One of the most frequently quoted numbers in cybersecurity is $4.35m – the average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2022. Another less-known statistic from the same report is also worth discussing: businesses with an incident response (IR) team and a regularly tested IR plan can lower the cost of a breach by as much as $2.66m on average.
Traditionally, incident response plan optimization and team training involve cybersecurity tabletop exercises (TTX) – the fire drills of information and cybersecurity. While tabletop exercises are a proven tool for finding gaps in an organization’s security posture, they can be painstakingly challenging to plan and implement effectively and efficiently.
In a time where information security teams are understaffed and overworked, are TTX still worth the time and resources? Or are there other ways to ensure incident response team and plan readiness?
Are we Playing Make Believe?
Tabletop exercises provide an effective way to test and improve an organization’s preparedness for cyber-attacks. They enable organizations to assess the effectiveness of their IR plans, facilitate teamwork and collaboration, and train personnel in a simulated environment. TTX are vital for enhancing an organization’s ability to respond to emerging threats while considering organizational changes (role changes, supply chain risks, newly integrated defenses, etc.) between exercises.
You can’t replace tabletop exercises with technology. Even though most senior security leaders believe that the best way to prepare for a crisis incident is to buy more tech, software cannot ensure effective communication and collaboration among stakeholders. The ability of software alone, advanced as it may be, to identify deficiencies in your IR plan and train personnel in responding to incidents is very limited.
No Free Lunches in Cybersecurity
Over a third of organizations say they space their TTX a year or two apart. But that may not be due to dislike or ineffectiveness of TTX. Tabletop exercises are notoriously tricky to plan, conduct and, most importantly, analyze in a way that drives actionable optimization of IR plans and tech buying decisions.
Depending on the scope, length, complexity and number of participants involved, an average tabletop exercise can cost an organization anywhere from $30,000 to $50,000. Moreover, even if you allocate the budget and ensure the participation of all key stakeholders, you will have to invest a great deal of effort to design exercises that can simulate the intricacies of real-world cyber-attacks.
How to Leverage Tabletop Exercises in 2023
Cybersecurity threats and risks evolve, but cyber and information security fundamentals won’t change anytime soon. The goals of TTX are still the same:
- Test your IR plan
- Train relevant stakeholders
- Produce an after-action report detailing the gaps identified in the TTX
It’s all good in theory, but information security teams are understaffed, underfunded, and frequently underskilled. They are a tough crowd to engage in make-belief, even if it is vital to the organization’s overall security posture and their own workflows in cases of emergency. So, how can you employ TTX as part of your IR strategy without ruffling feathers or going over budget? Here are a few tips:
- Designate a Leader: Any TTX needs an exercise facilitator. However, designating a head of TTX in your team can ensure continuity and ownership. The person in charge can investigate scenarios, tools and services to run TTX and action the conclusions.
- Take it Apart: Lengthy and complex TTX scenarios that demand all-hands-on-deck participation are nearly impossible to schedule. It’s much easier to conduct 15-minute sessions with summaries sent to stakeholders whose attendance is optional. Moreover, attacks often consist of seemingly unrelated events that take place over time. Simulating these events in context can help train your team to keep an eye out for suspicious activity in the logs or alerts.
- Employ AI: If you haven’t spent the past year living under a rock, you should be well aware of the impact of generative AI and ChatGPT on technology industries. Regarding TTX, you can use AI to create realistic scenarios, automate attack simulations, and analyze the results.
- Make it Continuous: Annual exercises are not enough. To nurture a cybersecurity culture in your organization and optimize your incident readiness, you need to make TTX an ongoing process with frequent and short sessions that keep the players engaged. You can even run multiple TTX scenarios concurrently, with short war-room sessions focused on key aspects of each event in the attack chain.
Tabletop exercises will remain relevant for incident readiness optimization as long as humans are involved in intercepting and remediating cybersecurity attacks. As attacks and technologies evolve, so should TTX strategies and tactics. By turning TTX into a continuous process, designating an owner and employing innovative tools, you can make the best of tabletop exercises in 2023 and beyond.