Building Effective Tabletop Exercises

Learn how to create relevant and impactful tabletop exercises for your clients.

By nature, humans are imperfect. We make mistakes, have insecurities and we simply don’t know what we don’t know. If your client understands their role in your cybersecurity strategy, you have fostered a relationship of trust.

MSPs can build that trust through relevant and impactful tabletop exercises, according to Matt Lee, security and compliance senior director, Pax8 and Sarah O’Kelley, director of client services, Choice Cyber Solutions, during a cybersecurity session at ChannelCon 2024. Lee and O’Kelley demonstrated how to create a tailored tabletop exercise that provides tremendous value, boosts confidence and nurtures trust.

Prepare and Create Your Tabletop Exercise

The first step is coming up with a representative scenario. It should be realistic and impactful, without going over your client’s head. The tabletop exercise should highlight how their organization responds to an incident as a whole—troubleshooting their plans to ensure the company is as resilient as possible.

“The concept of a tabletop exercise is one size fits all,” O’Kelley said. “But individual scenarios are not.”

Follow these steps to get started:

  • Ask yourself questions about the risk the organization manages
  • Find current examples of incidents that are in the client’s industry or sector
  • Select one threat to use for your exercise
  • Determine the sequence of events that would happen in that instance
  • Develop an incident timeline
  • Use the timeline as a guide to walk through the incident
  • Create a brief outline

O’Kelley says her go-to example is usually phishing or social engineering, because we know that’s how systems get breached. And making it real really hits home.

“When you timeline the sequence of events that would happen in a given incident, you’re trying to tell a story. The gaps you leave in that story will cause problems,” Lee said. “You need to create those injects.”

The duo also suggests allowing at least 90 minutes for a single incident meeting, but cautions that 2+ hours is too long, noting that you need participant engagement, attention and energy. From a security standpoint, these types of exercises should be held more often than just once a year. “Our brains retain information for only so long,” Lee said. “Once a year doesn’t cut it.”

O’Kelley said that breaking it down into smaller chunks is acceptable, especially for clients who have never participated in a tabletop before. “You want them to feel confident and feel like they have support,” she said.

Of utmost importance is having the right people at the table. Both O’Kelley and Lee encouraged getting as many decision makers at the table as possible. Ideally, the participants are the people who hold the named roles in the incident response plan. You want the people in the room who would actually be involved if this incident were to occur.

Facilitate the Tabletop Exercise

Once you’ve created a tabletop exercise that is tailored to your client, it’s time to run it. Make sure you have a slide deck (if virtual) or a flip chart or whiteboard (if in-person) for an assigned note taker to write down key points throughout the exercise. The note taker should not be part of the exercise, but should understand what is happening, record what’s being said by whom and identify the points in the process where people don’t know what to do. This is critical for improving processes down the road.

Set the Stage

Introduce the tabletop exercise as a role-play scenario and give your client the benefit of letting them know this is a zero-stakes game. “People get very nervous, especially with a range of roles (like the CEO) in the room,” O’Kelley said. Emphasize that the goal is to run through their plans and processes to determine how to either structure a basic incident response process moving forward or refine their techniques and bring practices up to date.

Establish Ground Rules

Designate a role for each person or group at the table. These roles should align with the organization’s team with regards to managing incidents. Roles may include:

  • CEO
  • CTO
  • CISO
  • IT director
  • Legal team
  • Client services
  • Business development lead
  • IT staff

These do not have to be the same roles that the people actually hold; however, it does make for a simpler process to have people assigned to perform the same role they would during an actual incident.

Encourage participants to stay true to their roles. For example, if the CEO is the person that would make the decision on notifying the legal or external forensics teams, nobody else at the table can make that call; they would have to present information to the CEO to determine when to act.

Kick It Off

As you’re facilitating the tabletop exercise, ask these questions to engage the participants and dig deeper:

  • Who: Who would notice this? Who to report to? Who to call in to assist?
  • What: What actions will you take? What is your backup plan? What tools will you use?
  • When: When do you report to regulatory boards? When do you call your cyber insurance?
  • Where: Where are you gathering everybody? Where are you accessing your plan?
  • How: How are you going to recover? How will you communicate with your clients?

Curate Lessons Learned

Immediately after the tabletop exercise, you’ll want to talk through what went well and what didn’t. This is called a hotwash. Discuss the resources they had at their disposal, if the right people/roles were involved and where the process broke. It’s also important to highlight areas of strength for the team, as well as for each role.

“From a facilitation perspective, we don’t walk away with people thinking they did bad,” O’Kelley said. “Call out anything that they did well because you want to continue that behavior.”

“I will never leave a tabletop exercise without something positive to say to that client. You need to end with something positive,” Lee said.

Then, follow up in about two weeks.

“As an MSP this is your opportunity to spell out how you can help fill those gaps and support the places of weakness. The longer we keep clients feeling like we are their partners, the longer we keep clients,” O’Kelley said.

Lee agreed. “This is a great way to say to your clients, ‘here’s how you can contact me, here’s what you do if something happens.’ Don’t miss that you can kill two birds with one stone, as a response to these exercises.”

Regardless of where your clients are in terms of cybersecurity maturity, tabletop exercises can be useful. Help them understand that incidents can (and do) happen. If they have a plan, take it, have them run a tabletop against it and look for areas of improvement.

One of the keys to successfully weathering an incident is teamwork—the ability to communicate and get to the right people at the right time. You cannot replace the value of the communication they will build with each other to prepare for an incident. It’s about testing organization resilience as a whole. You are helping the organization get stronger—and that is invaluable.
