As a CISO, you are constantly juggling priorities. You want your organization prepared for incidents and breaches, an ongoing obligation for which you may not have the time or resources. Worse, the return on traditional tabletop exercises often falls short because they lack realism, scope, participation, and follow-up review. What you want is an investment that reduces your exposure to liability for data breaches, stolen laptops, outages, and ransomware, and that improves your security posture and response plan in the process.
The CISO’s Dilemma
CISOs want this preparedness, but they need practicality. You want to test every scenario; you need actionable outcomes. The distance between those wants and needs, and between what must happen now and what can only happen later, is a daunting challenge, and for many businesses it produces fear, uncertainty, and doubt that the situation does not warrant.
Limitations of Traditional Tabletops
Traditional tabletops, when you can actually run them, are kind of fun, right? Bagels, donuts, sandwiches, and limitless coffee are delivered, and everyone gathers in a boardroom to "choose your own adventure". It is low-stress work. People can be clever and creative because even when the exercise gets the scenario totally wrong, the camaraderie and the what-ifs are enjoyable. We come away with some half-decent action plans documented for posterity, and nobody had to miss an important personal event because an attacker got lucky.
But we also know the problems with these tabletop simulations:
- Static Scenarios: Pre-scripted scenarios age poorly as the threat landscape changes. Who had "an EDR update causes mass blue screens" on a tabletop script before July 19th, 2024?
- Limited Scope: Too often we focus on technical aspects while neglecting the broader people and compliance considerations. And we consistently underestimate how much communication an incident requires to keep everyone who is responsible or accountable properly consulted and informed.
- Infrequent Execution: Annual or semi-annual exercises leave long gaps in preparedness, and the cost of running tabletops the old-fashioned way is high while the return is limited.
- Limited Return on Investment: It is hard to quantify improvements and therefore hard to justify the resources spent. The silver lining to the SEC's July 2023 cybersecurity disclosure rules is that executive accountability for cybersecurity incidents has grown, which supplies an external motivator to invest in tabletops that was formerly missing. So rather than chasing ROI in the classic sense, treat tabletop exercises as cost mitigation.
Transforming the Tabletop: A New Approach
To bridge the gap between the desire for preparedness and the need for a working action plan that satisfies regulators and manages risk, we must evolve our approach to tabletop exercises. Here is how:
1. Dynamic Scenarios for the Whole Business
Use threat intelligence to remix past incidents into new, plausible, and relevant scenarios. This "choose your own adventure" approach is a genuinely good fit here: it keeps exercises fresh so that they reflect historical context, current threats, and your organization's unique risk profile. An applicable end-to-end scenario also drives engagement from other teams in the organization, improving their readiness as well as the security team's.
2. Real-World Cross-functional Readiness
Ideally, even traditional tabletop exercises would involve stakeholders from across the organization (legal, PR, operations, and executive leadership), but it is hard to get those people into a room, let alone to keep them there brainstorming for most of a day. Instead, include these teams by notifying them through the same mechanisms you would use in a real incident, preferably while they are going about their normal day-to-day business, and with every message clearly marked as an exercise so that no one starts a real regulator or customer notification. This holistic approach prepares teams for the full spectrum of breach impacts, including the difficulty of reaching some members and finding alternates, and it exercises the very systems and processes you will rely on during an actual incident.
3. Continuous Micro-Exercises
With a modern incident management platform you can augment or replace infrequent, large-scale exercises with regular, focused micro-simulations. These bite-sized simulations can involve a subset of cross-functional teams and can be integrated into daily operations, fostering a culture of constant preparedness. Properly gamified, they also produce team metrics and opportunities for growth and learning through experience.
4. Quantifiable Metrics and Outcomes
Speaking of metrics: defining clear, measurable objectives for each micro-exercise, such as time to acknowledge a page per role, time to the first executive decision, or the share of required stakeholders reached within their target window, lets you track improvement over time in process readiness, response time, decision-making efficiency, and cross-team collaboration. This stands in sharp contrast to the often laborious post-mortems on actual incidents, and it tells you what a best-case and a worst-case response time actually look like for your organization.
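As an added example that is not part of the original post or of any vendor platform, the following Python turns the ideas in sections 2 and 4 into numbers: it scores two constructed micro-exercise event logs (the timestamps, role names, and acknowledgement SLAs are assumptions, not real data) and computes time to acknowledge per role, SLA hit rate, roles that were never reached, escalation count, and time to the first decision, then reports the delta between runs.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not real exercise records): two micro-exercise
# runs of the same "ransomware on the finance file share" scenario, three
# months apart. Each event is (ISO timestamp, role, action). Role names
# and SLA targets are assumptions for illustration.
RUNS = {
    "2024-06 run": [
        ("2024-06-03T09:00", "security-oncall", "notified"),
        ("2024-06-03T09:04", "security-oncall", "acknowledged"),
        ("2024-06-03T09:10", "legal", "notified"),
        ("2024-06-03T09:10", "comms", "notified"),
        ("2024-06-03T09:10", "it-ops", "notified"),
        ("2024-06-03T09:41", "legal", "acknowledged"),
        ("2024-06-03T09:55", "it-ops", "acknowledged"),
        ("2024-06-03T10:30", "comms", "escalated"),  # primary silent, alternate paged
        ("2024-06-03T10:52", "comms", "acknowledged"),
        ("2024-06-03T11:20", "ciso", "decision"),  # e.g. isolate the share, engage counsel
    ],
    "2024-09 run": [
        ("2024-09-16T14:00", "security-oncall", "notified"),
        ("2024-09-16T14:03", "security-oncall", "acknowledged"),
        ("2024-09-16T14:05", "legal", "notified"),
        ("2024-09-16T14:05", "comms", "notified"),
        ("2024-09-16T14:05", "it-ops", "notified"),
        ("2024-09-16T14:12", "it-ops", "acknowledged"),
        ("2024-09-16T14:19", "legal", "acknowledged"),
        ("2024-09-16T14:40", "comms", "escalated"),  # nobody from comms ever answered
        ("2024-09-16T14:58", "ciso", "decision"),
    ],
}

# Minutes each required role has to acknowledge after being notified (assumed).
SLA_MINUTES = {"security-oncall": 15, "legal": 30, "comms": 30, "it-ops": 30}


def score_exercise(events, sla=SLA_MINUTES):
    """Reduce one run's event log to a handful of comparable numbers."""
    notified, acked = {}, {}
    escalations, start, decision = 0, None, None
    for ts, role, action in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        start = t if start is None else min(start, t)
        if action == "notified":
            notified.setdefault(role, t)      # first page only
        elif action == "acknowledged":
            acked.setdefault(role, t)         # first human response only
        elif action == "escalated":
            escalations += 1
        elif action == "decision":
            decision = t if decision is None else min(decision, t)
    # Time-to-acknowledge per role, only for roles that actually answered.
    tta = {r: (acked[r] - notified[r]).total_seconds() / 60
           for r in notified if r in acked}
    within_sla = [r for r, m in tta.items() if r in sla and m <= sla[r]]
    return {
        "time_to_ack_min": tta,
        "median_ack_min": median(tta.values()) if tta else None,
        "sla_hit_rate": len(within_sla) / len(sla),
        "unreached": sorted(set(sla) - set(acked)),  # the "can't find them" failure mode
        "escalations": escalations,
        "time_to_decision_min": (decision - start).total_seconds() / 60 if decision else None,
    }


def compare_runs(baseline, latest):
    """Delta per numeric metric; lower times and a higher hit rate are improvements."""
    keys = ("median_ack_min", "sla_hit_rate", "escalations", "time_to_decision_min")
    return {k: latest[k] - baseline[k] for k in keys
            if baseline[k] is not None and latest[k] is not None}


if __name__ == "__main__":
    scores = {name: score_exercise(ev) for name, ev in RUNS.items()}
    for name, s in scores.items():
        print(name, s)
    print("delta", compare_runs(scores["2024-06 run"], scores["2024-09 run"]))
```

The second run is faster on every timing metric, but the `unreached` list shows that comms never answered at all, which a plain "median time to acknowledge" would have hidden because it only averages over roles that responded. That is exactly the kind of finding a tabletop in a boardroom cannot surface, since everyone is already in the room.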
5. Technology-Enabled Simulations
At BreachRx we naturally recommend training the way you operate, which means using an incident response platform to drive immersive, realistic scenarios. Our platform automates the operational aspects of the exercise, allowing more frequent and more complex simulations without overburdening your team.
The Transformed Tabletop: Meeting CISO Needs
By evolving our approach, we can deliver what CISOs truly need (and want):
- Relevance: Exercises that reflect current threats and organizational realities.
- Efficiency: More frequent, focused exercises that don’t drain resources excessively.
- Holistic Preparedness: Readiness that extends to the entire organization.
- Measurable Impact: Clear ROI and cost mitigation for breach preparedness initiatives.
- Adaptability: A flexible framework that evolves with the threat landscape.
Conclusion
Transforming tabletop exercises is not about improving a single aspect of your security program. It is about creating a dynamic, ongoing process that matches the realities of today's threat landscape and the practical needs of CISOs. By bridging the gap between what CISOs want and what they need, we can build and strengthen a truly resilient response program, ready for whatever comes next.
Remember, effective breach preparation isn't a destination – it's a journey. Start transforming your tabletop exercises today, and take the first step toward more readiness and less liability tomorrow.