You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we'll explore the critical role that tabletop exercises

play when preparing for cyber incidents.

Our guest, Mike Sailor, CEO of Black Swan Security, shares his expertise

on how to effectively plan, execute, and learn from these activities.

We discussed the key components of a successful tabletop exercise,

common pitfalls, and why regular practice is essential for building

organizational resilience.

He also has a few great stories from exercises that he's conducted.

I think you'll find this episode quite useful.

I.

And enjoyable.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that we had no backups of the production

database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the show.

If I could ask you to take just a quick second and press, subscribe

or follow so that you'll always get this content, that would be great.

I am w Curtis.

What?

Oh, yes,

us a comment.

yes.

Leave us a comment.

We love comments.

Um, I'm w Curtis Presson, AKA, Mr.

Backup with me, my vicarious movie watcher Prasanna Malaiyandi.

How's it going?

Prasanna.

I am good Curtis.

I, yeah, I would say I am a vicarious movie watcher, but sometimes I do

watch movies, but they're just like the Bollywood and Hollywood movies, not

Would, would, would you agree that you watch fewer movies than me?

Um, I think that's a statement for the entire world that would be factually

I.

Well, just because I watched three movies yesterday, two at two at the, uh,

at the theaters and, uh, one at home.

Uh, yeah, that's totally fine.

That's normal.

And because I watched Deadpool twice this weekend.

See, I have never met someone who falls asleep at movies so much

Okay, we're not talking about that.

We're not talking about that.

The fact that I had to go back to see Deadpool twice for two reasons.

One that I really enjoyed it the first time and second to figure out what I

missed when I dozed off in the middle.

Dosed off and you didn't even realize you dosed off either.

yeah, I didn't even realize I dozed off till I was watching it the second time

and going, uh, I don't remember this part.

Uh, it makes a lot more sense now.

Well, we should probably get to our actual topic here.

Uh, we once again have the CEO of Black Swan Security.

Mike Sailor.

How's it going, Mike?

It's going well guys.

How are.

Mike, I wanted to talk, uh, you know, we're, you know, in our continuing series

here on, uh, basically preparing for, you know, defeating ransomware, uh.

You know, being able to respond to it effectively.

And one of the topics that comes up a lot, it came up in our last recording, is

this idea of a, uh, a tabletop exercise.

And we, we talk a lot about that a lot, and I know that.

Back when, at my previous employer, when we started showing people what an

actual tabletop exercise looks like, they got really excited because I don't

think that a lot of people do this.

Um, I mean, when, when, when your company's brought in, I'm assuming that

these, well, well, lemme ask you this.

What percentage of the time are you brought in because there's

already been a cybersecurity event.

It is more often than people call us to do a tabletop.

Say that again.

We respond to incidents for

Right,

on their worst day,

right.

in helping them through tabletop exercises for their worst

Okay.

Right.

So you're normally, you're called for the worst day.

You, you wish you were called.

For the practice day.

Um,

Yeah.

and I, I, I wonder just Prasanna, what do you think, like, like what

percentage of companies actually do a, a tabletop exercise like this?

So I.

I am hoping, and I'm being gonna be, gonna be optimistic and say that

probably at least 70% of companies do a tabletop exercise in some part of their

organization, and it may not be a formal tabletop exercise doing everything end

to end, but they do some form of what could be considered a tabletop exercise.

But, okay.

So I should have specified a tabletop exercise for the

purposes of cybersecurity.

What do you think?

Yeah.

Yeah, I would probably say

Yeah, I think, I think you're being generous, but our listeners

are better than the average.

Our listeners are above average, and this is why they're listening to the show.

Uh, so, uh, let's just start from the beginning, Mike.

If somebody wanted to, they've, they've heard, they've heard that they should be

doing tabletop exercises for the purposes of being able to successfully respond to

a cybersecurity event, a ransomware event.

What's the first thing that they should be, uh, doing if they wanna do this?

What,

you get there,

yeah.

define what a tabletop exercise is?

Yeah.

Okay.

That sounds good.

Uh, so, so basically it's a, it's a prac, it's a practice run, right?

It's a practice run where you sit out there and you, you, you, well,

we're gonna define all the things that go into it, but basically you're

sitting around a table talking about.

This fake event that may happen to you at some point, and you basically

talk through, it's like, uh, you know what, um, to go back to movies.

It's like a table read, right?

Uh, you know, you're, you're film.

what a table read is

Oh, shut up.

Oh, come.

Okay.

All right.

A table read is where they get the script for the first time and they

all sit around a table and they just go through and read all the lines.

They don't, they don't act out anything.

They don't actually do the thing.

So it's like a table read, but for, um, yeah, I watch too much movies.

Um, so how, how, how's that for a, a definition, Mike?

It's pretty good.

And I think a good comparison would be, you know, uh, more of a simulation,

like a, a crisis or disaster simulation where there's, you got actors out in

the field and they've got the, the fake, you know, trauma, blood and makeup on,

and people are actually like physically interacting, going out and getting

victims and bringing back, triaging, wrapping 'em up, you know, assessing

them and, and that kind of thing.

That's more of a, a true simulation.

Right.

a tabletop to your, to your comparison to a, a a, a script review.

It's, it's, you're, you're reading from a, a manual, from a script, uh, in

the same room, uh, kind of stationary.

Right,

to apply some, some level of imagination, as you go through the script.

Um,

right.

but yeah, it's table tabletop because you, you, you're all at the

same table or, or virtually at the

hence the name.

Hence the name.

Uh, so good by the way.

Good job Prasanna.

I, I always,

That's why you keep me around.

I always forget to define stuff, so, all right.

So what, so back to my question before I was so rudely interrupted.

Um, what, so if, if we're thinking about doing this, what's the first

thing that we should be doing?

Well, in addition to understanding the, the difference between a tabletop

and a simulation, understanding the, the kind of categorically what are the

different parts of a tabletop, uh, and there's, there's really kind of five.

There's the, the.

Preparation, the planning, the execution, the review, and then the remediation.

and so the preparation part, you, you wanna make sure that

you've kind of got your ducks in a row before you go to the pond.

Uh, and so just jumping into a tabletop, let's do one tomorrow.

You wanna make the, it's not as, it's not gonna be as valuable as if you've done the

analysis of, are we ready for a tabletop?

And when you talk about cyber, cyber, cyber, tabletop exercises are related

to cyber incidents like ransomware or denial of service attacks, or the theft

of intellectual property or, uh, you know, employee misconduct type of thing.

All right, so what, what do we have in place?

As far as procedures and incident response plan, do we, do we know who the

key smart people effective people are?

Do we know management's expectations for communication and escalation?

Do we have management's blessing to have the authority to respond to this incident?

And who's gonna be in charge?

And so there's this, the litany of, are we even prepared to do a tabletop?

So that's the.

Yeah.

and for the prepared one too, Mike, I guess one of the things

is like doing a tabletop exercise.

You want it to be valuable, but it could potentially also be.

Expensive, quote, unquote, expensive, right?

Just because the number of people you're pulling in, who you're

pulling from their normal daily jobs, right, to do this exercise.

So you don't want it to just be like a waste of time for everyone.

Agreed.

Yeah, I, I, I, well, let me ask you this.

Let me, let me.

Let me argue with you and tell me why I'm wrong and that's okay.

Um, what if the purpose of this tabletop exercise is to show just

how badly we are prepared, uh, or poorly, just how poorly we are prepared

for, for a cybersecurity event.

Um, there could be some value in that.

It might be highly demoralizing and I agree that, that, you

know, Prasanna, it would be, um.

Expense.

There is a cost associated with it.

Uh, what, what do you think of that, Mike?

I've only seen that as, as a successful tactic one time in like 14 years.

Uh, and the reason for that is, you know, if, if you're the, the technology.

or the security executive, and your job is to protect the company and make sure

things can continue operation in the face or as a result of an incident or disaster.

let's say you've been asking for budget and resources for years and you're

not getting it for whatever reason.

So hey, let's do a tabletop to show the magnitude of deficiency

that we are are currently in

Right.

management can.

Can see that we, we need the help.

what that does then is it documents your deficiency.

Mm-Hmm.

now

to

discoverable, it's, it's also discoverable if you have an event and you get sued.

Um, but also politically, don't know of many, uh, many technology or security

executives that wanna put themselves in that position of documented failure.

and management is gonna see that as, oh, you're just trying to get leverage.

So it, politically it's a bad move.

I've only seen it, successful one time.

Um, and that was a pretty unique situation where the, the management

team was, was pretty collaborative and, uh, it wasn't for leverage.

It wasn't because they weren't getting the resources.

It was true learning experience for, for everybody.

And it was quite a while ago.

So that went really well.

E everybody went into it.

the same page with the same expectation of, of learning

and identifying weaknesses.

But today, in, in most of the environments that I experience, uh, or, or work

with, they, that wouldn't go over well.

Yeah, that's,

IT shop security guys,

that's,

they want, they want to, they wanna practice before they go to the game.

yeah, that, that's a really good point about the fact that you know that

it's discoverable and also that, um.

Politically, it, it is a, it is a difficulty, right?

It's one thing like, like I've done in, in, uh, you know, in my backup and

recovery days, I've documented, um, you know, I've basically demonstrated,

hey, we are unable to meet.

I.

The recovery time objective that you have specified.

Uh, and, and so that's kind of where, what I was thinking, but it's probably

a little bit different than here.

Um, and because in there what you're demonstrating is the deficiency

of the system that you had, you know, that, that you have not the

deficiency of the team itself.

Um.

in place.

Yeah, so it's okay.

So you're saying the first thing we do is we, so, so it sounds like we

need an incident response plan before we do, um, a tabletop exercise.

But you probably also need to figure out like what you're planning, like what

scenario you're planning to run, right?

So then you can make sure that you have those other steps, right?

Correct.

And, and there's hundreds of scenarios.

So one of the part of, part of that analysis, which scenarios do we

want to do, we want to base our, do we want to include on an instant

response plan, and then eventually te train on, in our tabletop, you need

to do an analysis of your business.

What, what's the most likely.

Threats and, and, and it could be any threat.

But then what, what impact would that have?

So you want the most likely, or the likely, but most impactful, uh,

threats then flesh out your playbook to then train on in your tabletop.

Is there a list of common scenarios somewhere?

I know it's gonna be unique for every company, but you like it's

one of those things where maybe you're not even thinking about

some of these scenarios, so I.

How

Be sure.

approach that?

Is that pulling in people like you who are experts at this and

can help them figure out what are

there's a.

scenarios?

Yeah.

a lot of different, uh, exercises and activities that can happen, uh, that lend

itself to, to good input to that exercise.

And one of those is a business impact analysis.

Go find out all the critical stuff in your business that helps your

business run and make money from that.

Then you, you, you often get those, um, those meantime to recovery type.

Metrics, like how long can this process be offline before we start

losing a lot of money, type of things.

So there's, that's great input.

Well then if, if you've got this list of critical things that if our

unavailable impact your financials or your operations or your reputation

or whatever it is, then from that you can then start to think, well, what

threats would impact that process?

And what are the common, what's, what, what are all the common themes

like, uh, internet access or email access, or our phone system or this

critical, you know, our, our ERP or financial system or, and then, and

then just keep working backwards.

Yeah.

Uh, and then

truly just more, most likely, statistically, most likely

threats that are out there.

Ransomware is huge, uh, in any environment where you've got end users that.

Interact directly with your production environment.

Uh, but ransomware has a couple of different flavors and one is delivered

via phishing emails and downloads, and the other one is delivered through.

Unauthorized access as a result of vulnerabilities or some other

weakness in your environment.

So again, what's the most likely scenario there?

Is it hacking into our network or are users clicking on

something they shouldn't?

And what controls do we have in place and what would the impact be?

And so I'm kind of going down that, that rabbit hole now, but.

Sitting back and, and thinking, for example, if, if we are a

company that develops new stuff.

So our intellectual property is very important to us.

The threat would be insider threat, stealing our intellectual property

when they go to a competitor or, uh, you know, nation state hacking us

to get our intellectual property.

Or we're transferring data, whether it's backup tapes or to a cloud, or to a, uh,

you know, we design the stuff, but we ship it off to a, a place to manufacture it.

And the process for doing that.

So that could be all be related to intellectual property theft.

Well, what's the impact?

Well, I'm sure there's financial impact.

There's market, market share impact.

There's legal impact, uh, reputation.

Um, and so is that more important than ransomware?

Shutting down our environment for two weeks or a

Yeah, that, that, that's a really good point.

You know, you, earlier you talked about, you know, what's highly likely

and what's impactful and that, um, you know, you, you need to do a balance.

Of course, there's nothing wrong with doing multiple tabletop exercises, right?

Um, do the, do the less likely but more impactful, the more likely, but less

impactful, um, what might be more likely.

more than one

Good.

exercise.

You know it, it sounds like this all day, all week thing.

Right,

Most tabletop exercises last maybe an hour or two.

And so if, if you've, if you've got the, the ability to allocate

resources to an entire day, you might be able to get two or three, uh,

right.

So we figure out, we figured out the.

You know how prepared we are and whether or not we're prepared to do this, we

have decided the scenario or scenarios that we're, uh, going to do what's next.

So now we need to determine, um, the format.

Is it, is it just the core team?

Uh, so.

The incident response lead, the subject matter experts, the stakeholders involved,

that, that would provide input and decision making, that kind of thing.

then there's the third parties, like external legal counsel and your

insurance company and law enforcement.

and then there's the observers, uh, other, other people in management or your board,

uh, or other employees that, uh, maybe.

be good to observe, uh, the intricacies of incident response and what's involved.

There's, there's a feedback on that's usually pretty good.

Like I had no idea it was that complicated.

and so that there, there might be value there, but most, most organizations that

are doing their first tabletop wanna kind of keep it tight in case they mess up.

They don't want everybody to know where they're.

Whether their deficiencies are, but that next stage after you've determined

the scenario is to, uh, identify or define who's gonna participate,

gonna run and moderate this.

Exercise, usually that's a third party.

Uh, have an objective, uh, you know, someone that's not been in the weeds every

day and doesn't know all the intricacies so they can, they can ask some good

questions and throw some good curve balls.

Uh, you know, just when your team knows what the all the plays are,

uh, the, the moderator can, can, uh, throw a monkey wrench in there and see

how, how, how, how the team reacts.

this start,

sure you have.

this starts to sound like d and DA little bit.

And I thought that's where you were gonna go earlier.

Uh, when you were gonna explain how a tabletop went.

It, it is very much like a, a role-based, uh, table game, uh, table based game.

And then, uh, make sure you've got a good scribe, somebody that can take good notes.

And one of the things that you wanna make sure you highlight

are what we call the aha moments.

Like, oh yes, you know, you can tell when there's an aha moment.

Those aha moments can be good.

Like, Hey, that's a great idea, or, I'm glad we did it that way.

And they could also be the, I didn't think of that.

and so we need to capture all the good and the bad and, and the, the curious.

Um, so you, you've gotta put that kind of planning into, um, into game day

So deciding, deciding who's deciding who's gonna be there

and who's gonna do what role.

Right.

And then, and then some, some ground rules.

Uh, so I always start with some ground rules and I make sure everybody that's

participating and agrees with those.

And, uh, one of those ground rules needs to be that this tabletop is a safe place.

We're here to, to talk and collaborate and, and, and, uh, go through this

exercise for the benefit of the company.

You know, there's no stupid questions.

No one's gonna be fired because you didn't know, or, or you, you challenge, uh.

Um, a decision or, or a comment, uh, it's meant to be

productive and, uh, constructive,

No blame

correct.

Yeah,

you actually

go ahead.

to execute or, so you've set, so you've found the people, you know

the scenario, you set the rules.

I'm guessing you just sort of play the game.

Right.

And so you, you start the tabletop with, uh, uh, and sometimes it's,

it's good to provide some statistics or maybe some background information

to support the, the magnitude or the gravity, uh, of the exercise.

So.

Maybe recent statistics on cyber or whatever that particular threat is.

Um, if you're gonna invite law enforcement, a lot of times they'll

bring those numbers and do a short presentation, uh, which has

always been good and interesting.

Uh, you lay out the ground rules, uh, you describe at a high level

what the scenario is gonna be.

Um, and then you start with step number one.

Uh, so and so observed this, or this event happened and it was

reported to whoever who then.

Uh, reviewed it, uh, categorized it, classified it as an incident

of whatever priority, and kicks off the, the incident response.

And then you hand it over to whoever that person is and say, so what do you do next?

I call Jim and this is what I do.

And then you go to Jim.

All right, Jim, you got the call.

What do you do next?

And you just, it, it's truly role playing.

Um, turn by turn and.

the list right of their playbook, if you will.

and there is a little bit of discussion.

All right, so why did you do that, Jim?

Or what do you think about that?

Or how do you think that could have gone differently?

Um, and so there is a little bit of interaction.

Uh.

In process, but for the most part, right?

Yeah.

Everybody's gonna talk about what their role and responsibility

and activities are, and, and we're gonna capture all that.

And if it, if it's lined up with the playbook that we

came to the game with, great.

But in many cases, I would say at least half.

got some action items that come out of this to make things better.

You know, one of the thing,

oh,

one of the things that I've seen from, um, common cyber events has been that it,

it doesn't start, the cyber event doesn't start with, you get this big message on

your screen, you've been attacked, right?

It starts with, you know, the.

West wing air conditioner unit is not working the way it's supposed to.

Right?

It's like you have this random, random thing.

It's like, oh, that's odd.

Why is that happening?

Uh, when, why it's happening is that you have an underlying security event, right?

That's happening.

Um, I, I wonder what, when you, when you do these, when you do a tabletop.

Is that the kind of thing you give them, or do you give them a little bit more

blatant, you know, um, you know, you, you've, you, you know it's happened.

So one of the, one of the good things about a moderator that's been through

a lot, uh, is that to your point, you know, this, this weird thing

happened and we want to address, we want to triage this, we wanna stop the

bleeding, stop the, stop the incident.

But at the same time, there's gotta be some people.

Tasked with determining root cause, worst patient, zero.

Uh, what were the things, the, the symptomatic things or the observable

things that could have been escalated prior to this bad thing really happening?

so to that point, and I think your analogy's a good one.

Is that we're not just addressing truly techno uh, technology based, uh, events

and metrics and observable things.

We also want to go back to the people, the eyes and the ears

see something, say something.

So do we have a good security awareness program?

did Bob or Sally see that air conditioning thing misbehaving some time ago?

Weeks, days, months.

is there a way to, is, is there even a mechanism for them to report that?

Because if they just make a comment to a coworker or a supervisor, well then

there's gotta be a way to communicate that to people that need to know.

So is, is there even a mechanism for that?

But to your point, right?

So we, we want to.

We want to expand the value, uh, of the tabletop as far as we can

without diluting the, the focus.

Um, but those observable, teachable, um, expandable moments, uh,

are, are definitely brought up.

Um, and so that's a good, I'm glad you brought that up.

'cause that's a absolutely, it's, it's the moderator's job.

Uh, to know how far outside the true storyline we can go, how

far off the path can we go and still add value to the exercise?

And so it looks like the moderator has a critical role to play in

the actual execution of the,

Mm-Hmm.

of the tabletop exercise.

And I know you mentioned sometimes a lot of this comes with experience.

How do you even find the right moderator?

Right.

Because like you mentioned, you probably don't want someone who's

internal who knows the details of the systems and the inner workings.

You want someone who's experienced in cyber instance incidences or

whatever else you're focused on.

But how do you, as a company, like I'm going out and seeking

out a moderator, how do I know?

Like what are the questions I would ask to be able to determine, is that a good

moderator for my tabletop exercise or not?

Usually there's, there's profiles for, for tabletop moderators.

They're also call 'em breach coaches.

Uh, and they, they run from the, kind of the gamut, from true cyber focused.

You know, former CISOs and, and people that have been in the trenches, uh,

that actually had to wear those shoes.

Uh, and then some other breach coaches are on more of the

advisory or even legal side.

Like one of my, one of my favorite breach coach collaborators is

an attorney and he's been a cyber attorney his whole career.

He is never spent a day in it.

Uh, but he's been involved in hundreds of breaches, so he's seen.

The battleground, and he is been through the game he's seen what,

what's worked and what's not.

And then based on all that experience, also giving some good advice on how

to, how to make them more resilient to, to future, uh, incidents.

So my advice would be, uh, and you can search, usually it's called,

you know, tabletop exercises.

You know, the, the, the service providers out there usually list it.

Like that.

and then for those that are providing the service from that company, you've

got a, a profile, usually like a resume that you can, you can review.

And it seems like the, the.

Actual experience with actual events would be a really big, because

like you said, they can draw on all of these different things that

have happened to them, um, both in terms of how the event got started.

And things that happen throughout the event, right?

It's like, okay, well now you just lost power or whatever,

whatever types of things that happened throughout a cyber event.

Um, you've got to have a lot of experience to be able to

draw on those kinds of things.

And, and I'll, I'll, I'll make an example that, that you

can probably truly relate to.

'cause that backup tape drive works the same every day and it works good.

And you know, you know the hiccups.

I guarantee you that does not work the same on the day.

You have an incident.

You've gotta restore something.

It's just, that's a Murphy's Law

Yeah.

someone.

Moderating your, your tabletop, that's familiar with how Murphy's Law works?

Yeah.

I.

I often, uh, say that the success rate of backups is inversely proportional to the

degree to which you need that data, right?

Absolutely.

Yeah.

Absolutely.

Yeah.

Um, all right, so we've, we've, so we've done our event, right?

Um, and we, you know, you had, you had a good scribe captured those aha moments.

Um, now what, and no one cried.

Maybe somebody cried.

Um.

I've,

But

happen.

I'm sure, I'm sure this is so hard.

Um, I could just see that.

Um,

Well one of the things, one of the things too, and before we get off the,

uh, off of the execution part, uh, I wanna stress the importance of, um.

Accountability.

So even though it's a safe place, we don't want to happen is walking

through a scenario and somebody go, well, let's just assume we do.

We do have that, and let's move on.

Let's just assume, don't we need to move, we need to work through this because we

need to know how it's gonna flesh out.

So I wanna stress that, that when you're playing this game, don't just

No, it's not.

right?

Uh, because.

And I've got a, a case study where we assumed, or I say we, it was the,

the response leader, let's assume we have that and let's move on.

And kind of, um, uh, not directly, but I tried to passively come back to

it multiple times during the tabletop and each time it was met with, let's

assume we have that and move on.

Not, not six weeks after the exercise.

They actually got hit with that, that particular incident in real life.

And that assumption, uh, really came back to bite him because they

assumed this in the tabletop, it was not captured as a remediation item.

Um, and that was one of the downfalls of their, of their incident response.

That,

was false.

Right.

that reminds me,

that is true.

Yeah, I like that.

And I, I can see that, I can see wanting to do that.

It's like, okay, we don't have that person here.

Let's just assume that we have the thing right.

Nope, he's not here.

What do we do if he's not here?

right.

He's

Yeah.

He gets hit by a bus.

Yep.

Yeah.

and I've done that too.

All right.

You're the incident response team leader.

Let's go through this.

And halfway into the incident response, I go, all right, you fell sick.

'cause that pizza you ate for lunch took you out.

And so who's, who's, who's, who's the assistant coach.

And we actually ran into a problem there.

'cause three people thought they were the assistant coach.

And so there's a

Uh.

of, you know, right.

Who's gonna take charge.

But then, sorry.

So after, after we finish the execution and we've got.

and good notes.

We, we wanna review, we want to debrief.

We wanna make sure that what we heard, what we collected, uh, what we documented,

uh, was, uh, concise and, and accurate.

And then naturally, as, as, you know, maybe, maybe I'm saying something, I'm

responding to something or I'm walking through my activity, my playbook and

my part's done, I hand it off to you and now I'm listening to your response.

Naturally as, as people with responsibility and instant response.

I'm gonna think about what you're saying and, well, what

could I have done different?

Or, or maybe I've got thoughts about what you're saying.

So the, the debrief gives an opportunity for the participants to add more comment

or thought or, you know, something came to mind or, you know, um, me

add to that or let me correct that.

And so the debrief is important.

Before everybody leaves, we want to capture all that before the end,

before people go back to their day job.

All right, well then the scribe and the moderator to over the, the coming days

to make sure that there aren't any un un untied strings or unle questions.

And we're gonna, you know, there's an opportunity to, to ping the,

the participants one more time, uh, because maybe they also made

reference to something and, all right.

Well.

Lemme know when you get back to your desk, you know, type of thing.

So we, we've, we've got a period of time to wrap this up, and then

we want to document this in a summary with detailed action items.

All right?

This is what came out of the, the tabletop.

Uh, we, we, we need to update this.

Uh, we need to find a resource when, when Bob doesn't show up, we need

to talk to our insurance company about having a, a good contact.

We need management's approval for, uh, when to involve law

enforcement, whatever it is.

We've

Yeah.

this action plan we need, we need that stuff to be addressed.

It came out of this incident response as things that we need

to do to be more effective.

It has to get done, and that is as important as conducting the exercise

because you now know where your weaknesses are where, where, where you need to

improve in order to be effective.

Without that stuff, you're going to fail the response to whatever that incident is

and more than likely back to Murphy's Law.

That particular incident that you just trained on that you didn't fix is

gonna happen sooner than it would've.

Yeah.

Uh, well, you know what, this brings brought up a thought for me.

You know, we talk a lot about doing disaster recovery testing, and,

um, so my question is, what is, is there a, is there a, is there a pass

or fail for a tabletop exercise?

You know, what's considered a success is something, is, you know, I, I would think.

I don't know.

I'll, I'll stop talking.

What would be considered a success and what be, what

would be considered a failure?

There is, and, and what what success is would depend on what the incident is.

So if like it was incident, if it was intellectual property theft, success

would be determining how it happened.

Having enough evidence to prosecute whoever did it

right, that would be success.

in, uh, ransomware success would be a hundred percent or majority.

Recoverability without having to pay a ransom while also figuring out

how the ransom infection happened.

That would be ideal success.

But there's, there's levels of success as well.

Uh, simply getting the, the company back up and running with minimal financial

impact, uh, would be considered success.

Uh, and so defining success is one of those criteria that you

definitely want to, uh, lay out at the beginning of an incident.

Uh, based on what's going on, here's what we're gonna focus on.

Mm-Hmm.

our target is, and that's collaboration with management.

That's not just it, you know, setting the, setting the bar and, and,

and shooting for that objective.

It needs to be collaborative.

and then absolutely there's failures.

I.

is not being prepared, not understanding the business, not, not having good,

not having identified the right resources that you need to be effective

in response, not getting along.

I've seen that several times in an incident response tabletop, people

just, I'm not working with you anymore.

I, I quit.

I haven't had it, and I quit.

But there's definitely people that, that have had some, some contentious

or, you know, some animosity and you put 'em in a room in a.

And you're, you're, you're pointing fingers, all right, you're next.

And they're like, yeah, I'm not playing anymore.

And, and I've seen that.

Wow.

Yeah, that would be a.

that brings, brings sli a uh, uh, a risk that needs to be addressed.

Maybe that person shouldn't have that responsibility.

And I think at least doing this exercise, right, so you've gone

through this entire process.

You figured out the remediation steps or the gaps that you have today.

think that's such a huge step forward for a company because now you can figure

out, okay, how do I address those?

What are the skillsets I need to bring in?

What are things I need to modify my processes in order to make

sure that I am able to recover from some of these incidents?

And it is really huge too in, in, in very well established environments

that have never been tested.

They're, they're so complacent with how everything's always worked.

Everything's fine.

Everything's worked well forever.

I.

I've been here for 20 years.

Well, that's great.

It's worked well from your perspective without any outside influence.

Let's add some of that.

Hmm.

Yeah.

perspective outside influence and see how things go.

Yeah, I, I, um, you know, talking about, you know, the way people interact, it,

it, it would seem, and while, while it is a safe space, you know, you're,

you're observing and you, you get to see how different people do under pressure.

Um, you know, I'm, I'm thinking back to, I used to work for this company

that used to u that used to ask.

Really bizarre interview questions.

Not as bizarre as the, like how to put an elephant in a refrigerator.

I dunno if you're familiar with that series of questions.

They were more like you're writing a shell script and instead of pound bank,

Bens h at the top, you put Pound bank, Ben Echo what would happen, right?

And it, and it was for, it had two purposes.

One was.

If you could successfully answer the question, um.

Then it showed that you had a really good knowledge of internals,

but if you couldn't answer the question, it was just as important

to see how you responded to that.

Right.

And if basically, and we had interviewers just walk out

like, this is a stupid question.

This is, no one would do that.

No one would put Ben Echo at the top of the script.

Shell script, this is stupid.

And they would just literally walk out.

Okay, you failed the interview.

Right.

And so I would, I would think that that's, that, you know, you talked about dynamics,

you talked about pe, people getting, uh, you know, animosity to each other.

And, and I'm sure that at some point there, even though we're not supposed

to, I'm sure there's been some yelling and a few tabletop exercises.

Would that be a fair assumption?

There has and, and, well, not yelling, but definitely raising the voice.

Yeah.

Yeah.

Um, yeah.

And, and.

So I think the only, the only truly failed tabletop exercise, in my opinion, would

be one that, that just, you just never do.

Right?

Um, and I think that that's what multiple people, I, I think that's what a majority

of people are doing or not doing, is that they're just not doing these for fear.

Of those things for fear of being exposed, for fear of whatever.

But the only thing I can say to them is, well, you know, um, it, you know,

it, it, it remind, have you seen, um, Glen Gary, Glen Ross, the movie?

Um, okay.

It, it.

If you watch nothing else, just watch the opening scene with, uh, Alec Baldwin.

And, uh, there's a li he's, he's, he's yelling and screaming at

these, um, at these salesmen.

And he basically, he said, one of the lines he says is, you, you, you

can't handle what I'm, what I'm, what I'm saying to you right now,

if you can't handle this, how are you gonna handle the abuse that you

get when you go out on a sales call?

Like if you can't handle a tabletop.

Imagine an actual cybersecurity event where you didn't do a tabletop and

you're, you're not prepared at all.

Um, which I think is the majority of situations.

Right.

Um.

And, but I think there's a misconception there in that tabletop is this

point in time thing, uh, that they don't, that they're afraid of.

'cause they're afraid that they're gonna fail.

But really the intent of doing a tabletop requires that you do

some planning ahead of game day.

So that.

Right.

better prepared to play the game and that that preparation is where

someone like me would really walk you through you need to be successful in a

tabletop and make sure that that's in place before we we go play the game.

Yeah.

Yeah.

And I think if you define the success of the tabletop is a successful

tabletop helps uncover, um, weaknesses that we can then go address.

Right.

That would be a successful tabletop.

Yeah.

It

And if, and

expected.

yeah.

tabletop I've ever done has had opportunity for improvement.

Yeah, it's just like when, uh, Pana, you know that I say this a lot that we,

when we used to do disaster recovery exercises, we define success as.

Because we would do a DR test where, uh, I was the one in charge of backups, but

I was not the one running the DR test.

And a, a, a success was they, they made it from A to to Z using

nothing but my documentation and never having to ask me a question.

Never once did we succeed by, by that standard, right?

Everyone has, uh, deficiencies.

In every part of it, in the job of doing this.

And I like, by the way, I like you talk, you said it, it, it's, a lot

of people see it as a point in time.

Another thing is that you don't just do one tabletop and then move on.

You do regular tabletops.

What, what do you think is a, is a, a good frequency for people to do that?

As often as possible, uh.

At, at a minimum once a year,

Uh.

you pick, because once a year is really as, as often as.

You know, collectively the business reassess itself.

You know, that's where we update our strategy, uh, both on the business

side and the technology side.

That's where we look at our, if, if we've got audit work or risk

assessments, we look at all those things.

So once a year is, is common.

Twice a year would be great.

Quarterly would be amazing.

And if you're doing 'em quarterly, you're really cutting this down to.

You know, a a, a well-oiled machine, you know, doing 'em once a year.

That's probably two hours on game day plus maybe an hour or two of,

of planning ahead of, and then all the logistics of, you know, people.

People's schedule and everything, if you do them quarterly, you can

break u Usually it's a smaller group.

you can really focus tactically on whatever the scenario is and just, you

know, just record it in a team session and you don't even have to have a, a scribe.

Um, and it becomes this, this, this, uh, scheduled event that, that you just,

know, it's, it's like going to practice

Yeah, and you're developing muscle memory.

Did, did you just say muscle memory

I did say

at the same time?

Look at that.

I love it.

I love it.

That's a great way to.

the other thing to consider with tabletops is, uh, it's actually a

benefit in, in a couple of ways.

You're, and especially if you expand the, the participation to

include your insurance company and law enforcement, some others.

improving the perceived effectiveness of your organization to people that want

to help you, you learn something too.

Like a lot of organizations think, I'm not gonna call my insurance

company until I fee, I think I'm gonna have a claim or, recover, so

I'm gonna have to pay the ransom.

So I gotta call my insurance company.

But if you ask the insurance company when, when should we call you?

They're gonna tell you as soon as you think you have a problem.

Yeah.

we've been through a lot of this stuff and we can also help guide you.

Right.

say Bob didn't come to work that day and he's on your incident response

team and he's your database expert.

what are we gonna do now?

Well, your insurance company probably has a vendor on their approved list that's

a database expert that can help you.

And there's, I mean, they're a great resource and a lot of, a lot

of organizations don't realize, or they're hesitant to involve.

Insurance company.

Their insurance company.

When, when something bad happens, they're afraid it's gonna, it's gonna ding them

like getting your windshield repaired.

Yeah.

they're, they're afraid it's gonna impact their, their

premium next year or whatever.

But really what it's doing is adding, it's adding value.

Um, and, and there's a perception there from your insurance company that you guys

are, what, you're being diligent, uh, ahead of, uh, a true incident happening.

All right.

Well, thank you.

Uh, thank you once again, Mike.

You are welcome.

All right, and thanks, Prasanna.

You enjoying this?

I am, I'm learning something new.

It's kind of

I, I love learning.

I love learning

whenever I think about tabletop exercises, for some reason I think about the, uh,

the game battleship for some reason.

you song.

My battleship.

I like it.

All right, well, thanks again to our listeners.

We love you.

Uh, you're why we do this.

Um, and uh, that is a wrap.

The backup wrap up is written, recorded, and produced by me w Curtis Preston.

If you need backup or Dr.

Consulting content generation or expert witness work,

check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that

you hear are those of the speaker and not necessarily an employer.

Thanks for listening.