Incident Response Theater: Are We Just Playing the Role of Preparedness?

The curtain rises. The scene: a quiet sunny day on the teller line.

Teller 1: “It is a beautiful day today! I could not believe that the temperature was s….”

Computer alert sounds.

Teller 2: (Interrupting) “That’s strange! I just got a message on my screen that my computer might have a virus!”

Cue suspenseful music.

All: “We must assemble the Cyber Response Team!”

Incident response tabletop exercises often feel like we are performing a play. The script is written to be easily understood and acted out. Everyone knows their lines. We know that the plot will progress and that in the end, safety and soundness will prevail. But in real life, incidents are not scripted…they are chaos! So, we need to ask ourselves: Are our tabletop exercises built for performance or for reality? Are they built for compliance or chaos?

While the purpose of tabletop exercises is to build organizational muscle memory, repeating the same exercises detracts from the emotional realism of a true incident. We start checking boxes instead of learning to work with one another in crisis mode. We perform these exercises so well that we become overconfident in our ability to deliver in a real incident.

Why do we do this? We want the results of our tabletop exercises to make us look good to our leaders and to Examiners. Because of this, we are fearful of showing any adversarial tendencies or indecision during the exercise, so we avoid any surprise elements. We also tend to leave out lawyers, public relations, or other ancillary departments that might challenge the script.

Often, this problem is not realized until an actual event highlights our lack of true preparation. It may seem simple during an exercise for the CEO to make the call to restore data to the previous night’s backups, but during an actual incident, the gravity of customers losing a day of transactions looms much larger, and the decision is much harder to make. And what happens if the CEO is on a flight and is unavailable when the decision needs to be made? What if the legal department disagrees with the decision that the team wants to make? Incidents always seem to occur at the worst possible time!

Tabletop exercises should not be plays. We need to keep them real. We need to be introducing stress and chaos into the exercise. Here are some things to consider when making the exercises more realistic:

  • Introduce conflicting priorities and pressure to the exercise. Create friction, because it will definitely be present during an actual event. This will result in a better understanding of organizational dynamics while under stress.
  • Announce at the start of the exercise that key decision makers will not participate in discussions because they are assumed to be unavailable. This will force the team to identify alternative chains of command prior to an actual event.
  • Invite others to the exercise. Consider inviting board members, lawyers, cyber-insurance providers, etc. This will add feedback to the exercise that can be used dynamically during an actual incident to help make decisions.
  • Make the goal of the exercise to identify action items instead of to demonstrate that the plan was executed flawlessly.

It is time to start training for chaos in our incident response exercises. Begin today to work on ways to make tabletop exercises more realistic and less like a school play!

If you need assistance in performing incident response tabletop exercises, we can help! Just contact us at support@bedelsecurity.com to get started!

 

 
