One of the biggest challenges of the cyber crisis management process is the cross-organization communication, coordination and collaboration needed throughout the crisis. Incident response teams often need to work with other teams and persons in the enterprise from different disciplines and with different priorities and goals such as; the enterprise IT team, legal, public relations, different business group owners, risk and compliance officers and more. Cyber crisis management relies heavily on internal communication. During a breach, miscommunication poses a huge risk to the response process and remediation time. Cyber Crisis Management tabletop exercises are a great tool to improve internal cooperation between various teams and business groups and reduce friction during handovers and joint tasks.

This post is one of three tabletop cyber security exercises put together by the Cyberbit incident response experts. If you’d like to go directly to the other exercises, click the desired link below.

Tabletop Cyber Security Exercises:

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Breach Decision Making
Cyber Attack Playbook

Cyber Crisis Management Tabletop Exercise

Objective: Train incident response team to cooperate and communicate effectively to improve cyber crisis management

Time: 2 hours

This exercise focuses on training the incident response team to cooperate with other teams, and includes up to two additional teams across the organization, in any cyber-attack scenario of your choosing. The course of the exercise revolves around four major events which occur in each teams’ specific domain plus one large cross-domain breach that all teams must deal with simultaneously.  The recommended time for this exercise is around two hours and divided into eight stages.

This exercise starts with a breach already underway and the training manager begins with a brief of the current status. For every event presented to the teams, each team needs to manage its own processes to respond to the event, while working with the other teams to complete its task. Each cross-organizational event should focus on non-professional aspects, which require cooperation between the teams (board debriefings, compliance audits, etc.) while each team event should focus on internal process to boost the pressure and create deliberate friction (forensics tasks, press debrief, legal review, etc.)The training manager presents an event every ten minutes, leaving the teams enough time to respond to each of the events.

Post-exercise debrief: cyber crisis management

The final stage of the exercise is the debriefing. The training manager presents the scenario and its objectives, and leads a discussion around the following questions:

  • In which areas was team coordination most difficult? What can we do to improve it?
  • Are there any steps currently performed by several teams that can be done by just one team to reduce friction?

A day or two after the exercise

You took the time, conducted the training, and summarized everything in thorough notes during the session and in the debriefing stage. What’s next? First, write up a full cybersecurity training summary, which includes the scenario, goals, outcome and lessons learned. The summary will allow you to benchmark the data against future trainings and distil the next concrete steps to take. Next, ask yourself what can be improved on two planes: people skills and procedures, and based on that make executive decisions such as scheduling skill workshops for team members and improving procedures based on lessons learned.

Lastly, don’t stop there. If you think Cyber Security Training is beneficial for your incident response team, consider investing in simulation training to improve technical and operational skills of your individuals and your team.

Additional Tabletop Cyber Security Training Exercises

Overview of How to Run Tabletop Cybersecurity Exercises
Cyber Breach Decision Making
Cyber Attack Playbook

Learn more with our Cybersecurity simulation training guide.

See a Cyber Range Training Session in Action