From Eye Rolls to Engagement: How One Organization Got Leadership to Buy Into Incident Response Tabletop Exercises 

Written by nysernet | Apr 17, 2025 12:55:56 PM

Picture this: a cybersecurity lead walks into a leadership meeting to pitch a tabletop exercise. Before the presentation even begins, a few executives exchange glances. Someone sighs. 

For many institutions, cybersecurity still feels like an IT problem—something technical, reactive, and far removed from day-to-day operations. And when leaders are pressed for time, asking them to participate in a simulated crisis can feel like a stretch. 

But waiting until a real incident strikes to define roles and responsibilities is a recipe for chaos. At that point, it’s already too late. 

The shift begins with a mindset change—from “this is just another security exercise” to “this is a critical part of business resilience.” 

The Turning Point: Reframing the Conversation 

Instead of opening with metrics or risk scores, the security team began with a relatable story. A nearby organization—similar in size and industry—had suffered a ransomware attack. Operations halted for four days. Payroll was delayed. Sensitive emails were leaked. And the CEO had to answer a painful question in front of reporters: 

“Why weren’t you prepared?” 

That scenario sparked immediate engagement. Then came a direct question to the room: 
“If this happened here, what would your role be in the first 60 minutes?” 

The silence that followed made the answer clear: roles weren’t well understood. A few shrugged. One person said, “Call IT?” 

That moment opened the door to reframe the exercise—not as a technical drill, but as an organizational readiness test. 

Step One: Find a Champion 

Momentum began building during a conversation with the organization’s COO. With a background in logistics and experience navigating operational disruptions, the concept of scenario planning resonated. 

Once “business continuity” entered the discussion, the value clicked. 

At the next leadership meeting, before the idea could even be formally introduced, the COO spoke up: 
“We need to do this. If we’re not rehearsing how we’d respond, we’re gambling with our operations.” 

That executive buy-in made all the difference. 

Step Two: Make It Real—Not Ridiculous 

The scenario chosen was simple and plausible: a phishing email leading to compromised credentials and suspicious financial activity. 

Each department had a clear, tangible role: 

  • Finance investigated and responded to potential wire fraud 
  • HR prepared to handle employee data exposure 
  • Legal began drafting regulatory notifications 
  • Communications was tasked with crafting a public statement under pressure 

Now the exercise wasn’t abstract. It was relevant. Every participant could see how their role mattered. 

Step Three: Create a No-Blame Zone 

Clear ground rules were set: 

  • No shaming 
  • No finger-pointing 
  • All perspectives welcomed 
  • The goal: learning, not performance 

That foundation created space for honest dialogue. 

At one point, a VP asked: 
“If legal needs 72 hours to review a disclosure and IT needs 24 to confirm the breach… aren’t we already too late?” 

That sparked a valuable conversation, which led to revised escalation timelines and clarified responsibilities. 

Step Four: Show the ROI 

After the exercise, leadership wasn’t just handed a summary—they received a strategic debrief: 

  • 5 process gaps identified 
  • 3 roles clarified 
  • 2 automation opportunities uncovered 
  • 1 measurable improvement in cross-team trust 

The takeaway wasn’t theoretical. It was actionable. Leadership didn’t just see value—they saw a roadmap. 

The Culture Shift 

Several months later, something unexpected happened. 

A department director reached out with a suggestion: 
“Could we run a scenario that includes a cloud outage next time?” 

The tone had shifted. Tabletop exercises were no longer seen as an obligation. They had become a way to strengthen operations, test readiness, and build confidence. 

Your Move: Making Incident Response a Strategic Conversation 

Organizations looking to gain leadership buy-in for incident response exercises can learn from this approach: 

  • Frame the conversation around business risk—not just cybersecurity 
  • Engage a respected champion who understands operational impact 
  • Design scenarios that are realistic and relevant to daily functions 
  • Foster a learning environment instead of a performance review 
  • Translate each exercise into real-world improvements 

What began as a reluctant conversation evolved into one of the most effective strategies for unifying leadership, clarifying roles, and strengthening resilience. 

Because hope isn’t a strategy. Practice is. 

Final Thoughts: Make Tabletop Exercises Part of the Culture 

When designed with intention and relevance, tabletop exercises don’t feel like interruptions. They become part of the organization’s rhythm—an essential tool for building trust and readiness. 

And when that shift happens, the questions change—from “Do we really need this?” to: 
“When’s the next one?” 

That’s the turning point—from resistance to resilience.