We're in a bit of a bind. We have our incident response plan set up and we do alerts and postmortems, but we've never actually done a proper tabletop exercise. Lately, some of our bigger customers are starting to ask about how we test our incident response, and I'm realizing they're looking for something more formal than just saying that we manage incidents. I'm not opposed to doing tabletop exercises, but they tend to feel like just another chore that leads to more paperwork.
So, I'm looking for advice on how to conduct these exercises in a way that doesn't feel cringe-worthy or pointless. Any tips on how to keep them engaging and useful?
2 Answers
Embrace the concept! Think of it as a fun board game, but tailored for your business. As someone who's run these before, being engaged as a participant makes a big difference. It can be awkward for the facilitator, so your involvement can help it feel less stiff and more enjoyable.
Keep it simple! Choose a specific scenario like a phishing attack or a ransomware incident. Walk through the roles, the decisions to be made, and how communication flows. The goal isn’t to put on a show; it’s to identify gaps in your plan before a real crisis happens.
Yeah, and make sure you focus on the details of how you would actually respond in a real situation. It’s all about knowing who does what when things go sideways.