
Transform Your Routine Tabletop Exercises

Let’s build on our earlier discussions of cyber resilience. To recap, cyber resilience is a holistic way of assessing and addressing potential single points of failure, including people, processes, and technologies.

Resilience is an outcomes-based approach rather than mere prevention because it focuses on business service continuity and financial priorities. In short, cyber resilience as a strategy is a way to ensure public sector entities can take a hit in the mouth and keep going.  

Knowing that, how do we apply cyber resilience to vastly improve tactical activities like traditional service recovery tabletop exercises? Even the best-laid plans can go wrong when introducing the “human factor.” How can we mitigate accordingly? In this article, we’ll run through what service recovery tabletop exercises are and discuss the best practices to ensure their utmost effectiveness toward service continuity.

Just what are service recovery tabletops? 

Depending on the government agency and/or its mission, definitions can vary. However, at its core, a service recovery tabletop exercise is an informal, discussion-based activity where a team discusses their roles and responses in cyber-related events or disasters where services can be disrupted.  

As the name implies, a tabletop exercise occurs around a table, where participants respond to the given prompts and description of a scenario with suggestions based on previously established emergency plans. They are highly effective when emergency plans have already been put in place. The intention is to build the muscle memory to react quickly and effectively when the “real deal” occurs. 

Take action to break down the silos! 

Government processes, budgets and resources are often fragmented. Cybersecurity is often relegated to its own siloed discretionary spending bucket. Even CISO risk approaches and goals are focused solely within a security silo. This severely limits the CISO’s exposure to the broader business and prevents the associated understanding of what drives the services or business outcomes of their organizations.

Breaking down these silos is fundamental to cyber resilience and effective service recovery tabletops. It’s important to foster cross-functional dialogue and instill collaboration among business, financial, technology AND security stakeholders.    

Your team must prepare accordingly BEFORE a service recovery tabletop.

Every service recovery tabletop should incorporate these five key steps before even conducting the tabletop exercise itself — like doing calisthenics before you exercise:  

  1. Identify the critical services and/or outcomes your agency produces.  
  1. Deconstruct the services and outcomes to understand what data, people, and applications facilitate the process that produces the services/outcomes.  
  1. Identify single points of failure (both security and non-security).  
  1. Assemble your cross-functional team to rank the single points of failure by criticality. From there, work to mitigate the most critical items first, working down the list to the less critical ones. 
  1. Make sure all critical data stores have an immutable backup or a full cyber recovery solution applied.  

Work out the kinks, dig deep and exercise those simulation muscles. Don’t just fake it through. 

As the famous boxer Mike Tyson said, “Everyone has a plan until they get punched in the mouth.” 

Personally, I have trained extensively in boxing, mixed martial arts, and Muay Thai. The underlying principle is to make the training harder than any fight you may encounter.  The same principle applies with executing these simulations. As with any type of exercise, be it boxing or cyber-related, the key is to practice, practice, practice. During the simulation, with your cross-functional team, it’s important to identify scenarios such as a security attack, pandemic, or natural disaster response.  

From there, test and simulate these scenarios to determine service impact. Then, reflect on lessons learned and apply continuous improvement to less-than-proficient responses. Additionally, be sure to adjust processes, controls, and other factors to get the desired performance.

Don’t forget to reassess periodically, using more recent plans of action for non-proficient responses, to retain the organizational muscle memory and performance during a disruption. Remember, the key is not simple prevention. It’s about being able to take a hit in the mouth and keep going.



 Jonathan Xavier Ozovek is the Chief Transformation Officer of SLED for Iron Bow Technologies. Previously, he was the Chief Operating Officer (COO) of the Virginia Information Technologies Agency (VITA) and Deputy CIO for Virginia.  Under his leadership, the state dramatically improved time to market for new services, scaled best-in-class cyber security defenses, launched first-in-the-nation services, and achieved record customer satisfaction while simultaneously saving the Commonwealth over $200 million. In addition, Jonathan specializes in research, development, and innovation with focus in artificial intelligence, predictive analytics, and machine learning and holds patents across multiple industries.  As an expert in Cyber Resilience, he invented the first Resilience as a Service (RaaS) Methodology. Additionally, he has designed systems ranging from a predictive commodity trading system to a medical device research and development Enterprise Program Management (EPM) system. 
 
