Before the Incident: Lessons from a Cyber Security Tabletop Exercise
By Steve Sharer
Twenty minutes into the tabletop exercise, the dice came back out.
I was co-presenting a simulated incident response tabletop exercise with NGO-ISAC at an event we hosted with the Technology Association of Grantmakers. Sixty leaders from nonprofits, foundations, and advocacy organizations had formed small groups of four to six. None of them were sitting with their own colleagues. Each group had rolled to determine their scenario and talked through the initial situation for about fifteen minutes. Then the third roll dropped a complication on top of everything they had already decided.
You could feel the tension in the room. Shoulders hunched and conversations got faster and quieter. A few groups stopped and stared at their packets for long moments before someone broke the silence and asked what they should do.
That moment—the one right after the complication is introduced—is where the value of preparation in the event of a nonprofit cyber security breach shows itself.
What the Room Reported Back
After we concluded the exercise, I asked the participants what they noticed. Every group identified the same patterns.
The most challenging part of responding to their incident, groups noted, was the lack of context. They had to make decisions with partial information while the clock kept counting down. The pressure felt real even though the incident wasn't.
The complications I added at predetermined points changed how groups communicated, both internally to staff and externally to communities, the press, and law enforcement. One specific complication created tension around how the organization handled the incident, which created distrust among the staff. Participants noticed that an organization's structure and culture shape its incident response as much as any technical control.
What surprised them most was how stressful the exercise was, even though it was a simulation. They also weren't expecting the complications to compound: each new piece of information added a task, reframing everything they had already decided.
When I asked what they were taking back to their organizations, two main answers came up. The participants wanted to run a similar exercise with their own teams. They also wanted to work through a self-assessment RipRap distributed at the beginning of the event to figure out which preparation activities made the most sense for their organizations.
The Two Halves of Incident Preparation
Watching the room work through the exercise reinforced something I tell partners. Incident preparation is two distinct activities, and you need both.
Step 1: Write an incident response plan. This is the document that says what you will do, who will do it, who needs to be contacted, and in what order. It includes the boring logistics (who has the after-hours phone tree, where the contact list lives) and the harder questions (when the board should be notified, what to communicate publicly, how and when to notify the cyber insurance provider, when to engage law enforcement). A plan written in calm conditions is the only kind of plan worth having. Trying to figure out an incident response process while you're in the middle of an incident is the wrong time to do it, costing the organization time, clarity, and money.
Step 2: Practice the plan through a tabletop exercise, then update it based on what you learned. This is where the plan meets reality. You may discover that a key contact's role has changed or that there is confusion about who is handling external communications. You might notice that your plan doesn't address a board member's requests for hourly updates. None of that is a failure. It's the point.
The order matters. A tabletop exercise without an incident response plan results in stress, with no tangible document to improve upon. A plan that is never practiced is just an out-of-date document, not a capability.
There is a second value in the exercise that only shows up after you run it more than once. The practiced response gets faster and steadier. Decisions that took twenty minutes the first time take two-thirds of that the second time because the team has moved through them before.
What the Exercise Surfaced About Preparation Itself
A few broader observations from the room:
The scenarios both started in the digital world and quickly spilled into the physical and political ones. Leaked documents drew donor pressure, hostile press coverage and social media posts, as well as outreach from regulators. A staff member's detention at a public demonstration drew threats against other employees, unannounced visitors at the office, and a board member speaking publicly on social media. Incident response rarely stays in one lane for long. The plan has to be flexible and adaptable as the situation evolves.
How an organization communicates during an incident shapes how it is remembered afterward. Preparation is what makes clear, trustworthy communication possible. Without a plan, the communications response is improvised under the worst possible conditions, which could lead to mistakes and make the public response slower and clumsier.
The goal of preparation is to turn a lack of clarity and a low hum of anxiety about incidents into a plan of action that can be implemented under pressure. That is the whole point of an incident response tabletop exercise.
Funders, partners, and third parties belong in the planning process. Many of the participants worked at organizations whose response to an incident needs to involve grantmakers, technology vendors, or coalition partners. Building those relationships into the plan before the incident is dramatically easier than trying to coordinate multiple stakeholders during a crisis.
Who is in the room shapes what you learn from the exercise. At our event, we deliberately asked participants to form groups with people they didn't know. No one sat with their own colleagues, which helped us uncover how different organizations think under pressure, what assumptions are made when you can't fall back on shared shorthand, and who you might call the next time something goes sideways.
When we facilitate a tabletop at your organization, the design changes. We recommend working through the exercise with decision-makers who would take charge of the response during a real incident. Invite leaders from operations, communications, legal, and technical. The people who would make the emergency calls to your funders, partners, and grantees to communicate the news and next steps should participate. If the people participating in the exercise are also the people who would run the response, the exercise will have a greater impact.
Building and maintaining relationships, internally and externally, is one of the most underrated parts of incident preparation. The people you trust in a crisis are the people you already know.
Where That Leaves Us
If your organization doesn't have an incident response plan yet, it’s imperative to write one. If you have one, read it again. Ask your incident response team to read it.
Once the plan exists, schedule the exercise. It does not need to be elaborate. A ninety-minute session with the right people in the room and a scenario that feels plausible will surface more than you expect.
And then update the plan. That's the process: plan, practice, update, repeat. The organizations that handle incidents well are the ones who treat preparation as something worth doing more than once.
Thank you to the team that powered and facilitated this exercise!