
The challenge is this: How do you tell your board you’re planning to fail? That’s a hard pill to swallow for most boards, and they hate hearing it, but we must convince them of the reality. Most of what boards know about cyber incidents is what they read or hear in the media. There’s a lot of great info out there, but most of the time, we only hear about the amount of data stolen/encrypted and the cost to the company. These facts are useless and boring to me. What I want to know is how the organization managed the cyber incident and what the impact was on their business.
It’s obvious to me when a company was unprepared for an incident, which is usually seen when the company discloses the breach. I’m sure we’ve all seen where news of a cyber incident breaks, the victim company tries to get in front of it for damage control, and their PR department releases statements without having all the facts. Record count seems to be the most important “fact” that gets reported, and that number can be elusive. I’ve seen companies state they have the incident contained, systems are patched, no sensitive data was stolen, or a few systems were affected. Then, two days later, the same company has to disclose they were wrong, the breach is still ongoing, and millions of records/systems are affected. The company above was clearly not prepared for the incident. So, how do we convince our boards to invest time and resources in damage control?
IR Tabletop exercises are a great way to prepare for the inevitable and are critical for your Incident Response Plan. Having an IRP is great, but documentation usually gets created and dumped into some repository, and it only gets dusted off when it needs to be shown during an audit. Boards rest comfortably knowing there is a plan in place in the event there is a cyber incident, but they might not know what’s in that plan and that they play a major role in the response. Here are five reasons tabletops with your board and executives must be performed at least annually to test your IRP.
It’s Required! Most companies that collect data are beholden to some compliance framework such as HIPA, PCI, or GDPR…. I listed this reason at the top because being compliant seems to be most companies' focus (rather than being secure). Good or bad, compliance obligations are easier to meet and get funded more often than tools or resources for threats that may never happen.
Your company’s reputation is at stake. Depending on the size of the incident, it will most likely make the news. Companies’ reputations take a hit once the word gets out, and it can be hard to rebound. Stock prices drop, customer confidence is lost, and the brand may become synonymous with a data breach, i.e., Target.
The company may fold. This is an extreme reason, but unfortunately, it happens. Usually, a smaller company has fewer resources to recover from a major incident, but large companies are not immune. Recovering quickly and efficiently can impact the company’s ability to remain in business. I recently read about a college that had to close its doors after 157 years due to a ransomware attack.
Your job is at risk. Companies that have suffered a cyber incident almost always include who was fired as a result in the released communication. Someone must take the fall for the company. Sorry, CISOs, but it’s usually you and/or your team. Like it or not, it’s the reality.
Your reputation is at stake. I’ve told this to colleagues in the past, and they always seem perplexed. I will ask them what they would say if they were being interviewed for a job, and the interviewer asks, “I see that you worked IT Security at [breached company]. What role did you play that led to the breach?” I never want to be in that position unless I have a great answer on how we responded. If the interviewer understands IR, your answer may work to your benefit.
Hoping a cyber incident won’t occur is a nice thought, but it’s not the reality. The IR tabletop exercise is not your IRP but how you ensure you have the right plan in place.
ImagineX can help you get the IRP in place and tested with a series of tabletop exercises with scenarios tailored to your environment/industry. ImagineX’s Cyber Resilience Team offers services ranging from running a tabletop to full incident response implementations and much more.
For more information on IX Tabletops, please reach out to us!