#CSOOnline just dropped a piece titled "7 tabletop exercise mistakes that sabotage incident response". In this article, experts from different firms discuss where most companies get their crisis preparedness wrong.
Here's what they found:
1. Exercises without clear, measurable objectives drift into "discussion theater" - Sharon Chand, Deloitte
2. Teams freeze when real incidents don't match practice. The fix: deliberately introduce incomplete information and conflicting signals. "Because that's what real incidents actually look like." - Ayush Raj Jha, Oracle
3. Scenarios must be built around your actual environment, business priorities, and past incidents, not generic ransomware templates. - Jason Stading, MBA, CISSP, ISG
4. When attack chains feel technically implausible, essential stakeholders disengage. "The stakeholders simply view the activity as a waste of time." - Blake Cifelli, GuidePoint Security
5. Scripted "happy path" exercises test process recall, not decision-making under pressure, "which is where most failures actually occur." - Ensar S., SOCRadar
6. Response plans fall apart at the handoffs the tabletop never tested: cloud-to-SOC coordination, M&A integration environments, third-party vendor entry points. - Aparna H., Amazon
7. After every exercise, capture where decisions stalled, where ownership was unclear, and which voices were missing. Use those gaps to build the next scenario. - Jason Stading, MBA, CISSP, ISG
Most tabletops test whether your team has read the plan. Not whether they can execute it under pressure.
Reflex Security makes meeting these requirements possible.
Full article: 7 tabletop exercise mistakes that sabotage incident response
