Whether you're the U.S. Army, the New England Patriots, or the security operations team for a business, one thing is certain: practice is a critical predictor of success. You might think, "We handle hundreds of security events daily—surely that sharpens our team’s skills." But here's the uncomfortable truth: the daily grind of handling hundreds of security events may not sharpen your team's skills as effectively as you think. It might be reinforcing bad habits just as easily as good ones.
Why the Status Quo Isn't Enough
Relying on day-to-day operations to "prepare" your team can create blind spots. Poor performance can become ingrained without deliberate intervention and structured learning opportunities. This is where tabletop exercises (TTX) come in. A TTX is a vital tool for improving team performance by identifying weaknesses in plans, processes, and coordination—before a crisis strikes.
For example, if your security operations team consistently struggles with incident escalation, a targeted TTX can help them refine their approach by focusing on the critical data and actions required for timely and effective escalation. Without this structured exercise, your team may continue operating with gaps that could amplify a real-world incident's impact.
Start Small, But Start Now
A TTX doesn't need to start as a complex, organization-wide effort. Begin small, with focused exercises involving a single team. These sessions can be run informally, such as during lunch-and-learns, and repeated as needed. But don't stop there. Real-world incidents demand complex, cross-functional responses. To be truly prepared, your organization must test its entire incident response process—across all relevant teams—at least once a year. Anything less risks leaving critical gaps unnoticed until it's too late.
Practice Makes Perfect—Only if You Actually Practice
Let's be honest: when was the last time your incident response plan was really tested? Was it during an actual ransomware attack? If so, you've already lost valuable time.
Consider the broader implications:
- Does your legal team understand its role during a cyber incident?
- Is your corporate communications team prepared to address public concerns about operational disruptions?
- Does everyone know when to notify suppliers, customers, or regulators?
Without structured TTXs, these critical questions remain unanswered, and untested processes can spiral into chaos when the pressure is on. A well-designed TTX ensures every team member knows their role and can act decisively when it counts. It also uncovers gaps and weaknesses that can be addressed before a crisis occurs.
Departmental to Organizational
TTXs should initially be conducted at the department level. Once departments are adept, exercises can scale up, eventually involving senior management. This progression provides leadership with opportunities to address high-stakes questions such as:
- Should we pay the ransom?
- When should we notify suppliers and customers?
- When are we required to report the incident to regulators?
- Does this incident fall under our liability insurance coverage?
The SCYTHE Next-Gen Exercise
A new frontier in tabletop exercises is the SCYTHE Next-Gen Exercise, which integrates the benefits of a purple team exercise to enhance the realism of inputs and outputs in the TTX process. By merging the technical rigor of a purple team—where red and blue teams collaborate to simulate realistic attacks and defenses—with the procedural focus of a traditional TTX, this approach creates a holistic testing environment. The SCYTHE Next-Gen Exercise ensures that both technical and procedural elements are thoroughly validated, bridging the gap between detection and response to drive continuous improvement across teams.
The Stakes Are Too High to Ignore
A robust TTX program isn't just about preparing for cyber incidents—it's about building a culture of readiness and resilience. Organizations that neglect structured exercises risk slower response times, ineffective communication, and avoidable financial and reputational damage during a crisis.
Don't wait for the next cyber incident to reveal your organization's weaknesses. Invest in regular tabletop and purple team exercises to uncover gaps, drive actionable insights, and empower your teams to act decisively when it matters most. When seconds count, preparation makes all the difference.
Now is the time to prioritize readiness. Your future self will thank you.
🦄 You can't defend, what you don't test 🦄
