Insider Secrets: Mastering Tabletop Exercises for Cyber Recovery Success


At cybersecurity events and in recent blog posts, I have mentioned how security and IT teams are coming together, or perhaps in some cases, still need to come together for a holistic approach to cyber resiliency. This integrative approach pays strong dividends if an incident occurs, as the teams are familiar with each other and have coordinated their process steps in preparation.

The more I practice, the luckier I get. — Arnold Palmer

It is rare to find a company where the security expert is also the backup expert. You will be teaming up with other colleagues and consultants with different sets of skills. Some examples of teaming I hear from customers range across very different scenarios, like:

  • A forensics deep dive where you can compare today’s data and configuration with previous recovery points to determine what changed, and when.
  • There could also be a staged recovery of a directory, system, or application, which must be reviewed or scanned by the security team.
  • Or a mass data recovery event, where you must recover a large set of IT systems back to a known good state. Those could be a simple set of tickets managed by two people or a massive exercise with 40+ people working to recover a complex enterprise.

Per NIST, tabletop exercises are "a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.”

In the security realm, people talk about tabletop exercises as a crucial part of planning and practicing.

These exercises can involve representatives from various departments, such as IT, security, legal, and public relations, and all role-play a scenario(S) to test their response capabilities. Participants record feedback, issues uncovered, and potential corrective actions. Ideally, participants create improvement plans following this exercise. The improvements are then circulated, tracked, and managed to completion.

The benefits of tabletop exercises are numerous. Thankfully, there are a multitude of resources available. CISA provides some great examples of Tabletop Exercise packages.


Tabletop Exercises: Getting Started

Here are some of the challenges I have observed:

  1. Is the backup and recovery team participating with the security team?
  2. Where do you start if your organization doesn’t have a “tabletop” practice?

It’s great to have a CISO-led business continuity practice with solid governance, auditing, and regular tabletop exercises at various levels of scale and complexity. The reality is this structure is not always in place. So, start where you are. At some enterprises, this might mean introducing yourself to a counterpart and saying, “I’ve always wanted to learn more about your work.” That simple introduction can start the conversation about how it would look for the backup and recovery teams and security teams to understand each other’s processes, technologies, and people better. Once you start to know each other, then work towards an effective tabletop exercise that simulates known risks to the organization.

Another way to get started is to do an audit of your current cyber recovery capabilities. Veritas has created a checklist based on industry best practices, that breaks down establishing a foundation, managing risk, and then refining your recovery through recovery rehearsals and tabletop exercises. Get your cyber recovery checklist or learn more about how to Remove Doubt with a Cyber Recovery Checklist.


Unlocking the Benefits of Tabletop Exercises

Tabletop exercises foster teamwork and unity across departments. Just like team sports, practice drives improvement, confidence, and cohesiveness. Through joint exercises, team members can work cross functionally to understand each other's roles and responsibilities in a cybersecurity incident. This not only strengthens the bond between teams but also improves coordination, prioritization, and response times during an actual cyberattack.

Gap Identification

Hey, takin’ on a challenge is a lot like ridin’ a horse. If you’re comfortable while you’re doin’ it, you’re probably doin’ it wrong. — Ted Lasso

Tabletop exercises help organizations identify gaps in their security posture and response plans. By simulating different scenarios, teams can identify gaps in their current strategies and develop more effective incident response plans to address the weaknesses. This proactive approach allows organizations to fix vulnerabilities and improve their processes before a real cyber incident occurs. This can feel uncomfortable, but it’s the key to improvement.

Learning Experience

Your body is like day-old rice. If it ain't warmed up properly, something real bad could happen. — Ted Lasso

Tabletop exercises provide key learnings for participants. Through role-playing and simulating realistic scenarios, team members can practice and improve their skills and gain firsthand experience in responding to cyber incidents. They can safely learn from their mistakes and understand the impact of their actions in a controlled environment. This growth mindset approach helps individuals develop critical thinking skills, improve decision-making abilities, and enhance their overall cross-functional cybersecurity knowledge.

Avoid the Panic Button with a Cybersecurity Blueprint

There's two buttons I never like to hit: that's panic and snooze. — Ted Lasso

I love thinking about this in terms of security preparedness. You don’t want to panic, and you don’t want to put off making a recovery plan any longer. Tabletop exercises help organizations build resilience and prepare for the unexpected. Cyber threats are continuously evolving, and organizations must to stay ahead. With tabletop exercises, teams can anticipate potential threats, develop mitigation strategies, and improve their ability to adapt and respond to new and emerging cyber threats for better business resiliency.


Recovery Rehearsals with Veritas 360 Defense

I recently discussed tabletop exercises with a CISO at a large US financial institute.   This organization is extremely advanced in their cyber capabilities. They mentioned regularly holding small-scale drills quite successfully. Those drills helped the teams work together to identify gaps, document the right processes, and figure out how to effectively work together. However, they still expressed uncertainty about recovering from a massive event in a timely fashion to meet the business objectives. It’s understandable, even the wealthiest firms can’t stand up a 100% copy of their infrastructure just to practice. I loved their hunger to improve and keep scaling up defense and recovery capabilities to match the risks they could face. This is the challenge we’re actively working to solve: how do we take the same policy-based automation, which is normalized for backup, and apply the same blueprinted easy button, not just for “special applications”, but for for all enterprise data. Spoiler alert, we’ve already delivered non-disruptive recovery rehearsals and we’re hard at work expanding that capability to make it simpler to deploy, available by default, for every workload.

At Veritas, we have already developed the Veritas 360 Defense, which brings together core capabilities from the Veritas portfolio, with pre-integrated solutions from our ecosystem of cybersecurity partners. Veritas 360 Defense can help harden your security posture, reduce the impact of single- and double-extortion ransomware attacks, and ensure recovery with the speed and confidence necessary to boost resilience. This includes the non-disruptive recovery rehearsals so your team can fully test your recovery plan with the assurance you can recover all your data.

Learn more about how to bring together your data security, data protection, and data governance for complete cyber resiliency with Veritas 360 Defense.

Tim Burlowski
Global Lead Cyber Resilience and Data Protection Strategy