Editor’s note: This article, originally published in 2006, has been updated to reflect recent trends.
A tabletop exercise is an informal, discussion-based session in which a team talks through their roles and responses during an emergency, walking through one or more example scenarios. It’s a great way to get business continuity plans off the written page without the interruption of a full-scale drill: rather than actually simulating a disaster, a group within the company gathers for a few hours to talk through a simulated crisis.
The exercise is increasingly a staple of IT security preparedness programs. “I find that companies who have a healthy respect for their cyber risk are the ones doing tabletops,” says Dan Burke, Senior VP and National Cyber Practice Leader at Woodruff Sawyer. “Designing an incident response plan is beneficial, but putting it to the test will give you the practical insights that only come from experience.”
If you’re new to the idea of tabletop exercises and want a solid overview of what goes into one, check out our in-depth explainer on the topic. But if you have a handle on the basics and are thinking about how you can most effectively implement a tabletop exercise at your own organization, then read on. We’ve collected some tips on best practices from a range of security pros, who have also helped us put together some example scenarios that should give you some ideas for your own exercises.