CYBER WAR GAMES: How to use tabletop exercises to generate the right questions to ask your cyber team.

Author: Lyman, Rob

Business leaders consistently rank cybersecurity as one of their top concerns. For leading companies, cyber capabilities have become a competitive differentiator: they have moved past being a cost center and are no longer merely a strategic business enabler. The risks of a breach, including lost revenue, customer dissatisfaction, lost intellectual property and damage to brand reputation, mean cybersecurity will remain an important board agenda item.

In the 2022 NACD Public Company Board Practices and Oversight Survey, board members highlighted consistent challenges with cybersecurity governance. These include reviewing critical data assets, cyber threats, response plans in case of a breach and communications following a breach. The ability to ask the right questions in these areas remains critical to effective board governance.

THE VALUE OF TABLETOP EXERCISES

The tabletop exercise used by military organizations is a valuable framework for board members to shape questions on cybersecurity posture for a company's leadership team. Military organizations use tabletop exercises to familiarize senior leaders with current security gaps and mitigations and to inform future resource application decisions.

Many think of a tabletop exercise as the senior leadership team literally sitting around a table discussing scenarios. While that is a part of the process, preparation is required to maximize the value of invested time. A typical tabletop exercise has several phases.

* Baseline. Ensure a common understanding of the company's current cybersecurity posture, recovery procedures and partnerships.

* Threats. Review internal and external cyber threats to the organization, their capabilities and expressed intentions.

* Scenario review. Understand how the most likely and most dangerous scenarios could play out for the company.

* Risk discussion. Given what is learned in previous phases, come to an understanding of the level of acceptable risk for the organization, and how that compares to the current state.

* Follow-up on actions. Document any action items to be addressed moving forward.

KNOW THE ORGANIZATIONAL BASELINE

Military organizations will typically use a series of shorter meetings, referred to as "road to war" briefings, leading up to a longer tabletop session to create a common understanding of the organization's baseline and review threats. For cyber scenarios, this includes validating that the organization has prioritized...
