Cyber security table top exercise – Just do it.

The focus of corporate cyber security risks are now being shifted from prevention to enhance detection and incident response readiness – as you can’t stop attacks. Many organizations are still struggling to combat cyber risk as business grow increasingly virtual, they’ve more territory to defend. According to the BCG study of 50 recent major data breaches found that only 28% were caused by inadequate security technology. In the vast majority of cases—72%—the breach was the result of an organizational failure, a process failure, or employee negligence. Cyber security Tabletop Exercise (TTX) evaluates your organization’s cyber crisis management processes, tools and proficiency in responding to cyber attacks from both a strategic and technical response perspective.

Begin to understand TTX program

Organizational business continuity program should mandate CISO or CIO business units to have TTX periodically to rehearse the cyber security incident response plans. Business units should begin understand that the maturity of TTX program depends on below listed considerations

  • Budgets
  • Resources (Personnel) – include non technical groups (HR, Legal, Vendors, etc.)
  • Skill sets and Expertise
  • Executive Support
  • Incident Response documents – strategic and technical aspects
  • TTX facilitator

Cyber security TTX program bring key stakeholders together to work through a real data breach scenario for the purpose of testing pre-planned actions. This format facilitates a holistic view of strategies and tactics, and allows participants to assess sufficiency and effectiveness, identify gaps, and suggest improvements. Usually, a skilled facilitator guides the discussion to keep participants focused on exercise objectives and may introduce new challenges for participants to address as the scenario unfolds.

Cyber security TTX development process

Cyber Security TTX is intended to generate discussion of various issues regarding a hypothetical, simulated cyber incident. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions. The below diagram depicts the TTX development process

Starting with engage phase, where facilitator begins with selection of TTX objectives that are derived from corporate cyber security strategy or past cyber security incidents. For example, throughout the exercise – examine the roles, responsibilities, authorities and actions that would be used during cyber security incidents and identify gaps.

Team and stakeholder composition is important during the TTX development and execution of exercise. The facilitator should ensure that TTX team comprises of program director who serves as exercise manager, chief planner and convener; program designer who creates situation manual(s) and any other document to conduct exercise; program evaluator responsible for ensuring notes and observations are recorded throughout the exercise and provide feedback to program director; logistics manager responsible for venues, supplies (food, notepads, etc.), equipment (power point, video conference, virtual meeting services, etc.). TTX stakeholders comprises of cyber security department, IT department, Human resources, Legal, Corporate communications and marketing department, etc. who will be involved in real world cyber incidents.

Cyber security TTX scenarios shall be selected considering variety of cyber security incidents. For example, (a) Compromise of personally identifiable information (PII); (b) Cyber attack on IT/OT system; (c) Ransomware attack, etc.

Exercise design during execute phase invokes scenario development process and injects to represent new development or incident that build sub scenarios. The situation manual drafted should have exercise structure, guidelines and assumptions.

Conduct exercise triggers the stakeholder and TTX participants to interact and execute the simulation of documented incident response plans, playbooks and process. The program evaluator observer the participants decision making process, record actions and collect exercise data. Upon completion, the stakeholders and participants can hold ‘hot wash’ – that allows to provide feedback on how they performed.

Evaluation helps review the exercise and gaps identified shall be noted for improvement plans.

Measuring success with Cyber security TTX

The level of participation and greater audience with variety of expertise to combat cyber security incidents quantify the success measurements. Some of they key success criteria are depicted in below diagram

Participation in TTXs gives leaders and others an understanding of their cyber security posture, and it helps create a culture of cyber resilience that benefits the entire organization.