The Truth Sharpening the Blade: Why Incident Response Tabletop Exercises Are Non-Negotiable
I stood in the back of the conference room at a recent security and privacy conference. The keynote speaker was a seasoned cybersecurity expert with experience leading and managing some of the most significant cyber incidents in our history. A question was posed to the audience of approximately 350 security professionals, “How many of you in this room have a Cyber Incident Response Plan?” Not surprisingly, nearly every hand went up. Next, they asked, “How many of you have tested your plan in the last 12 months?” I could count the number of responses on one hand.
Just shy of a year ago in a similar setting with different participants, these same questions were asked. The responses? Nearly identical.
According to S&P Global,
- Less than ½ (42.7%) of companies across all industries, including education, have a cybersecurity response plan and test it at least annually.
- One in five companies do not have a plan or procedure in place at all.
- The remaining 1/3 of companies have plans in place but test them less often than annually.
Surely compliance requires you to have a written and tested Incident Response Plan? Although many compliance standards like SOC2, CMMC and HIPAA require controls for cyber incident preparedness, there are still gaping weaknesses across many organizations. A recent HIPAA journal study found that:
- 37% of healthcare organizations do not have a security incident response plan in place, despite it being a requirement of HIPAA.
- 1 in 3 healthcare organizations have experienced a data breach in the past 3 years, and 42% of respondents said they had experienced a ransomware attack. Almost half (48%) of attacks impacted customer data and 1 in 4 attacks impacted patient care.
Why aren’t more organizations prioritizing development and validation of an incident response plan?
If compliance isn’t a driving motivator, what else is contributing to the lack of preparation? Like many of these statistics, there is no single underlying cause. If there were, we’d all fix it and move on. Here’s what I heard when talking to nearly a hundred different security leaders in the past 12 months:
Perception of Value:
- Some organizations view incident response plans as a ‘check the box’ document rather than a crucial component of a proactive security posture.
Lack of Executive Support:
- Leadership may not fully grasp the importance of a cyber incident response plan, their role in it, or the value of testing one, leading to a lack of attention and prioritization.
Resource Constraints:
- Budget limitations, lack of experienced personnel, and competing priorities can lead to incident response plans being neglected or under-resourced, including testing.
Focus on Prevention:
- Some organizations focus on preventing incidents rather than preparing for them, leading to a lack of focus on an incident response strategy.
Complexity and Time Commitment:
- Developing and testing a comprehensive incident response plan can seem time-consuming and complex, leading to a lack of focus and prioritization.
Underestimation of Risk:
- Organizations may underestimate the potential impact of a cyber incident, leading to a lack of urgency in developing and testing their plan.
Lack of Integration:
- Incident response plans may not be integrated with other critical response programs (e.g., physical security, emergency response), leading to gaps in coverage and coordination.
Outdated Plans:
- Organizations may not keep their incident response plans up to date with the evolving environment, staffing changes, and threats, making them ineffective when needed.
The actual value of creating and maintaining a tested incident response plan:
Would a fire crew run into a burning building without testing their protocols, strategy and communication skills? As the daughter of a career firefighter, I can promise you, they do not. Think of a tabletop exercise as a fire drill for your incident response team. The most opportune time to validate your assumptions, strategy and responsibilities is during a simulated crisis in a controlled environment, without the pressure of a live attack. Identifying weaknesses and opportunities is not about pointing fingers or exposing flaws; it's about collaborative learning and continuous improvement. Here’s how to maximize your time and effort to get the best value out of your investment:
- Make it relevant. One of the most common pitfalls people run into is testing the plan using a non-applicable or generic scenario. While testing of any kind is better than no testing, make sure the scenario you’re using to test your plan is relevant to your industry and organization.
- Establishing clear roles and responsibilities is paramount to the success and duration of a response. Be sure to ask yourself: are the roles and responsibilities clearly defined? Does everyone understand their part in the response? Are our communication channels reliable? How do you communicate with one another when your typical communication channels are unavailable? Who is coordinating the response?
- A tabletop exercise exposes areas where teams may lack the necessary knowledge or skills. You may discover that your team needs advanced techniques in threat detection or that your understanding of legal obligations regarding data breaches is insufficient. Uncovering these areas proactively allows you to address these gaps through targeted training and development.
- Real-world incidents are chaotic and stressful. A tabletop exercise provides a safe space to practice making critical decisions under pressure, without the fear of real-world consequences. You can analyze your decision-making processes, identify potential biases, and develop strategies for making informed and timely choices.
- How we communicate with stakeholders, including executives, customers, and the public, can significantly impact the outcome of an incident. Tabletops allow us to manage expectations and practice crafting clear and concise messages while maintaining trust and preserving reputation.
- As the saying goes, ‘pay now or pay later’; either way, you’re going to pay. By identifying and addressing weaknesses in your incident response plans, you can mitigate the potential impact of a real-world attack, saving time, money, and reputation.
In it for the long run
There are real financial impacts of not prioritizing a validated incident response plan. In IBM's latest Cost of a Breach analysis, organizations with high levels of IR planning and testing saved $1.49M on average and shortened their time to contain by 62 days compared with those without. Additionally, insurance providers look at whether you have one when deciding whether to award your cyber policy and when calculating your premiums. Those without a plan pay an average of 58% more to clean up after breaches.
Let's start prioritizing proactive preparation, making incident response planning and testing a regular and crucial part of your security strategy. Your organization and your peace of mind depend on it. Don't wait for perfection, just get started.
Affordable, Actionable Cybersecurity
At NYSERNet, we understand the challenges that nonprofits, campuses, and research institutions face. Our Cyber Resiliency Tabletop Engagements are:
- Tailored to your organization’s unique needs. We don’t use a one-size-fits-all approach.
- Designed for efficiency. We maximize value and minimize disruptions to your time and operations.
- Cost-effective. We focus on right-sized effort for high-impact outcomes without unnecessary expenses.
Don’t wait for a cyber incident to prove the importance of Incident Response Tabletop Exercises. Get ahead of threats today and let us help you improve your cyber resiliency.
Emilyann Fogarty
Chief Information Security Officer