Cyber War Games

Listen to article

How to use tabletop exercises to generate the right questions to ask of your cyber team.

Business leaders consistently rank cybersecurity as one of their top concerns. For top companies, cyber capabilities have to be considered a competitive differentiator. They have moved past being a cost center and are no longer just a strategic business enabler. The risks of a cybersecurity breach in lost business revenue, customer dissatisfaction, lost intellectual property and brand reputation mean cybersecurity will continue to be an important board agenda item.

In the 2022 NACD Public Company Board Practices and Oversight Survey, board members highlighted consistent challenges with cybersecurity governance. These include reviewing critical data assets, cyber threats, response plans in case of a breach and communications following a breach. The ability to ask the right questions in these areas remains critical to effective board governance.


The Value of Tabletop Exercises

The tabletop exercise used by military organizations is a valuable framework for board members to shape questions on cybersecurity posture for a company’s leadership team. Military organizations use tabletop exercises to familiarize senior leaders with current security gaps and mitigations and to inform future resource application decisions.

Many think of a tabletop exercise as the senior leadership team literally sitting around a table discussing scenarios. While that is a part of the process, preparation is required to maximize the value of invested time. A typical tabletop exercise has several phases.

  • Baseline. Ensure a common understanding of the company’s current cybersecurity posture, recovery procedures and partnerships.
  • Threats. Review internal and external cyber threats to the organization, their capabilities and expressed intentions.
  • Scenario review. Understand how the most likely and most dangerous scenarios could play out for the company.  
  • Risk discussion. Given what is learned in previous phases, come to an understanding of the level of acceptable risk for the organization, and how that compares to the current state.
  • Follow-up on actions. Document any action items to be addressed moving forward.


Know the Organizational Baseline

Military organizations will typically use a series of shorter meetings, referred to as “road to war” briefings, leading up to a longer tabletop session to create a common understanding of the organization’s baseline and review threats. For cyber scenarios, this includes validating that the organization has prioritized systems, applications and data (based on business continuity requirements and expected costs of a breach). Asking questions about prioritization typically brings to light which parts of the organization were, or were not, involved in the prioritization. Usually, the technical parts of the organization will prioritize enterprise capabilities, while business units look at their stove-piped functional systems and data. The truth will include aspects of both. Some risk may be immediate when a breach happens, while other risks may elevate the longer a period of downtime or inaccessibility goes on. It is important to ruthlessly prioritize. If everything is the top priority, then nothing is!

Understanding the data that is most valuable — whether intellectual property, private customer information, research data or a combination of these — focuses exercise efforts. Additionally, the protection of the top systems, applications and data stores should include people, technology and process perspectives. There should be common understanding of the prioritized data, the protections put in place, and what risk is driven by protection gaps and threats. Know who is responsible for carrying that risk.

This phase includes a review of the current breach recovery and resiliency procedures. Typically, those not directly involved in the resiliency and recovery process make assumptions about it that may not be accurate and may base their planning on flawed assumptions. Ensuring common assumptions and planning factors for recovery will eliminate erroneous, disjointed efforts. As part of the review, a robust discussion of current partnerships is useful. The discussion should include relationships with cybersecurity companies, contract status and relationships with law enforcement.  

Directors can ask the following questions using this framework:

  • What is the process used to prioritize business systems, applications and data?
  • Who is involved in the prioritization?
  • What is the posture of the most critical systems, applications and data? How are they protected (technology, people, process)? Where are they backed up?
  • How often is the prioritization list revisited?
  • Where does the cybersecurity posture carry the most risk? How is that translated into strategic business risk for the company and customers?


Assess Threats

Once an organization understands its own critical cyber capabilities and security posture, assessing threats becomes much less daunting.  The “road to war” in military exercises would next include a discussion of both threat actors and situations that may cause them to act, or to escalate action. This includes world events, geopolitical factors or economic situations that would cause threat actors to escalate malicious behavior. Understanding the bad actors that may have both an interest in your organization and the capability to apply toward a breach can be insightful, but difficult to narrow.  Partnering with cyber intelligence organizations, both public and private, can at least add some context.  

Comparing the threat situation against the security posture of prioritized resources will prove enlightening in terms of the risk being carried by the organization daily. It will also be valuable in highlighting gaps. Those gaps can later be prioritized in action plans to close them over time, as resourcing and risk appetite dictates.  

Directors can ask the following questions using this framework:

  • What are the world geopolitical or economic events that might heighten the threat of a cybersecurity breach?
  • How can cybersecurity posture be adjusted to mitigate risks, both daily and over time?
  • How mature are efforts to implement zero-trust principles?
  • How high-profile a target is the company? Is there some aspect of business operations, the customer base or marketing that impacts the target profile?
  • Are there current partnerships that can quickly be exercised when a breach happens — with cybersecurity companies, law enforcement or intelligence agencies if appropriate?
  • Who is responsible for exercising those partnerships? What is the board’s role?


Review Scenarios

The scenario-review phase is what most people think of as the core of the tabletop exercise. It drives a serious discussion on the information gleaned in earlier phases and applies that to stimulate understanding among leaders. Military organizations will typically focus on the “most likely” scenario and the “most dangerous” scenario to understand the range of possible challenges and outcomes.  Company leadership should start with how the organization reacts to indications of compromise and walk through the process of mitigating the breach, operating through any degradation and recovering from the incident. The board should focus on ensuring the review has been done in sufficient detail and follow up on tasks assigned to close gaps.  

The last phase culminates in a discussion of risk, documenting capability gaps based on the current status of cybersecurity and reviewing the “most likely” and “most dangerous” scenarios. Understanding how gaps relate to the risk appetite of the organization and the cost and time to mitigate them should drive discussion on resourcing further mitigations. Mitigations may include process changes and people investments, not just technology insertion. Many overlook talent management at this stage. A robust discussion on the cyber skills the organization has, those it needs and those it should incentivize could prove strategic.


Weigh the Risks

Finally, the team should review how often a tabletop exercise should be run and the weaknesses of the scenarios that were discussed to ensure that false conclusions don’t drive actions. Document the portions of the exercise that could be automated — or should be practiced for real — via penetration testing or other exercises, rather than via tabletop.

Directors can ask the following questions using this framework:

  • What would trigger a decision to adjust cybersecurity posture? What is the role of the board during times of heightened threat?
  • What are the cost estimates — in time and money — to mitigate and recover from the “most likely” and “most dangerous” breach scenarios? Does risk elevate or decline over time?
  • What preplanned triggers for communication are in place – with law enforcement, partner organizations, the board, investors and the public? Are those communications templated in order to facilitate faster information-sharing?
  • Which gaps highlighted have action plans to mitigate them? Who is responsible for managing those efforts? How often will the board be updated?

Even if the cyber tabletop exercise is not a construct used by a company, understanding the process can be a very useful framework for board members to shape the right questions for company leaders. Asking the right questions can get to the heart of whether the most likely and most dangerous risks are being addressed and inform future resources application. If nothing else, it can help generate better understanding of risk scenarios and mitigations for board members.

Rob Lyman is a retired brigadier general of the U.S. Air Force, with almost three decades of experience in cyberspace operations, logistics and special operations. He served as assistant deputy chief of staff of the Air Force’s cyber effects operations.

Other related articles