Ethical Tabletops: Analysis for Every Team

How do these exercises help security? Why do companies perform tabletop exercises, and how can they make them more effective?

Liliana Albright

6/23/2025, 3 min read

people sitting on chair in front of table while holding pens during daytime

The first time I ran a tabletop exercise, I was terrified. I had been part of several in the past, participating in pulling documentation and providing input on the way a threat actor might access a certain server. This time was different.

Tabletops are an unusual beast for security practitioners. We usually stick to the quieter spaces of tech and, like helpdesk analysts/technicians, we tend to be quietest when we're doing our job correctly. Tabletop exercises are where that all changes - we are seen by the entire company, leading a charge against our own machines and processes, pointing out flaws and inaccuracies for teams that we don't interact with often. We step on toes, so to speak.

I looked down at the notebook I had before me. By this point, I was still quite new to the security industry, having graduated only a few years before, and had been asked to run the tabletop with very little time to prepare the scenario. I had spent several days deciding on incident topics, notating teams, creating planning documents. This organization had never run a tabletop before themselves - I was creating a process for it, and I was nervous.

When the attendees arrived, they were very clearly not expecting much to come out of this exercise. To me, this was a big step forward in my career. To them, it was Wednesday and they were just asked to come to a meeting with a lot of their distant peers by a security practitioner that they had only just started to know the name of.

This is where the talk about tabletop 'comfort' comes in. When running any security exercise, by nature, you're bound to step on the toes of the team who built the system, process, application, or any other resource that comes into play. Your job is to find vulnerabilities, compliance gaps, or other markers of insecure practices - this isn't to point fingers, but to then address and improve those same resources. Unfortunately, it doesn't draw the best attention to the security team when done improperly.

In a past tabletop, I had watched a senior member of the team take the wrong tone when uncovering a lack of processes with another team. He made a snarky comment about a project that they had been focusing all of their time on, implying that they should have been working on these processes instead. They weren't as keen on attending the next tabletop a few months later.

As I thanked the growing crowd for attending, I remembered that moment and made a promise to myself. I would conduct this exercise with as much compassion for those attending as possible while gaining as much information on the processes and systems of most concern.

We started talking about the topic - ransomware. I went over a brief explanation and started diving in, asking questions to each team and providing them with a resource and process sheet. We were all gathered for a long time - about 4 hours - but in the end, it was worth it.

"This one is missing, but I think we'll be able to get it completed quickly if we can push it to the front of our queue," one member of the HR team said regarding an onboarding process. They were an organization that was frequently plagued by undocumented knowledge, having many users that simply kept processes in their head from many years of experience. I noted the process and asked a few more questions about its exact purpose, then looked at my compliance sheet. We had closed several sizeable gaps by addressing this process alone, and I could practically hear the sigh of relief from our auditors on the next review.

By the end of the tabletop, we had an enormous spreadsheet of documentation - improvements, missing documentation, and the section that I had made a point to add in about documentation 'kudos'.

This was something I had always noticed coming out of past tabletops. I felt icky, exposed - like all of our processes had been thrown back in my face. There was almost never a sunny side to the ones that I had attended (outside of free donuts).

After reviewing the missing documentation and documentation needing improvement, we reviewed the 'kudos' doc. I had written down pieces of documentation that had been reviewed and were impressive - they had taken obvious effort and care to put together, fulfilled large compliance requirements, or were very regularly updated. I provided an anonymous survey on the tabletop and received some improvements of my own, which I then applied to my later exercises.

That year, we scored much higher on compliance assessments than in the past. The security team that I worked with received more questions than we ever had before, about the tabletop and about other topics entirely.

Since that time, I've performed tabletops at every kind of company imaginable and have loved the process every time. Knowing how much benefit they can bring is an amazing and satisfying thing.