What is an Incident Response Tabletop Drill?

Tabletops are just what you would think: a bunch of people sitting around a table talking about an incident scenario. It is not a real scenario, but it does need to be realistic. Think about a fire department having a tabletop where they are testing their plan to respond to a fire. They would review each team member's roles and responsibilities. They would check to make sure they had all the appropriate contact numbers for other nearby fire departments, police, hospitals, and other first responders. Most importantly, they would test their plan to make sure each team member knew what to do so the team could snap into action when needed. A B2B SaaS incident response tabletop drill is not that much different.

Aren’t tabletops just for IT?

Most incident response tabletop drills (also referred to as exercises) include specific simulations like a ransomware attack holding data hostage or a breach by an intruding bad actor. These are both excellent drills, but they don’t always cover the basics necessary for a B2B SaaS team to respond effectively and efficiently to an incident. These two very specific simulations focus heavily on technology, while a comprehensive tabletop truly tests the full incident response plan.

Incidents can trigger the Business Continuity Plan, the Disaster Recovery Plan, or both. To be a comprehensive tabletop drill, these alternatives should be considered when building a simulation scenario. For instance, losing DNS to the SaaS application that serves your customers is an incident that needs to be drilled. It will most likely initiate the Disaster Recovery Plan. It is probably not going to be a business continuity event. If the DNS outage knocking down your SaaS application was an AWS or Azure DNS outage that also impacted other services like your CRM or VOIP system, then the Business Continuity Plan might also need to be enacted.

Who sits at the table?

When taken in the context of a full incident response team event drill, it is much simpler to embrace the need to drill all plan components, not just IT. Going back to the fire department example, for a B2B SaaS provider, there are many similarities. The tabletop drill will consist of reviewing the team member roles and responsibilities. While reviewing roles is normally not part of the drill itself, it is part of the training needed to have an effective drill. Roles will include at least the following:

  • Incident team leadership
  • IT triage and troubleshooting
  • IT forensics analyst
  • Event tracking and record keeping
  • Internal company communications
  • External customer communications
  • External third-party communications

Lessons Learned

A tabletop drill is not complete until a detailed after-action review is conducted to create an artifact of lessons learned. It is common for tabletops to drive several new actions. Specific policies might need to be reviewed and updated. Contact lists may be out of date and need revisions. New tools may be identified for triage and forensics. Team backups may need to be expanded. No question, the lessons learned are the most important part of a tabletop drill.

Photo credit to Benjamin Child.

If you need help thinking through this or other leadership challenges, let’s have a discussion to see if I can help in some way.
