12 Guides on How to Conduct a Tabletop Physical Security Exercise
A tabletop security exercise is a discussion based interactive session where stakeholders meet in either formal or informal setting (meeting or conference room) to discuss roles and expected responses in the event of a particular security breach. Other types of security simulation include drills, penetration test, seminar, or conference. A security practitioner grounded in operational risk management should leverage tabletop exercise as a vital tool for emergency preparedness and management. This should be a budget-based project; knowing that security team’s resilience and agility would depend on it. A security team who are conversant with exercises will outperform its peers who adopt nominal approach. To create and execute real-time issue-based tabletop exercise, first you should understand your organization inside out. The business’ critical assets, the threats landscape and the adversaries must be identified. The vulnerabilities which have potential to be exploited by threat actors should also be known. In the business world that is faced with increasing and complex threats; the question is no longer whether bad things would happen. They will surely happen, what is key how did the security team respond to them both during and after such incident? Typically, a facilitator would guide participants through the exercise. Taking them through a particular security incident narrative and raise question about what steps should be taken to response. It is usually better to syndicate participants for diverse perspectives and insights. Potential scenarios for tabletop exercises should include, although not limited to those threats which the organization has higher exposure to base on risk ranking. These threats will share similarity but may differ depending on the business, the industry, location, operating environment, and complexity. What should be the purpose of tabletop security exercise? The purpose of a tabletop security exercise should include to evaluate security team’s capabilities. The organization’s level of preparedness for security incidents and to educate participants of their roles during and after security breaches. Some benefits of tabletop security exercise Prepares security team for different case scenarios – that is good case, bad case and worst-case scenario. It builds team’s response skillset. Optimizes resource allocation especially during emergency. It sets up security team against adversaries and prevent them been caught unprepared. It serves as training tool – can be used to check out training requirement. It is cost effective, when compared to other types of simulation. How to conduct a tabletop physical security exercise Set objectives for the project: this will answer the question of what you want to achieve and provide clear insight to it. Reference the organization’s security plan: the organization’s security plan should be consulted to further guide on specific security incidents it has prepared for, otherwise general standard practices can suffice. Benchmark exercise on recent risk assessment: exercise should be preceded by recent security risk assessment which must have identified and prioritized the business’ security risk threshold. Consult team (downline and upline): getting input from internal stakeholders (within and outside security) as well as external stakeholders (industry practitioners) is highly recommended. Establish who is participating: identify persons or group who should play roles for the success of the exercise. Develop scenarios: create sequential narratives of security breach incident to be discussed. This should be done with open mind and a sort of intellectual humility. Run it on periodic schedule: security exercises should never be a one-off project, rather it should be scheduled to hold from time to time, e.g. monthly, quarterly, or annually. Set ground rules: rules must be set during the session to guide facilitation and moderation. For example, everyone must contribute to discussions, subject of discussion must not exceed allotted time, mobile phones to be on airplane mode, etc. Do hot wash: use hot wash to generate recommendations, insights and take-aways. This should be the crux of the tabletop exercise project. Document recommendations: for reference and archive, documentation of the entire exercise especially the hot wash is key. File project report: ensure formal communication is sent to appropriate authority. Create implementation plan: learnings from exercise will lose value if they were not practiced. An action plan to drive implementation of key learning is highly recommended. Threat actors are becoming more sophisticated in each passing day. They dedicate significant resources (funds and time) to plan and execute security breach. It is required that security team who are the defends against threats should devote sufficient time to rehearse how to frontally confront incidents when they come calling. Drill and exercise are regulatory subject in some industry, such as aviation and maritime. ALSO READ: Powerful Morning Routine Secrets: How Top Performers Start Their Day