There’s a principle we come back to often: a control is only as good as the last time you proved it worked.
In a real incident, what matters is how a plan holds up in practice, not how it looks on paper.
That’s why tabletop exercises matter and why we have been running them for ourselves and for our clients.
The UK National Cyber Security Centre (NCSC) describes these as group discussion exercises designed to explore how an organisation would respond to an unfolding cyber incident.
It’s a “rehearsal”:
Instead, the focus is on:
Who takes part?
They are not just for the IT department, effective tabletop exercises are cross-functional.
Typical participants include:
This reflects the reality that cyber incidents are business events, not just IT events.
While every exercise is tailored, most include three core elements:
1. A realistic scenario
Such as a ransomware attack.
2. Facilitated discussion
A moderator guides the discussion around issues such as “the attacker is demanding payment within 24 hours”
3. A structured debrief
This is where most of the value is created. Exercises typically produce:
Because plans rarely survive first contact with reality, tabletop exercises are designed to:
A tabletop exercise makes you more resilient because it forces you to map your current reality, not the one you previously planned for. It is often surprising how much has changed that degrades your ability to keep working in a crisis. They are an important part of continuous improvement.
As CISA puts it, these exercises help organisations initiate discussions about their ability to address real threat scenarios and improve response, recovery, and coordination.
You gain insight into key issues. For example:
A well-run exercise should lead to practical, measurable improvements, such as:
Ultimately, they turn a theoretical plan into something closer to operational capability.
One of the most common benefits is clarifying who does what. Who communicates with clients? Who calls the insurer? Who has the authority to shut down systems? Getting this agreed helps keep your thinking clear when you are under the most pressure.
|
The questions worth asking yourself today: • If ransomware hit your systems tonight, could you recover without paying? • Do your suppliers’ security standards meet your own? • Is your cyber insurance coverage still appropriate for how you work now? • Does your team know what to do — and who to call — in the first hour? |
If the answer to any of those is “I’m not sure,” it might be time to run the exercise. We can help you get started.
We run these exercises ourselves. A security-first mindset and honest risk assessment are part of how TFS has operated for 39 years — and how we intend to operate for the next 39. It’s not just something we recommend to clients. It’s something we practice.
We’re happy to facilitate a session for your leadership team too. It doesn’t take long, and the clarity it creates is worth far more than the time it takes.