Tabletop exercises enable organizations to analyze potential emergency situations in an informal environment, and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements.

Such exercises seem like a natural fit for information and physical security, because they provide a forum for planning, preparation and coordination of resources during any kind of attack.

“Tabletop testing generally takes the form of a discussion-based exercise, and involves reviewing roles, responsibilities and response efforts required to respond to a given security incident,” says Jay McLaughlin, CSO and senior vice president at Q2, a provider of software for the financial services industry.

Six tabletop testing tips:

1. Take the time to prepare for the exercise
2. Involve multiple parties from throughout the organization
3. Make sure the participants know the ground rules of the exercise
4. Leverage resources from within your industry and the government
5. When exercising, broader can be better
6. Make the scenario as realistic as possible

“Testing tends to provide a high-level estimate of the potential for success in the event of such an incident,” McLaughlin says. “The major benefit of using these types of exercises is that they provide real scenarios in a non-threatening, non-disruptive format—and can be rather economical to conduct. The goal [is] that participants and management become more aware of possible gaps or weaknesses that may exist in the incident response plan.”

But what are the best practices for using security tabletop exercises? We asked some security executives to weigh in on the topic, and here are a few of their suggestions.

Take the time to prepare for the exercise.

“Preparation is a critical key to success in these exercises,” McLaughlin says. “During the planning phase, the objectives, scope, and participants must be determined.”

This is often the most time-consuming phase of planning for the exercise itself, but it will ensure that the exercise is valuable, McLaughlin says. “When conducting the exercise, it is important that the facilitator enforces boundaries and helps guide the conversation, to prevent the group from going down the proverbial rabbit hole, which can often derail the exercise,” he says.

Conversations should be focused on the efforts required for detection, containment, eradication and recovery from an incident, McLaughlin says. Following the exercise, a post-incident summary of the activities should be documented and reviewed, he says. This review should capture lessons learned, as well as what could be done to improve the overall response efforts for future incidents.

Involve multiple parties from throughout the organization.

Develop a list of business function leaders from across different areas of the company who will be part of the tabletop exercise team, in addition to those from security.

“A tabletop exercise allows you to not only test your incident response capability, but it gives you the opportunity to coordinate across various teams including human resources, communications, legal, compliance, IT, physical security, etc.,” says Mary Chaney, senior team leader, Incident Response & Data Management, at GE Capital Americas, a financial services unit of General Electric Co.

“The problem that we as security professionals face is the lack of visibility until something bad happens,” Chaney says. “A tabletop exercise gives you the ability to reach out in a non-stressful environment to ensure the relevant parties are engaged timely and appropriately. Most importantly, [other] business leaders actually know your name and that you are there to help.”

Involving business leaders in tabletop exercises “also gives senior leadership comfort in knowing that we are doing something to test our response and communications capability,” Chaney says. It’s a good idea to draft a report of the findings “and share it with all relevant stakeholders,” she says. “Seek assistance with addressing gaps in the process and take the time to solidify who actually has decision-making ability, before the crisis happens.”

Having others from outside security sitting in on a drill can provide “a level of awareness as to why [information security] imposes controls that prior to the drill may have been viewed as excessive,” says Mark Olson, director of information security at Iron Mountain, a provider of storage and information management services.

“By running a drill that follows an attack from drive-by to a simple compromise of a desktop, followed by a sideways attack on a server, [security] starts to make sense,” Olson says. “Suddenly, the [information security] approach and program philosophy are no longer a ‘sky is falling’ theory but have a tangible risk reduction purpose. The tabletop exercise is the opportunity to demonstrate the purpose and value of our InfoSec program.”

Make sure the participants know the ground rules of the exercise.

“Communicate what is in scope for the exercise and out of scope,” says Elayne Starkey, CSO for the State of Delaware.

“Participants get frustrated if the ground rules aren’t explained or provided to them before the exercise,” Starkey says. “Frustration can lead to those individuals having a negative experience during the exercise, and could result in them not getting a lot of value from the exercise.”

Participants could then decide that exercises are a “waste of time” and not volunteer to participate in others, Starkey says. “In our exercises, each participant receives a copy of the official ground rules,” she says.

Ensure that the participants know how to communicate during the exercise. “For example, are they to simulate communications or should they actually communicate their decisions to other individuals that are participating?” Starkey says.

Leverage resources from within your industry and the government.

Some industry organizations provide services to help companies conduct tabletop exercises. For example, the Financial Services—Information Sharing and Analysis Center (FS-ISAC) is a financial services industry forum for collaboration on critical security threats facing the global financial services sector.

GE Capital Americas belongs to FS-ISAC, Chaney says. “They have several different types of tabletop exercises that are facilitated by them, which cover various types of scenarios,” she says. “The exercises are designed to test internal and external response capabilities.”

In a recent exercise with FS-ISAC, GE Capital tested communications inside its environment and determined at what point an event rises to the level where the company should communicate with other FS-ISAC members.

It’s also a good idea to invite outside agencies from federal, state and local government to participate. There are two reasons to do this, says Robert Connors, director of preparedness, Wounded Warrior Project Partnership at Raytheon Co., a provider of electronics, defense, communications and other systems.

“First, to get to know them and for them to get to know your environment before a crisis occurs,” Connors says. “Second, so they can learn from you and share best practices with you. It's a mutually beneficial partnership.”

When exercising, broader can be better.

When structuring a tabletop, it’s important to scope the breadth of the exercise, Olson says. “When running a drill from detection through customer and public disclosure, a wealth of knowledge of your program is presented,” Olson says.

“In the InfoSec world we typically view drills as the opportunity to validate our processes and procedures,” Olson says. “In a drill that runs through to handling the public disclosure you gain much more. It provides a view into the organization’s understanding of information security. It gives insight into how effective your security awareness training program is.”

Make the scenario as realistic as possible.

“People tend to try to ‘fight’ the scenario,” Starkey says. “If it is a realistic scenario or event that is simulated, the fighting doesn’t occur. Invite subject matter experts to the planning team to accomplish this.”

For example, a recent exercise in Delaware was a cyber attack on the power grid, “and we included a rep from our largest utility to help write the exercise injects,” Starkey says.