5 steps to stronger cyber oversight and action: Running tabletop exercises for your board
If a cyberattack took your operations offline, how solid is your business continuity plan? And is your team ready to share the right messages on reputational risk and revenue loss?
If a cybercriminal is holding customer or employee data for ransom, how will a breach impact regulatory compliance? Just as importantly, do payment plans align with your cyber insurance policy?
In today’s cybersecurity landscape of heightened risks and heavy repercussions, boards often take the blame for mistakes and mishaps. You need to be ready for anything — and that’s where tabletop exercises come in.
These face-to-face, high-intensity stress tests offer an opportunity to practice next steps and short-term recovery in a risk-free environment. The discussions that follow uncover weaknesses and gaps critical to long-term resilience. They can inform strategic decisions about resource allocation and build stakeholder confidence by demonstrating how seriously you take risk, data security and your fiduciary responsibilities.
Tabletop exercises are an investment. They require the time and attention of some of your organization’s most important figures. Yet the benefits of running regular tabletop exercises far outweigh the costs; if an actual incident occurs, your company will know exactly who needs to do what, and when. This preparation can help de-escalate a potentially catastrophic situation.
Real-time tabletop exercises provide a unique, outside-in perspective on cybersecurity, helping boards find vulnerabilities they’d otherwise miss. Here is a five-step walkthrough for productive tabletop exercises.
1. Establish the who, where and when
Any tabletop exercise starts with bringing the right people to the table.
For testing your organization’s cybersecurity readiness, your invite list should include at least these key players:
- The CISO leading incident response
- The CEO overseeing everything and keeping the board informed
- General and outside legal counsel ensuring the organization adheres to legal requirements, coordinating with law enforcement and advising on all communications
- A CMO, communications professional and/or investor relations professional to handle media requests and coordinate communications
- Board members to ask questions, review reports and provide oversight — and ultimately deliver the organization’s high-level response to the incident
- The board chair to identify the organization’s risk appetite and sign off on communications with major investors, shareholders and customers
Cybersecurity team players for mission-driven organizations
Nonprofits, charities, local governments and educational institutions will include similar roles and responsibilities in their tabletop exercises but with different titles. To make sure your organization has comprehensive representation, add the following to your team rosters:
- Council member, clerk and city manager for municipal boards
- Superintendent, president, principal and administrator for schools and districts
- Trustees and volunteer board members for nonprofits, foundations and charities
During the exercise, these participants perform their regular roles and responsibilities, discussing and initiating actions in response to the simulated emergency. Facilitators moderate interactions and play the role of all outside forces, answering questions and providing updates on the simulated situation. Facilitators may also bring in subject matter experts or observers to provide extra realism and support.
One vital but often-overlooked role: the notetaker. Notetakers should be equipped with pen and paper or a fully charged laptop to document discussions and decisions for the after-action review.
After you've decided who should attend, establish a time and place. Block out up to two hours, ideally in a single meeting, and pay attention to participants’ time zones when scheduling. Set up a meeting room with the necessary A/V capabilities and high-speed connectivity — and keep accessibility top-of-mind for in-person and virtual attendees alike.
Finally, assemble the materials participants will need throughout the exercise. These likely include a copy of your organization’s cyber insurance policy, incident response and business continuity plans and templates for crisis communications.
2. Create your scenario
Now it’s time to design the heart of the exercise: the simulated threats your board and leaders will need to respond to.
The event should kick off with a plausible form of emergency alert. That might be a phone call reporting a data breach or an email identifying unusual network activity. Think about what threats are likely and trending in your industry and draw on real-world situations and lived experience — including the experience of subject matter experts (SMEs).
Unfold elements of the attack in phases, as would likely take place in an actual cybersecurity breach. Common stages include:
- The incident itself
- The investigation
- Assessment of impact — on regulatory compliance, reputation, revenues and beyond
- “Injects” of new developments, like a ransom request after a data breach or a new compliance concern after learning the provenance of your attacker (is the company or jurisdiction on a sanctions list?) or the type of data that was leaked
- Response and recovery
Finally, incorporate quick “knowledge checks” throughout, like multiple choice questions or “select all that apply” checklists. These assess learning and progress.
As Nathan Mains, CEO of the Pennsylvania School Board Association, points out, “It's the ability now to have a system … a very consistent approach, and be able to go and kind of hit reset and go back, and the system will react differently as you learn as the participant in real life, so that you can kind of see how you've learned to make those changes.”
3. Put the exercise into action
With the plan and components in place, it’s go time! Even though these scenarios are fictional, instruct participants to act as though events are really happening. Encourage open communication and active participation: asking for clarification, questioning assumptions and more.
Framing is important to the exercise’s long-term value. Reassure participants that this is a learning experience, not a blame game. They should expect to make missteps and identify gaps — that’s what this experience is for, and it’s better to find them now instead of during a real incident.
4. Talk through how everything went
The after-action review is your opportunity to discuss what went well, challenges you encountered and areas that need improvement. Some key lessons your team might extract include answers to the following questions:
- Did the CISO’s briefing include all necessary information, and did board members ask the right questions in response?
- How well did departments communicate and coordinate throughout the response process? Were there any missing steps in their processes or missing links in the chain of command?
- Are incident response, business continuity and communication plans up to date and up to the challenge? Are there gaps to fill or amendments to make?
5. Put your learnings to work
Too often, organizations conduct a tabletop exercise only to leave valuable learnings behind in the event notes. Other times, they fail to implement necessary changes to their response, recovery and communications plans until it’s too late.
For this reason, treat tabletop exercises as an ongoing journey, not a one-and-done task or standalone item to check off your to-do list. Incorporate findings into your policies and procedures. Use feedback to guide future investments and improvements. And regularly update your scenarios to reflect evolving threats and technologies.
The Diligent One Platform streamlines tabletop scenarios and solutions
If this all sounds like a lot to keep organized, updated and secure, you’re right — it’s an exercise that demands comprehensive tools and resources that are up to the challenge.
This is where the Diligent One Platform comes in, centralizing and unifying all board management and GRC operations into one convenient, accessible place, from market intelligence to AI-powered risk data and analytics.
The Diligent One Platform is also your one-stop source for board education and certification programs, to equip leaders with the essential skills they need to tackle ever-evolving governance challenges and opportunities in cyber risk and strategy, human capital, compensation & culture, AI ethics and more.
Our Cybersecurity Education and Templates Library is your go-to resource for mastering the knowledge and tools you need to safeguard your organization in an ever-evolving digital landscape. Whether you’re a seasoned director, a forward-thinking practitioner or a leader ready to embrace the future, our short courses, best practice templates and videos empower you to confidently strengthen oversight, mitigate risks and comply with regulations.
You will also be able to access a ready-made simulated tabletop exercise – this can either be run individually or as a simulation in a board meeting, to enhance the board’s cyber literacy.
In today’s cybersecurity climate, tabletop exercises are an ideal opportunity to lead by example and keep your board prepared and proactive. Schedule a call with Diligent to talk about the Diligent One Platform and available educational resources for your board and executive leaders.
Attend the Cyber Security Summit!
The Cyber Risk Virtual Summit (February 5-6, 2025) is an unmissable free event for leaders committed to shaping the future of cybersecurity governance.