{"id":5349,"date":"2025-10-14T07:00:00","date_gmt":"2025-10-14T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5349"},"modified":"2025-10-14T07:00:00","modified_gmt":"2025-10-14T07:00:00","slug":"cisos-must-rethink-the-tabletop-as-57-of-incidents-have-never-been-rehearsed","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5349","title":{"rendered":"CISOs must rethink the tabletop, as 57% of incidents have never been rehearsed"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Nearly three out of every five (57%) significant cyber incidents involve attacks the cybersecurity team had not prepared for, suggesting CISOs need to re-evaluate \u2014 and in some cases recommit to \u2014\u00a0their tabletop strategies.<\/p>\n<p>According to the <a href=\"https:\/\/cytactic.com\/resources\/cybersecurity-incident-response-management-report-2025\/\">Cytactic 2025 State of Cyber Incident Response Management (CIRM) Report<\/a>, which surveyed \u201c480 senior US cybersecurity leaders, including 165 CISOs,\u201d that 57% figure \u201creveals a major vulnerability. Organizations often train for known threats like ransomware, but these incidents prove that the real chaos comes from the unexpected.\u201d<\/p>\n<p>As a result, security teams may be ill-equipped to handle novel threats if they don\u2019t continuously refresh their tabletops, the report concluded. \u201cThe true benefit comes from the ability to make these exercises relevant and realistic,\u201d according to the report. \u201cBy building simulations that are tailor-made to the organization, industry, sector, risk, and threat profile, these exercises become more than just a security drill. 
They transform into a critical tool for alignment across the entire business.\u201d<\/p>\n<p>Analysts and cybersecurity consultants see multiple problems with how enterprises <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">conduct tabletops<\/a> and other preparation exercises, ranging from not getting realistic enough to testing grand but unlikely attack scenarios.<\/p>\n<p>One consultant, who asked that his name not be used, gave an example of a recent tabletop where the enterprise had purchased burner phones for all relevant personnel so that they could communicate securely in case the attacker was monitoring communications.<\/p>\n<p>In the attack exercise, management insisted on participants actually using their burners in the run through only to find that many employees took a long time to find the burner phones because they didn\u2019t remember where they were hidden.\u00a0<\/p>\n<p>In another instance, SOC staffers found the lists of people that need to be contacted during a major breach. But when the CISO insisted the team actually call, message, or email those contacts, they discovered that many of the phone numbers or messaging addresses were disabled.\u00a0<\/p>\n<p>\u201cIt really is impossible to prepare specifically for an attack,\u201d says <a href=\"https:\/\/moorinsightsstrategy.com\/team\/will-townsend\/\">Will Townsend<\/a>, a VP and principal analyst at Moor Insights &amp; Strategy. 
\u201cYou can have the best plan, but bouncing emails and not being able to find the backup phones, that\u2019s a problem.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Focus on roleplaying smaller attacks<\/h2>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/vincent-stoffer\">Vincent Stoffer<\/a>, CTO for security vendor Corelight, suggests CISOs focus more on smaller breaches rather than massive attacks.<\/p>\n<p>\u201cMany tabletop exercises specifically focus on the technical elements from the bottom up [and] over-index on dramatic breaches rather than realistic adversary tactics,\u201d Stoffer says, adding that, regardless of the size of the attack, most cybercriminals prefer subtle tactics that are often not anticipated.<\/p>\n<p>\u201cAttackers more often succeed through subtle behaviors like lateral movement or quiet data exfiltration that don\u2019t get simulated enough,\u201d Stoffer says. Attackers are \u201cgoing to use whatever methods will get them access to the objective, usually the crown jewels, complete compromise of an Active Directory, identity server, PII, etc.\u00a0They may start very slowly and methodically to avoid detection, or they may use well-worn but generally less alarm-raising techniques for initial access like phishing or credential harvesting.\u00a0Once they have established a foothold in the organization, they can move quickly and quietly using the knowledge they\u2019ve gained in the environment, the observed tools, etc., to avoid triggering alarms.\u201d<\/p>\n<p>What he sees most enterprise cybersecurity teams testing, however, is quite different.<\/p>\n<p>\u201cContrast this with a simulated exercise that relies more on a hypothesis or specific trigger like an alert that a host has been infected with malware. 
While it\u2019s still testing the system and process for IR [<a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">incident response<\/a>], it\u2019s going to generally require less critical thinking, exploration, and discovery to play out the scenario,\u201d Stoffer points out. \u201cThis leads to further trotting the well-worn path that the SOC team knows and understands, which while still helpful as an exercise, I would argue that more is gained by approaching the exercise using more subtle and realistic attack methods.\u201d<\/p>\n<p><a href=\"https:\/\/www.forrester.com\/analyst-bio\/jeff-pollard\/BIO10584\">Jeff Pollard<\/a>, VP and principal analyst at Forrester, stresses that working through the details of contacting people is often overlooked.\u00a0<\/p>\n<p>\u201cThe problem with tabletops is that we try to do too much at once,\u201d Pollard says, suggesting a focus on things such as \u201cthe CISO is on a plane and can\u2019t talk right now. Do we have to talk with customers? How many calls does the CEO need to be on? Can we use the COO for some of those? What about partners?\u201d<\/p>\n<p>Pollard also echoes concerns about burner phone problems. \u201cWe bought everyone burner phones, but do we know where they are? Are they charged? Do [staffers] know the number of their burner phone? In case of a full system outage, did someone think to store paper?\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group, sees a lot of enterprises practicing tabletops for the wrong reasons.\u00a0<\/p>\n<p>\u201cA lot of these folk are only doing it once a year and sometimes they are just doing it for their compliance and insurance, just as a checkbox,\u201d Avakian observes. He encourages CISOs to \u201creally play it out\u201d and to match the tension, stress, and timing of an actual attack. 
\u201cEveryone has their breaking point. We need to learn those things.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Future-proof attack scenarios<\/h2>\n<p>As for the central problem of not knowing what kind of attacks to plan for, Avakian suggests using internal teams or partners to roleplay the most likely attack vectors. To save money, he encourages enterprises to partner with universities for imaginative threat planning and to work with <a href=\"https:\/\/www.csoonline.com\/article\/567485\/what-is-an-isac-or-isao-how-these-cyber-threat-information-sharing-organizations-improve-security.html\">vertical-specific ISACs<\/a>.\u00a0<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ivanshefrin\/\">Ivan Shefrin<\/a>, executive director for managed services at Comcast Business, offers specific suggestions on the kinds of attacks where he would encourage exercises to focus.<\/p>\n<p>\u201cTraditional training exercises tend to focus on familiar threats or perimeter attacks, but we\u2019re seeing attackers constantly find new ways to breach corporate networks. Take low-effort, drive-by compromises. They require no user interaction beyond visiting a malicious site, bypassing awareness training entirely, which is why technical controls remain mission-critical,\u201d Shefrin says.<\/p>\n<p>\u201cThen there are high-speed, short-burst DDoS attacks, which probe and test defenses without setting off alarms. We observed increased use of these attacks, with many lasting fewer than 10 seconds,\u201d he adds. \u201cWe also noted a surge in carpet-bombing DDoS, where attackers spread traffic across multiple IP addresses or subnets simultaneously to complicate mitigation. 
Such attacks can evade defenses that focus on a single IP while overwhelming networks in aggregate.\u201d<\/p>\n<p><a href=\"https:\/\/formergov.com\/directory\/brianlevine\">Brian Levine<\/a>, a former federal prosecutor who today serves as the executive director of a directory of former government and military specialists called FormerGov, says CISOs need to get comfortable with the fact that these tabletops \u201care going to be more reactive than proactive because we can speculate what the next thing is going to be, but we might be wrong.\u201d<\/p>\n<p>Some specific advice from Levine is to not assume that the enterprise is always going to be the target. Roleplay scenarios where different global partners are attacked, he says. \u201cYour options [with a partner being attacked] may be more limited, but you still have options.\u201d<\/p>\n<p>Levine also encourages CISOs to relax and not panic that they can\u2019t test everything. \u201cYou\u2019re not going to be able to test every scenario through a tabletop,\u201d he says. 
\u201cBut by testing some, you will build muscle memory.\u201d<\/p>\n<p>See also:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">Tabletop exercises explained: Definition, examples, and objectives<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/555131\/how-to-conduct-a-tabletop-exercise.html\">How to conduct a tabletop exercise<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1311295\/4-tabletop-exercises-every-security-team-should-run.html\">4 tabletop exercises every security team should run<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/518982\/tabletop-exercise-scenarios.html\">Tabletop exercise scenarios: 3 real-world examples<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/549624\/planning-for-a-security-emergency-from-the-tabletop-down.html\">6 tips for effective tabletop exercises<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/514469\/security-simulations-this-is-only-a-test.html\">Security simulations: This is only a test<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Nearly three out of every five (57%) significant cyber incidents involve attacks the cybersecurity team had not prepared for, suggesting CISOs need to re-evaluate \u2014 and in some cases recommit to \u2014\u00a0their tabletop strategies. 
According to the Cytactic 2025 State of Cyber Incident Response Management (CIRM) Report, which surveyed \u201c480 senior US cybersecurity leaders, including [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5349"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5349"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5349\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5350"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}