A tabletop exercise (TTX) measures more than an organization’s technical capabilities and adherence to an incident response plan—it facilitates the confluence of personalities and team cultures, in turn revealing friction not only in processes but also in team dynamics. The success of an organization’s response in both a TTX scenario and, more importantly, a real-world incident is not measured solely by the effectiveness of their actions but also by their internal collaboration and cooperation.
As facilitators, one metric by which we measure the performance of an organization during a TTX is the depth and breadth of engagement by the participants in the scenario. When delivering a TTX, I explicitly state that the value derived from the engagement is tied directly to the level of participant interaction and dialogue; it is only through inter- and intra-team dialogue that strengths and weaknesses can be truly identified.
In assessing this metric, we consider the following questions:
1. Are any participants dominating the conversation?
If a scenario is dominated by one or a few individuals, special attention is warranted. One-sided conversations could be the result of disproportionate expertise, seniority, or strong personalities. While none of these factors are inherently negative, the TTX facilitator must assess whether such individuals represent a single point of failure in the process. While influential individuals can positively drive team culture, that influence can inadvertently result in said processes and procedures being built around them. Thus, healthy dialogue is an indicator that a team’s knowledge and capabilities are distributed, and that an incident can be successfully handled in the absence of the usual go-to individuals.
Encouraging participation from other team members also leads to diversity of thought. Each employee has unique experience, knowledge, and strengths; taking this into consideration will not only help eliminate single points of failure but also ensure a more robust overall security program.
2. Is there a general lack of interest from the participants?
Although a lack of interest by the participants could be the result of a combination of factors, including organizational culture or even a misperception by the facilitator (especially during remote scenarios where communication takes place over a medium such as Zoom), it could also suggest the following:
- Lack of individual commitment to the organization’s information security strategy
- Lack of strategic prioritization of information security initiatives
- Siloing, or a lack of collaboration between teams
- Fear of revealing issues in processes
- Deficiencies in knowledge or experience
3. Did leadership demonstrate a vested interest in participating in or reviewing the outcome of the TTX?
Prioritization and visibility among leadership is critical for resolving issues identified during a TTX. Failure to demonstrate executive interest could indicate a lack of strategic prioritization of information security, like point 2 above.
4. Were participants comfortable revealing shortcomings or misconceptions within the organization related to the Incident Response plan, team, or technical capabilities?
- Confidence in pointing out shortcomings and gaps is important for a successful incident response program, especially when executing the Lessons Learned phase.
- Openness helps ensure that shortcomings and misconceptions are addressed quickly.
- Transparency within the organization can build greater trust among teams, which will improve processes and build morale, in turn improving the overall security posture of the organization.
In sum, the most successful (and enjoyable) TTXs involve teams who are willing to discuss shortcomings in a spirit of collaboration and exhibit interest from the top-down. Unsurprisingly, these engagements also provide the most value, as a TTX’s value is directly proportionate to the level of dialogue shared during the exercise. Where a culture of openness exists, ideas can flow freely, which is where improvements are born.