How Tabletop Exercises Can Enhance Your Risk Management Processes

In the same way that physical exercise makes us stronger, drills and exercises can strengthen your organization’s ability to manage risk. And just as physical fitness programs involve repetition, from weight-training “reps” to crunches, you can increase your resiliency by encouraging your team to consistently practice their risk-management processes.

As cybercrime spikes and natural disasters, including hurricanes and wildfires, become more frequent, many organizations are employing a rigorous set of practices known as “tabletop exercises.” This practice can be a crucial element of risk management planning for any type of emergency. I’d like to take a few minutes to explain what a tabletop exercise involves, how it works, and why it is an invaluable risk management solution.

The tabletop exercise, according to the Federal Emergency Management Agency (FEMA), is “an instrument to train for, assess, practice, and improve performance in prevention, protection, response, and recovery capabilities in a risk-free environment.” Widely used as part of a risk management process, it allows your team to go through the actions of dealing with a simulated cybersecurity or disaster scenario and test-run your Incident Response plan or Disaster Recovery (DR) plan.

Tabletop exercises commonly take place in a conference room. The process frequently takes an hour or two, but some organizations will “tabletop” something big for two or three days.

The exercise generally has two goals. First, if run correctly, it will simply help your people prepare for an actual disaster scenario. It’s common for security-minded organizations to run tabletop exercises to prepare for various threats, from a cyberattack compromising a piece of vital IT infrastructure to a flood or earthquake damaging a data center.

The process should be run by a risk management professional who will help your team create a Runbook, which is essentially the script for your simulated rehearsal. In it, team members are assigned roles and tasks in a series of protocols which, when executed, chart a path to safety and recovery. During the tabletop exercise, they get to practice—it’s as simple as that. Studies show that introducing a little bit of stress by putting people on the spot can help them remember what they are learning.

The second, related reason to schedule regular tabletop exercises is to identify the strengths and weaknesses in your Incident Response plan. Frequently, tabletop exercises will reveal holes in your Runbook that you need to address. Conducting the exercise will also test the attitudes and perceptions of your team and other stakeholders so you can make improvements. Too often, organizations learn from a tabletop exercise that some team members know way too little about risk management.

As you are probably aware, the many threats that could cripple any business are expanding at an accelerating rate. Risk management processes, including tabletop exercises, are the only sure way to guarantee that your tools and team are prepared.

I hope you found this information helpful. As always, contact us anytime about your technology needs.

Until next time,


Meet the Author
Tim Burke is the President and CEO of Quest. He has been at the helm for over 30 years.