Tabletop Simulations: Where Theory Meets Reality

On paper, the vast majority of crisis plans look reasonable, actionable and complete. Once the rubber hits the road, however, chaos emerges quickly.

This is where tabletop simulations come into play. Tabletop Exercises (TTX) simulate real-world crises in a controlled environment. They introduce time pressure, incomplete information, and uncertainty, forcing teams to adapt and revealing whether plans hold up under stress.

Over the years we have facilitated many tabletop exercises, ranging from small IT teams to full executive crisis staffs. The scenarios vary, but the findings are remarkably consistent. Here are some of the most important lessons from those tabletop exercises and from real incidents about what does and does not work.

Preparation Determines Survival

Will your warehouse sit empty because orders can’t be processed, or overflow because production is halted but shipments keep arriving? An incident is not the right time to define basic procedures or to fight over responsibilities and priorities. Having the most important parts prepared is key.

What we learned

  • Critical paths aren’t always obvious: The critical paths should be known in advance and priorities aligned with management. Keep in mind that the critical path changes over time. A system paying out wages might be critical towards the end of the month, but irrelevant at the beginning.
  • Offline documentation is non-negotiable: A plan is of no use if it exists only on an IT system that is no longer available. Important documentation must remain accessible during an incident. This includes response plans, contact lists, emergency access information, external partner contacts, and preapproved communication templates.

An Incident Is a Business Problem, Not a Cyber Problem

Before one simulation, I overheard one participant remark that this will be easy, as ransomware is an IT problem. Once the TTX started, they quickly changed their mind. Incidents, and especially ransomware incidents, are mostly a business problem. IT is certainly involved, but it rarely is the sole solution.

What we learned

  • IT is only one part of the crisis: IT is most often one of the simpler problems. IT administrators can start working right away to get the systems up and running again. For the rest of the company, what to do next is usually far less clear.
  • Every department needs a plan: It is not just IT that needs a plan. A major incident stretches all departments thin. Trying to coordinate everyone’s response on the fly will only produce an uncoordinated response.

Communication Is Harder Than Expected

When email, phones, websites, and chat fail, communication collapses. How do you reach external stakeholders and partners? How do you remind employees where to forward press inquiries? No news will not be good news… Communication is hard at the best of times. When all the IT systems are down, communication is downright painful.

What we learned

  • Backup channels are essential: Have alternate channels that still work, even during an incident. This might be a service that allows sending SMS to employees’ private mobiles, or a group chat in an external chat application. Social media profiles can be repurposed to address external stakeholders.
  • Proactive communication is critical: In the absence of information, a picture of the situation tends to coalesce out of rumors. Proactive communication is crucial during an incident.

Without Structure, Response Grinds to a Halt

First-time tabletop simulations often turn into reactive role play. Participants respond to each new development as it appears, driven by the moment rather than by a commonly agreed plan. One or two voices dominate the discussion. Other topics fall by the wayside. And when we ask for a summary of the current state, participants often cannot even tell how long the incident has been ongoing. Structuring the information flow and the meetings is one of the key parts of a good incident response plan. A major incident will still leave enough room for chaos.

What we learned

  • Fixed status meetings prevent information overload: A regular status meeting should be a fixed part of any plan. Otherwise, information will flow everywhere except where it is needed, and key personnel will be bogged down answering the same question from different stakeholders over and over again.
  • Assign a dedicated role to track decisions and tasks: Someone should be responsible for documenting the situation, open tasks, and decisions taken. They should have no other obligations. They will keep the chaos at bay.
  • Status meetings are for decisions, not debates: The status meetings are not discussion meetings; they are decision meetings. Once a discussion starts, stop the discussion. Instead, assign someone to prepare three options for the next meeting.
  • Crisis management is not a collaborative effort: Instead, crisis management is directive and decision driven, unlike the consensus-driven day-to-day work most teams are used to. For many participants, this is arguably one of the hardest aspects to learn during a tabletop exercise.

Ambiguity Kills Momentum

One of the more dangerous dynamics we see during tabletop simulations is when no one seems to be in charge, and everyone wants to be heard. I am reminded of the time when the participants spent 10 minutes on the very “critical” question of “Is this a medium or a high incident?” Which is understandable, as humans we like to discuss things we can control. But we need to make progress on the parts we do not control, or do not know how to solve. A crisis is no time for participative leadership. A crisis needs quick, decisive decisions. Sometimes imperfect decisions, but an imperfect decision is still better than no decision at all.

What we learned

  • The CEO should be in charge but not in the lead: Putting the CEO in charge is a good idea. However, the CEO should not lead the crisis staff. This is best delegated to a Chief of Staff who makes sure that the crisis group meets regularly, that the required information is delivered, and who gatekeeps access to the CEO. The CEO will still have more than enough on their plate.
  • Predefined roles eliminate ambiguity: The roles in the crisis group should be clear, and everyone should know what their role is. If someone has no role, they should not be part of the crisis group. The roles must cover all aspects of the business.

Human Factors Matter

Incidents don’t pause life. Employees still have families, obligations, and personal stress outside work. For many participants, this will be one of the most stressful days of their career.

What we learned

  • Direct communication replaces politeness: Crisis situations change how people communicate. There will be fewer polite exchanges such as “would you mind”, “if you have time”, or “thank you”. Communication becomes short, direct, and task focused. This is normal and should not be interpreted as disrespect.
  • Watch out for your colleagues: Leaders must remain aware of the human limits of their teams. Fatigue, stress, and imperfect decisions are unavoidable during a major incident. Plans should therefore allow for rest, handovers, and recovery.
  • Recognition comes later: Recognition rarely happens in the middle of a crisis. The priority is stabilizing the situation. Strong leadership acknowledges the effort afterwards, once the incident has been resolved and the organization can reflect on the response.

The Bottom Line

Tabletop simulations don’t just test your plan. They test your people and processes and challenge your hidden assumptions. The goal isn’t to succeed. It’s to fail safely in a controlled environment.

Are you wondering how your organization really responds under pressure? A tabletop exercise is the safest place to discover uncomfortable truths before a real incident forces them into the open.

Compass Security Blog