Tabletop exercises are the best way to assess your organization’s emergency preparedness without having to experience an actual disaster. They help validate effective procedures, build muscle memory, strengthen relationships with partners, and identify critical gaps in response and recovery efforts. Too often, however, exercises fail to take advantage of all the incredible opportunities to learn, share, and improve techniques for emergency response and continuity of operations.
There is an abundance of excellent tabletop exercise resources and tools available to planners, especially the comprehensive Homeland Security Exercise and Evaluation Program (HSEEP). But these can often overwhelm a beginner. Nexight Group has conducted more than 50 tabletop exercises with diverse scenarios such as active shooter, cyber attacks, natural disasters, and physical sabotage. We have distilled the most important steps in conducting a successful tabletop exercise.
How to Design a Powerful Tabletop Exercise
1) Clarify Objectives and Outcomes. Be clear about what you hope to achieve during the exercise. However, deciding how you will use the results after the exercise is over is even more important.
2) Choose the Right Participants and Exercise Team. Assemble the security partners who manage actual emergencies to be your players. You want the key decision-makers in the room: operations personnel, emergency responders, local and state officials, vendors, and even executives. Identify observers who can contribute to discussions and use the lessons learned. Build a dynamic exercise team that brings experience and new ideas.
3) Design an Interactive Scenario and Exercise Plan. Create a solid, believable scenario that meets your objectives, but don’t get hung up on it. Time is better spent designing great questions, a detailed game plan, and an approach that will engage all players in an interactive dialogue.
4) Create an Interactive, No-Fault Space. Avoid the stiffness of a TTX by creating an environment that builds trust and encourages discussion. Declare the venue a “no-fault zone” to allow people to ask any question and make mistakes. Design the physical space to stimulate interaction. Engage all players and help them think through the series of actions that will get the best outcome.
5) Ask Probing Questions to Gain Insight. Use an experienced facilitator who can uncover key issues and discern valuable insights. Follow a good script but be flexible and responsive to the conversation. Know where to probe for additional information.
6) Capture Issues, Lessons, and Key Gaps. Don’t just rely on teams of notetakers; capture and review key points in real-time during the exercise. Use visual tools and a timeline to see how decisions unfold as an event escalates.
7) Prepare an After-Action Report. Document the exercise and next steps in an AAR. Make it stand out with clear diagrams, lists of best practices, opportunities for improvement, and lists of resources. Make it useful and readable; don’t make it an AARRRGH!
8) Create a Specific, Near-Term Plan. The best way to put learnings into action is to use the AAR to develop a simple and specific near-term plan for your organization. Don’t try to do everything at once. Start with the practical, low-hanging improvements and build from there.
9) Provide Tools and Guides to Boost Learning. This is the biggest missed opportunity for continued learning. Leverage the exercise by providing hands-on tools and guides so all participants can improve their plans. Even better, give them a scaled-down version of the exercise (A.K.A. a TTX-in-a-box) that they can run with their colleagues when they get back to the office.
As you check the boxes for your exercise design, don’t lose sight of the end game:
- Get the players right
- Keep it simple
- Use an experienced facilitator
- Maximize the discussion time
- Follow up with concrete actions
It’s what happens after the exercise that determines success.
Unique Considerations for Cybersecurity Tabletop Exercises
Nexight Group has led and planned several cybersecurity tabletop exercises. While the principles outlined above still hold for all types of exercises, we have uncovered several elements that are particularly successful for cybersecurity tabletops.
- Combine physical and cyber disruptions to create a realistic event. Failures within physical infrastructure have cyber impacts and vice versa. Deliberate attacks will likely seek to disrupt, disable, or destroy both physical and cyber assets.
- Consider the cross-sector and downstream effects of the planned disruption. Include participants from interdependent sectors who could help mitigate cascading disruptions in the TTX discussions. Tease out how degraded performance in these related sectors will affect your response efforts.
- Understand your supply chain and include the right participants in the exercise. Supply chain attacks have brought down large portions of infrastructure, often because the connections and security measures were not well understood. While it is impractical to include all suppliers, a representative sample may uncover common security weaknesses.
- Engage public and private leaders to develop norms for rapid communication. Understanding how government organizations and private firms operate in a cyber crisis can help leaders to fine-tune their decision making and shortcut communication protocols. Getting government and industry executives to quickly converge on response strategies unifies the effort and accelerates the response.