Byte-size Briefing: Thinking Clearly Under Pressure - The Case for Tabletop Exercices

Byte-size Briefing by The Final Step in Security, Security First Mindset on Jul 7, 2026

The Case for Tabletop Exercises

 

Tabletop Cybersecurity Exercise with Diverse Participants

 

There’s a principle we come back to often: a control is only as good as the last time you proved it worked.

In a real incident, what matters is how a plan holds up in practice, not how it looks on paper.

That’s why tabletop exercises matter and why we have been running them for ourselves and for our clients.

What is a tabletop exercise?

The UK National Cyber Security Centre (NCSC) describes these as group discussion exercises designed to explore how an organisation would respond to an unfolding cyber incident.

It’s a “rehearsal”:

    • No systems are taken offline
    • No disruption to the business
    • No expectation of perfect answers

Instead, the focus is on:

    • Decision-making
    • Roles and responsibilities
    • Communication and coordination

Who takes part?

They are not just for the IT department, effective tabletop exercises are cross-functional.

Typical participants include:

    • Leadership / Board (decision-making authority)
    • IT / Security (technical response)
    • Operations (business continuity)
    • Legal & Compliance (regulatory obligations)
    • Communications / Marketing (external messaging)
    • HR (internal communication, disciplinary issues)
    • External partners (optional: insurers, PR, legal advisors)

This reflects the reality that cyber incidents are business events, not just IT events.

 

What makes for a good exercise?

While every exercise is tailored, most include three core elements:

1. A realistic scenario

Such as a ransomware attack.

2. Facilitated discussion

A moderator guides the discussion around issues such as “the attacker is demanding payment within 24 hours”

3. A structured debrief

This is where most of the value is created. Exercises typically produce:

    • A list of gaps and risks
    • Clarified ownership and decision rights
    • Improvements to plans, contacts, and processes
    • Prioritised actions.

 

Why do organisations run tabletop exercises?

Because plans rarely survive first contact with reality, tabletop exercises are designed to:

  • Validate what you think you know.
    Stress-test incident response and business continuity plans in a safe environment.
  • Identify hidden gaps.
    Unclear responsibilities, missing contacts, outdated documentation.
  • Improve coordination.
    Cyber incidents require multiple teams to act together under pressure.
  • Build “muscle memory”.
    Teams that rehearse respond faster and more confidently.
  • Meet regulatory and insurer expectations.
  • Frameworks such as NIST and ISO 27001 require regular testing of response plans.

 

What do organisations actually learn?

A tabletop exercise makes you more resilient because it forces you to map your current reality, not the one you previously planned for. It is often surprising how much has changed that degrades your ability to keep working in a crisis. They are an important part of continuous improvement.

As CISA puts it, these exercises help organisations initiate discussions about their ability to address real threat scenarios and improve response, recovery, and coordination.

You gain insight into key issues. For example:

    • “Who has the authority to shut systems down”
    • “Agree on when we would pay a ransom”

 

What changes as a result?

A well-run exercise should lead to practical, measurable improvements, such as:

    • Updated incident response and business continuity plans
    • Clear ownership of key decisions
    • Improved communication protocols (internal + external)
    • Validated backup and recovery assumptions
    • Stronger alignment between IT, leadership and operations
    • Better readiness for regulators, insurers and clients

Ultimately, they turn a theoretical plan into something closer to operational capability.

 

Roles and responsibilities

One of the most common benefits is clarifying who does what. Who communicates with clients? Who calls the insurer? Who has the authority to shut down systems? Getting this agreed helps keep your thinking clear when you are under the most pressure.

 

The questions worth asking yourself today:

• If ransomware hit your systems tonight, could you recover without paying?

• Do your suppliers’ security standards meet your own?

• Is your cyber insurance coverage still appropriate for how you work now?

• Does your team know what to do — and who to call — in the first hour?

 

If the answer to any of those is “I’m not sure,” it might be time to run the exercise. We can help you get started.

We run these exercises ourselves. A security-first mindset and honest risk assessment are part of how TFS has operated for 39 years — and how we intend to operate for the next 39. It’s not just something we recommend to clients. It’s something we practice.

 

We’re happy to facilitate a session for your leadership team too. It doesn’t take long, and the clarity it creates is worth far more than the time it takes.

Get in touch to find out more

Subscribe to our Bulletins





Free Download

Is IT a bottleneck to your company’s growth?

Discover how small business IT support can be a strong ally in making you more productive and competitive.

Download Ebook

bottlenecks