Maximizing Cyber Resilience: The Power of Tabletop Exercises in Information Technology

MGM Resorts, one of the world’s largest gambling and hotel firms, shut down its systems on September 11th, 2023, after detecting the impacts of a cyber-attack—hackers later confirmed they stole customers’ personal information. 

The attack is expected to cost the company $100 million. 

It seems no one’s safe from cyber threats and data breaches—they’re looming everywhere, even if you follow every safety protocol in the book. And while you do everything you can by updating passwords and investing in employee training, it's also in your best interest to run simulation exercises to prepare for when an incident occurs. Since you can’t 100% guarantee your company’s safety from a cyber-attack, how much mitigation impact can you have? How much money can you save from not having users’ personal information leaked? How much time can you save from knowing what to do ahead of time, rather than scrambling at the last minute?  

If you’re curious, you’re in the right place. This article will explore what tabletop exercises are, their benefits, and how you can implement them into your organization to further fortify your cyber defenses.  

What are Tabletop Exercises? 

Tabletop exercises (TTX) are simulation tools used to test and enhance an organization’s ability to respond to emergency situations. They often take place in the form of group discussions in controlled, informal settings, such as classrooms or large meeting rooms, where key team members are assigned roles (they can vary from their day-to-day ones) and must carry out their designated responsibilities accordingly. Participants are encouraged to work collaboratively through each hypothetical scenario by audibly analyzing, discussing, and strategizing their response strategies with their peers. The end goal of TTX is to evaluate your organization’s ability to detect and respond to cyber-attacks to better protect your employees, environment, and customers and to keep your business safe.  

4 Benefits of Tabletop Exercises for IT Departments 

Tabletop exercises force companies to evaluate their current processes and procedures, and find any holes (read: areas attackers can sneak in). It makes them prioritize what needs to be changed within their cybersecurity protocols—addressing critical issues before they escalate.  

1. Risk Identification: Simulating realistic cyber threats allows organizations to identify and assess potential real IT risks in a controlled setting. In doing so, they can evaluate their current security protocols and identify where any vulnerabilities lie—a proactive approach to IT. 
2. Effective Collaboration: When a cyber incident happens, it’s important teams know how to communicate and collaborate effectively with one another. TTX offers the opportunity for cross-functional collaboration to allow IT, legal, communications, and other key departments to work together and practice coordinated responses. The better they can communicate during an actual cyber threat.  
3. Training and Development: Tabletop exercises provide training opportunities for IT professionals to test their skills (and learn more!) in a hands-on manner. This exposure will benefit employees in the long run, as they’ll have a deeper understanding of their roles and how to respond (in both technical and non-technical ways) confidently to cyber incidents. For leaders, this is especially important, as they’ll practice making quick, informed choices under pressure—enhancing their decision-making skills. 
4. Policy Evaluation: A lot of companies let their cybersecurity policies collect dust. They spend loads of time building these protocols, but don’t have any idea about their effectiveness until a threat is detected. A TTX allows organizations to test their policies to identify any gaps and weaknesses they may have—leading to stronger, more refined policies that can protect them during cyber threats. 
   

How to Plan a Tabletop Exercise for Your Organization 

While the complexity of the exercise (e.g., how many people are involved in the simulation) and the goals set will vary from organization to organization, the format used to ensure the objectives are met will remain the same across the board.  

TTX Roles 

• Participants: Actively participating in solving the proposed cyber threat. They should be pushed to engage in conversation and to explain their reasoning behind their thoughts and choices. Roles will be assigned based on current roles within the company (engineers won’t be pretending to be emergency communication specialists). 
• Facilitator: Controls the pace of the exercise. Also oversees the addition of information and data as the simulation plays out. Responsible for creating discussion among the participants.  
• Observers: Participate when asked. Mostly observing and watching how the exercise plays out
• Evaluator: Assists in the post-TTX assessment of what went well and what needs to be improved. Responsible for identifying strengths and weaknesses. 
  

TTX Flow 

• Introduction: The facilitator will set the stage for participants by outlining the purpose of the TTX, the objectives to be achieved, and any specific scenarios or conditions that will be simulated. During this time, you will also provide an overview of the ground rules (e.g., this is a simulation exercise, not a real-time incident). 
• Set the scene: First and foremost, scenarios need to be realistic enough to mimic potential real-world cyber threats. Your goal in running a TTX is to simulate what your employees would do in the event of a threat occurring—prepare them accordingly! When creating a scenario, don’t be afraid to challenge participants! You want them to think critically. Also, you may add additional information as the simulation goes along to keep it dynamic (just like you won’t have all information at once in a real event). 
• Roles and responsibilities: Assign participants specific roles. Their roles should be related (doesn’t have to be their exact role) to what they’d do in a real-world situation of a cyber threat at your company. Include all relevant key stakeholders (IT, security, legal, communications, executive leadership) and clearly define their roles and responsibilities so they can effectively contribute to the exercise.
  
• Pass go: Let participants begin engaging in discussions and the decision-making process to handle the theoretical cyber-attack. 

• Mid-simulation observations and updates: Feel free to ask participants to share their thoughts or propose actions to take in response to the simulated event—this should be very hands-on. As the facilitator, you can inject as needed with events or information that are important to the simulation (e.g., a change to the organization’s environment or the identity of the hacker). Make sure participants document their actions, rationale, and decisions—this will be helpful in the post-exercise analysis.  
• Debrief: Once the exercise is completed, give participants an opportunity to reflect on the simulation. What went well? What didn’t go well? What are some areas for improvement? It’s up to facilitators to guide the discussion and to highlight any additional key observations or lessons learned. 
• Document the TTX: Build a follow-up document that assesses the effectiveness of the TTX, based on the previously defined objectives in step 1. Topics covered should include: lessons learned, key findings, recommendations (ex: employee training), incident response speed, communication, coordination, and decision-making.  
• Follow-Up and Action Items: Once the simulation has been analyzed, identify any follow-up actions and improvements that need to be made. Common examples include cyber policy updates, IRP adjustments, and employee training. Ensure your organization applies the lessons learned in the TTX, follow up on what went well, what didn’t, what was learned, and what’s being done. 
• Regularly Review: Review and update your IT tabletop exercises regularly to best prepare your team to respond to emerging threats and technology changes.
  

Proactive IT Solutions 

The biggest drawback of IT tabletop simulations is just that, it’s a simulation—it's not real. No matter what you do as a facilitator to inject information or set the scene, no one’s sweating thinking they’re going to lose their jobs over the simulation. Feel free to add incentives or up the stakes to increase the energy and participation with rewards or gifts. That said, it’s important to understand and stress the value upfront. A cyber threat may not actually be happening, but performing well in a mock scenario will improve an employee’s response time and confidence when one does happen.  

Organizations must invest in proactive IT responses to protect their information technology infrastructure (a good starting point is to run a TTX once per quarter). Cyber threats are happening too often for them to not. Tabletop exercises are a great place to begin. They provide controlled, collaborative environments to test and refine IT incident response strategies. In embracing tabletop exercises for IT departments, companies are increasing employee confidence, enhancing team collaboration, minimizing the impact of potential cyber threats, and empowering their users with better, safer IT solutions.