Cybersecurity Blog | Ingalls Information Security

Why Tabletop Exercises Are Critical to Your Business Security Strategy

Written by Jessica Owens | Jul 25, 2022 4:00:00 AM

Creating and implementing a comprehensive risk management strategy is a critical piece to managing and mitigating cybersecurity threats and breaches within an organization or business. Now more than ever, security should be integrated into every department to ensure compliance, consistency, and understanding of best practices.

A critical component of building a comprehensive, well-planned risk management strategy is conducting regular tabletop exercises (TTX). Not sure where to start? Read on to learn why incident response plans are a critical part of a risk management strategy and how tabletop exercises are used to test an incident response plan.

What Is a Tabletop Exercise?

Gone are the days where one-and-done safety training videos and pamphlets suffice for the tools we use and the (now digital) workspaces we belong to. In the current landscape,  technological convenience for the user means technological complexity under the hood, and this opens up unprecedented avenues for vulnerability exploitation. For an organization, it’s now critical to know not only what internal and external activities could potentially bring malware throughout your entire network, but how you will be equipped to handle that incident, no matter the circumstances. How do you prepare for the worst? As they say, practice makes perfect. The purpose of a TTX is to equip your team with the skills and knowledge to mitigate threats and attacks. A TTX is a hands-on interactive exercise where an incident response scenario is presented and it’s up to you (and your team) to navigate the crisis.

“[A TTX] is excellent training and a learning opportunity for [the] team, as well as being a brief review of relevant policies to look for areas of improvement and evaluate preparedness.” – Scotlyn Clark, Director of Cybersecurity Professional Services at Ingalls

Being prepared takes practice, as practice builds excellence of skill and response. This concept is embodied by top performing sports teams, military units, and even schools. Remember fire and earthquake drills? A fourth grader doesn’t know how to respond in emergency situations until they’ve practiced the drill over and over. The same rings true for organizations that have been breached. Training for what could go wrong, knowing what could be affected, and what remediation and recovery looks like is essential to security excellence. A properly prepared and executed TTX will address potentially complex issues and stress-tests your organization's level of performance. How you react, when you relay information (and to whom),  and what you know or don’t know all play a role during an incident.

Why Is a Tabletop Exercise Important to Your Business Security Strategy?

Here’s the bottom line: Everyone thinks it won’t happen to them. Budgets, time, and avoidance are all excuses that put off implementing critical practices that will protect your organization and company. Oftentimes, companies don’t understand the full value of a TTX until it’s too late. 

Given the rapid discovery and disclosures of Zero-Days that make the headlines (and the countless other emerging threats that don’t, but nevertheless prevail in cybersecurity community discussion), consider the risk your organization is potentially accepting because of assumptions made about ROI and other budgeting priorities, unresolved time management issues, and especially assumption of safety from targeting by a threat actor. If your organization provides a service, you are part of the supply chain, and the likelihood of being targeted is quite real. Consider also that smaller businesses and organizations make good practice for threat actors. Disrupting or destroying your business with ransomware or other cyber attacks makes no difference to them if they can quickly field test new iterations of their preferred methods of onslaught with your intranet.

“Organizations of all sizes can be the target of malicious actors. SMBs are an ever increasing target, and compared to large organizations, are oftentimes less equipped to deal with incidents.” – Stephen Gutleber, Senior Cybersecurity Consultant at Ingalls

Still not convinced a TTX is right for your organization? Ask yourself these questions and if you don’t know the answers, it’s time for a TTX. 

  • What are the steps you need to take when a cyber attack has occurred?
  • What PII do we (own/host/have) and how do we currently protect it?
  • Has the overall data we (own/host/have) gone through classification identification?  
  • How long would it take for us to respond to a cyber attack?
  • How long would it take for us to recover from a total or partial loss/compromise?
  • When do we contact law enforcement when we are targeted with a cyber attack?
  • How will cyber insurance impact our response to a cyber attack? 
  • Who are our designated incident responders?
  • Do we use MFA? 
  • What data backup systems/mechanisms are in place and how often are they reviewed?
  • When was the last time all employees were trained on reporting policy and procedures?
  • What is our contingency plan for service failure/outages? (Don’t forget to include internal comms in that answer)


What to Expect During a Tabletop Exercise

The cybersecurity industry recognized standard framework of incident response and TTX guidance  is defined by National Institute of Standards and Technology (NIST) Standard Publication (SP) 800-61 Revision 2, and is therefore the ideal methodology to follow when conducting a TTX.

A tabletop exercise will be staged in such a way as to reflect the NIST Incident Response Lifecycle:  

  • Preparation & Planning
  • Detection & Analysis 
  • Containment, Eradication, & Recovery
  • Post Incident Activities


As all voices participate, the organization will grow to understand facets that may not have been recognized before, as well as forming a group cohesion that will strengthen the organization as a whole. 

Post-Incident Activities

Eventually the conclusion of the exercise arrives, but the work is not finished. Notes should be reviewed before leaving, and communication should flow with all involved in order to tackle the Lessons Learned. During and after a TTX, it is important to accurately communicate capabilities, strengths and weaknesses, and dedicate resources to addressing any action items.

Action items are developed through the observations made during the TTX. They are clearly defined tasks which could harden the security of the organization, reduce risk, and alleviate/resolve communication and operational bottlenecks. For the best possible outcome of any TTX, action items will be built into a project plan, and addressed. Having effective project plan management and control implementation when addressing any action items is paramount to the safety and security of your business or organization.

How Do You Conduct a Tabletop Exercise?

While it is entirely possible to conduct an in-house only TTX, we highly recommend enlisting the services of cybersecurity professionals who can provide a high caliber of expertise to help your organization strengthen its security posture. 

At Ingalls, our processes are rooted in the hands-on experience of conducting real-life IRs and the daily security operations that protect our clientele.  Our Security Operations Center Director and Lead IR Responder, Cyrus Robinson, is committed to high-quality service, rapid response, and developing trust with our clients. 

“A TTX with Cyrus Robinson is unlike any other exercise I’ve experienced. Our team’s years of hands-on experience with incident response gives us so much expertise and unique perspective on providing realistic scenarios and quality insight to risks/vulnerabilities when performing our TTXs.” – Scotlyn Clark, Director of Cybersecurity Professional Services at Ingalls

We believe that communication is key to all successful relationships, and so when you enlist our services, expect our team to be with you every step of the way. For a TTX, that means both round-table conversation as well as clear and concise documentation is provided to your organization to help address industry specific threats and regulatory compliance requirements. Ingalls provides clients with a summary report of recommendations and areas for improvement, and encourages clients to thoroughly review and ask any questions for clarification.

So, how  often should a TTX be performed and how long will one  actually take?

The recommendation is to annually perform tabletop exercises or more frequently if time and resources permit, or if any significant changes in the organization have taken place. Those significant changes may include business mergers, incorporating new vendors, and or incorporating new technology solutions. 

Regardless of the reason you decide to implement a TTX into your strategy, Ingalls Professional Consulting Services approaches every client uniquely and tailors solutions based on the requirements and motivation of your organization. This means the actual time it takes to plan and execute a TTX can vary from 10 to 30 hours developing, researching, and preparing scenarios, and then creating the supporting documentation and presentations for the actual exercise. 

Next Steps

Don’t wait to experience your organization’s incident response maturity the hard way. Tabletop exercises are an excellent method to both test the assumptions and address the unknowns of your organization’s risk management/acceptance against internal and external threats. Make them  a part of your regular security auditing to maximize your organization’s risk management strategy. Contact the experts at Ingalls Professional Consulting Services for more information today.