Crisis Management 2025

USA – NEW YORK Trends and Developments Contributed by: Evan Roberts and Meredith Griffanti, FTI Consulting, Inc.

spot gaps in existing plans and identify tested solutions to improve overall response capabilities. Even if the exercise is internal-led, it is often helpful to have external partners engage in the exercise as participants – much like they would in a real-life scenario. Having the people who will be called upon during an incident in the room (or virtual room) helps to build rapport between teams and experts who will all be in the trenches together during a highly stressful situation. Individuals from inside the organisation and external experts typically do not want to be shaking hands for the first time on the same day that the crisis is on the doorstep. And the importance of having the outsider-looking-in perspective cannot be overstated.

Commit to a path forward

Comprehensive cybersecurity preparedness is an ongoing, iterative process that takes continual testing, reassessing, and updating. Programme owners or sponsors should document lessons learned and implement a plan for regular programme maintenance and training. An organisation’s risk profile changes, its personnel come and go, and the cybersecurity threat landscape evolves. One exercise is great, but regular training is better. Companies should not let perfect be the enemy of good. It is important to keep the conversation going and the readiness plan improving.

Done well, tabletop exercises make cybersecurity crisis response teams more prepared and organisations more resilient. By ensuring:

• plans are tailored to the organisation;
• the right people are at the table;
• an effective sponsor takes ownership of the exercise;
• appropriate outside experts are tapped; and
• the organisation commits to a path forward,

organisations can enjoy multiplying return on investment through these important preparedness exercises.

Putting it Into Action – Where Things Go Wrong

Those are the building blocks of a sound cybersecurity tabletop exercise, and with those five core steps in place, organisations can be assured that they will glean at least a handful of real, actionable insights that will strengthen their readiness – and resolve – when they face the real thing.

But can a tabletop actually move an organisation backwards in its preparedness journey? Or can it expose some real deficiencies that cannot be fixed by a few refinements to the plan? The unfortunate answer is yes. Below are a few ways that tabletops can go (and have gone) disastrously awry.

• The company brings the right people to the table – and embarrasses them. This sounds like an easy one to avoid – after all, exercises are intended to be opportunities to learn, not tests to try to navigate. Unfortunately, some enthusiastic exercise designers – particularly external advisors who are likely looking for follow-on work – can sometimes fall into the trap of designing no-win scenarios, or scenarios that are intended to elicit “right” and “wrong” answers, rather than facilitate thoughtful discussion. This risk is particularly acute if board members are observing the exercises. There is nothing that a C-suite dislikes more than looking or feeling unprepared in front of their board. Exercises need to be tailored to meet organisations where they are in their cybersecurity maturity journey. When designing an organisation’s first ever cyber tabletop exercise, this should not include a parade of horribles in the injects that leaves
