Cybersecurity Crisis Response Tabletop Exercises: What Works, What Does Not, and Where it Can Really Go Wrong
Senior Managing Director, Co-Leader of Cybersecurity & Data Privacy Communications
When a cybersecurity incident hits, it is no surprise that organisations tend to fare better if they have prepared and practised their cybersecurity crisis response plans in advance. Tabletop exercises play an invaluable role in an organisation’s overall cybersecurity preparedness programme. In addition to the benefit of helping bring hypothetical crises to life, regulators expect, and – depending on the jurisdiction – may even require organisations to conduct cyber training and tabletops. Cybersecurity insurers have joined the bandwagon, encouraging, if not requiring, such exercises for their insureds as a prerequisite to coverage.
While having plans on paper is important, it is equally important to practise working cross-functionally, escalating key issues, making decisions and managing a large volume of inquiries and competing priorities during a cyber crisis. Tabletops and simulations give teams a front row view into how incident response plans function or fall. Until plans are pressure tested in the most realistic ways possible, they remain somewhat academic exercises. There is a feeling that comes with seeing a company’s name and a countdown clock on a mock threat actor shame site that simply brings a plan to life. And while preparedness plans are typically developed in a small working group without the executive teams, tabletop exercises can bring the executives to the table and provide valuable insights into the way they will respond to an active cyber crisis.
Is the CEO a dealmaker, inclined to dive into negotiations with a ransomware group to extract the best possible value for a decryptor tool and/or suppression of exfiltrated data? Are they fuelled by patriotism, ready to stand their ground and refuse to pay cyber criminals because they “do not negotiate with terrorists”? Or are they a pragmatist, inclined to take the temperature of their executive team and the counsel of veteran advisors? The answer to these questions and many more can (and should) be learned in a tabletop before the real crisis hits.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2025 FTI Consulting, Inc.
All rights reserved. fticonsulting.com