What Is a Tabletop Exercise and Why It’s Critical

A few years ago, I was on a cruise when I struck up a conversation with an elderly couple. He told me he had been a junior engineer at NASA during the Apollo missions. Naturally, I was fascinated and peppered him with questions. One story in particular has stuck with me ever since, and it perfectly illustrates why I take tabletop exercises so seriously in cybersecurity.

He explained that on Friday afternoons, the NASA engineering team would grab a beer and run through tabletop scenarios. They’d sit around and ask, “What could go wrong during a mission?” One Friday, a senior engineer suggested running a scenario where three things failed at once. The junior engineers balked. “That would never happen,” they said. “It’s too far-fetched.” But they ran the exercise anyway. In their simulation, the astronauts didn’t make it. That failure turned out to be one of the most valuable lessons the team ever had.

When Apollo 13 launched, the unthinkable happened. Multiple systems failed in sequence, and the crew’s lives hung in the balance. Because the team had walked through a similar scenario, they knew what wouldn’t work. That knowledge pushed them to find a different solution, and ultimately, it saved the astronauts’ lives.

That’s the essence of a tabletop exercise: preparing for the worst so you’re not improvising in the middle of a crisis.

What a Tabletop Exercise Looks Like in Business

In cybersecurity, a tabletop exercise is a practice session for your incident response plan. It’s not theoretical or abstract; it’s a simulation of real-world scenarios that could cripple your business.

We gather the key players, such as the CFO, legal counsel, communications, IT leadership, and often the CEO, in one room. Then we run through a scenario. Maybe it’s ransomware that locks down your systems. Maybe it’s a fraudulent transfer of millions of dollars to a fake vendor. Everyone walks through what they would do, step by step, as if it were happening in real time.

  • Legal considers compliance obligations and potential liability.
  • Communications drafts statements for employees, customers, or the press.
  • Finance evaluates how to contain losses or notify insurers.
  • IT and security decide how to isolate, investigate, and remediate the incident.

The exercise exposes who has the authority to make critical decisions, whether backup systems are sufficient, and whether communication lines break down under stress.

Why It’s Critical

The time to discover flaws in your response plan is not when you’re under active attack. During an actual incident, every minute costs money, reputation, and sometimes legal consequences. A tabletop exercise gives your team the chance to fail safely, to ask the uncomfortable “what if” questions, and to rehearse working together under pressure.

Just like the Apollo engineers, we may never be able to predict exactly what will go wrong. But if we’ve practiced, tested our assumptions, and discovered what doesn’t work in a safe environment, we’re far better prepared to respond when the real crisis comes.

For me, that’s why tabletop exercises aren’t optional. They are as essential to business resilience as backups, firewalls, or insurance. They turn “we hope we’re ready” into “we know what to do.”

How a vCSO Can Help

Tabletop exercises are one of the best ways to show just how valuable proactive cybersecurity planning can be. The challenge? Many organizations know this, but still struggle to run these exercises regularly or don’t have the in-house expertise to make them truly impactful.

If your Calgary or Toronto-based organization sees the value but could use some guidance in building realistic incident response scenarios or facilitating meaningful tabletop discussions, I’d love to help bridge that gap.

Schedule your cyber assessment below.