
Most, if not all, business takes place through digital technology and electronic communications. Every such transaction, and all information stored and transmitted electronically, is at risk. Security incidents (any event that puts sensitive information and computer systems at risk) take many forms, including the unauthorized disclosure of personal or electronic payment information and attacks disabling or compromising computer or telecommunications systems.

Create an Incident Response Plan: Your Security “Playbook”

Because security incidents present organizations with numerous and potentially damaging financial, operational, and legal risks, creating an incident response plan is an essential part of any organization’s security program. An effective incident response plan provides a “playbook” to follow when an unexpected and unfamiliar event forces an organization to investigate and take action.

Practice Your Security Playbook

But executing the directives in a playbook doesn’t happen by accident. Just as a football or basketball team would be foolish to try out a play for the first time when facing a game day opponent, an organization cannot create and execute its response actions on the fly when confronted by an incident. When a cyberattack threatens sensitive information or critical facilities, an organization must focus its attention, time, and resources on the important stuff: identifying and containing the incident, limiting any potential harm, identifying and meeting legal and regulatory requirements, and keeping the business running.

An organization must practice to prepare for a security incident or risk being caught flat-footed when a potential crisis hits. One way to practice and prepare to be game-ready is to simulate a security incident by conducting a tabletop exercise. During a tabletop exercise, members of the response team meet informally to discuss roles and responsibilities during an incident. A facilitator presents one or more incident scenarios, such as a ransomware attack, a stolen laptop, or a power failure, to the group.

Presented with these scenarios, the incident response team members can walk through their roles, responsibilities, coordination and decision-making that would take place when an actual security incident arises. The tabletop is often the first time the incident response team has met to discuss the contents of the playbook, or considered all the steps that might need to be taken in response to an event.

Apply the Lessons Learned in a Tabletop

And, similar to the way an athletic team’s practice sessions expose which areas need the most improvement, a tabletop exercise can show the gaps in security awareness, training or procedure that may require more attention.

For example, an organization may learn during a tabletop (these are real-world examples):

  • How particular threats to information (ransomware, business email compromise) could compromise the organization and its business;
  • That sensitive information is not being identified and handled properly;
  • That information and systems are not being backed up effectively;
  • That the organization does not have a good handle on which third-party vendors (e.g., cloud providers) touch sensitive information; and
  • That the plan does not contain contact information for necessary parties (vendors who manage sensitive information, forensics firm, law enforcement and government agencies).

And the tabletop exercise works to limit exposure following a security incident. IBM Security’s recent “Cost of a Data Breach Report 2019” found that the formation of an incident response team and frequent tests of the incident response plan were two of the top factors reducing the cost of a data breach:


Source: IBM Security's "Cost of a Data Breach Report 2019"

Conclusion: You Play the Way You Practice

While no simulation can prepare an organization fully for the unexpected risks brought about by a security incident, a tabletop exercise is a very useful way to build readiness within an organization and improve its security program.