So, you’ve decided to run an executive tabletop exercise and pulled off the herculean feat of getting it scheduled. Will this be a career-limiting move or a career highlight? Let’s go for the latter. Done right, a good tabletop exercise will drive tremendous value for the corporation and garner you accolades.

I have yet to do one that didn’t result in significant benefits for the company. Those benefits may include identifying gaps in processes, driving a deeper understanding, clearing up misconceptions around ownership or capabilities, or at a minimum, reinforcing and validating capabilities, roles and responsibilities.

It does, however, take planning and preparation to run an effective and impactful exercise. The critical elements below lay the foundation for doing just that. But before we get into that, what happens if you don’t plan and execute well? The damage can include frustrating your executives, either because you lose them with jargon and terminology they don’t understand or because you use a scenario that doesn’t resonate with them or the business, making them feel like it was a waste of time. Neither will help advance your career or improve your company’s incident response, preparedness, or capabilities. Not only is a good tabletop exercise (TTX) a great opportunity for the aforementioned reasons, it’s also an opportunity to build relationships, showcase your team, demonstrate business and leadership skills, and gain support.

The Critical Elements For A Successful Executive TTX:

  • Altitude: This is one of the most critical elements. This is not a technical exercise; it’s not about bits and bytes, forensics, data dumps, memory captures, or tools. The executive TTX is designed to ensure the leadership team and key partners know their roles and responsibilities and the type of decisions they will be faced with in a real crisis. Leave all the technical jargon out. Once you lose the audience, it’s an uphill battle to get them back (if you ever do).
  • Context: Make sure the scenario is relevant/applicable and feasible given your company’s industry and technical maturity. The more plausible the scenario, the more it will resonate with the participants. Likewise, ensure the systems impacted are also relevant and impactful. Pulling on personal experience and real-world examples can also help drive key points home.
  • Participants: As difficult as it is, you really need the entire executive team to participate. Anytime I’ve run a TTX and we were missing a key member of the leadership team, it showed. You risk key questions being tabled or assumptions being made. In addition to the leadership team, consider having the following participants as well:
    • Outside counsel
    • Your PR firm and/or communications lead
    • Your cyber-insurance provider
    • Your incident response provider
    • Board representative
    • Law enforcement (e.g. the FBI)

Also be cognizant of not having too many people in the room.

  • Environment: The location/room matters. You want an environment that is conducive to open dialog, has good acoustics, and of course, the ability to walk through a presentation. I personally like a U-Shaped seating format with a screen at the front.
  • Delivery and Moderation: The person running the exercise needs to be a good speaker and listener. They must be comfortable around executive leadership. You need to know how to guide the scenario and discussion points and recognize if you are losing the audience. Case in point, during a TTX not too long ago that I was advising in (not running), I had to jump in a few times when the lead presenter/moderator was losing the audience and was wholly unaware. When running an exercise, I will frequently stop and check for understanding. You may be surprised how often someone raises their hand to get more clarification. I also always emphasize/reinforce that this is the time and place to ask questions and make mistakes — that’s why we do this.
  • Recap: At the conclusion of the exercise, recap any specific action items identified, and ask the participants what they thought went well and what didn’t, as well as what opportunities were identified. Finally, let them know you will be issuing an after-action report.
  • After Action Report: Within a week or two, send a report of all key points identified, gaps, action items, what went well and, of course, your recommendations.
  • Follow-up: Running a great TTX is key but the point is to identify areas for improvement. Following up to answer questions or provide additional guidance is important.

I personally love running or advising executive tabletops. I find them fascinating and love seeing opportunities uncovered. I have seen CEOs jump in with great ideas and process knowledge, department heads who thought they had a good plan realize they didn’t, and an agency that was relying on another agency for key processes realize they didn’t actually know how that would or does work.

A lot of this may seem straightforward, but it’s easy to get it wrong and there is a lot at stake here. If I have learned one thing in my time here, it’s that we often struggle with the basics or lose sight of the real intention. Take the time necessary to plan and ensure you drive maximum value and impact.

Interested in running a TTX? Reach out and let’s see how we can help — whether as an independent third-party advisor or having us run one.

 

David Levine is a VP, Executive Partner for Forrester. In this role, David works with Forrester CISO/CSO and other technology executive clients to help them define and achieve their key security, governance, and business objectives. David provides tailored, actionable advice informed by his experiences, and he works with Forrester’s research, advisory, consulting, events, and data teams to bring the best of Forrester to clients.