Skip to main content
close search
site logo
Dive Brief

Tabletop exercises can exceed $50K, limited to annual testing

Published Aug. 17, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
laptop, coding, code, cybersecurity
Rangel, David. [photograph]. Retrieved from https://unsplash.com/photos/4m7gmLNr3M0.

Dive Brief:

  • Tabletop exercises are used most frequently to prepare companies to respond to cyberattacks, however only one-third of organizations perceive the exercises as "highly effective" for preparation, according to a July study by Osterman Research in association with Immersive Labs, a company that develops human-readiness skills in cyber.
  • Two-thirds of organizations perform tabletop exercises once a year or less, while 23% of organizations conduct them "without any sort of set schedule," according to the report, which surveyed more than 400 cybersecurity professionals with experience in tabletop exercises. Researchers concluded most organizations are likely performing tabletop exercises "less often than necessary" for meaningful cyberattack readiness. 
  • The majority of organizations spend an average of $30,000 per tabletop exercise, but 20% spent more than $50,000 on their most recent test. The price tag is largely based on how many employees participate in the exercise; half of the survey respondents said more than 10 people are involved in each exercise. 

Dive Insight:

The fallout of a cyberattack is often measured by how well the victim company responds. 

Tabletop exercises most commonly test for business continuity, followed by brand reputation, an organization's liquidity, and share price, according to the report. 

The more often organizations engage in tabletop exercises, the more likely they are to practice a variety of response scenarios. However, because exercises aren't performed often, the most common tabletop scenarios are based on data breaches, ransomware attacks, and phishing attacks. Only 15% of organizations conduct five or more different attack scenarios, according to the report. 

Sixty percent of respondents say to truly be better security, they need to buy more technology. But the board controls the purse strings, and it need to understand their ROI, whether for new technologies or more frequent tabletop exercises.

"The most important aspect of any crisis preparedness scenario is getting C-suite level buy-in. Without this, nothing happens," said Max Vetter, chief cyber officer at Immersive Labs. Because tabletop exercises are so expensive, organizations need quicker response times to prove to board members their necessity.

By adopting micro-drills, companies can delegate cross-section teams, or teams where expertise is divided into smaller groups. Micro-drills could facilitate more scenarios if an organization isn't conducting many tabletop exercises or different scenarios.

"It is crucial that teams switch thinking from being able to respond to a few set scenarios, to building the muscle memory," that allows them to respond to any kind of cyberattack, said Vetter. 

Recommended Reading

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Unanet Acquires GovPro AI to Enable Customers to Win More Business
From Unanet
November 22, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell