Cybersecurity tabletop exercise: testing to protect your organization against cyber threats

By Mark Brownlee

Ask anyone who plays a musical instrument, takes part in a sport or has a hobby and they’ll tell you the same thing:

Practice is important.

The same is true for organizations when it comes to cybersecurity—you need to know how you will respond when you are under attack.

But unlike with sports, you can’t just grab a ball and heave some shots in the driveway.

That’s where a cybersecurity tabletop exercise comes in.

Here are three reasons why your company should consider taking part in one.

It forces you to develop (and test) a cybersecurity plan

One of the big benefits of a cybersecurity plan is also the simplest.

About 82 per cent of organizations in Canada have a cyber incident response plan, according to CIRA’s 2022 cybersecurity survey.

That may look pretty good. But a deeper dive into the numbers shows the results are not what they seem at first glance.

There are still 18 per cent of organizations that either don’t have a plan or aren’t sure if they have one.

Of the 82 per cent that do have a plan, only 37 per cent have what they would call a comprehensive plan—the other 45 per cent have what they describe as a basic plan.

Where does a cybersecurity tabletop exercise come into this?

Committing to doing a tabletop exercise might be the carrot (or, possibly, the stick) your organization needs to finally put together an incident response plan.

Or, for those who have a basic plan, upgrading to a comprehensive one.

It shows you where the gaps are in your cyber defences

Cybersecurity is a shared responsibility.

Sure, there might be certain departments within an organization that take the lion’s share of work when it comes to erecting defences against cyber threats (winking at the IT department here).

But this obscures the fact that you can’t keep an organization secure unless everyone is actively working to combat cyber threats.

For example: the leadership team needs to set the direction for the overall organization so cybersecurity is a priority, and the finance department would need to participate if you were the victim of a ransomware attack.

Just look at cybersecurity awareness training, which is one of the best ways you can combat cyber threats in your organization. For it to be effective, you need everyone in the organization to take part in training on a regular basis.

The problem is that there aren’t a lot of opportunities to pull together different parts of an organization to talk cybersecurity and go over plans.

A cybersecurity tabletop exercise does exactly that.

It pulls together the disparate elements of an organization to discuss how to combat a real threat your organization is facing.

Who knows—it might even open some eyes in the organization about the seriousness of cyber threats they are facing on a regular basis.

It’s good practice (chances are, you’ll need it)

Sometimes, cyber threats can seem so vague and theoretical that you can be lulled into thinking they couldn’t possibly ever happen to your organization.

The fact is, though, they’re not.

Just look at the data we collected from our cybersecurity survey. The results showed that six in 10 organizations have used their cyber incident response plan in the previous 12 months.

Another 44 per cent said they had experienced a cyber attack in the previous 12 months.

This is perhaps the biggest reason why you should run a cybersecurity tabletop exercise for your organization: chances are, you will need to use your preparation at some point.

That means you had better get prepared.


As with anything in cybersecurity, practice makes perfect.

Investing in a cybersecurity tabletop exercise for your organization ensures you’re prepared for when a real attack hits.

About the author
Mark Brownlee

Mark Brownlee is a Product Marketing Manager with CIRA Cybersecurity Services. His work, which focuses on the CIRA DNS Firewall and Canadian Shield products, is dedicated to helping protect people and organizations in Canada from cyber threats. His background is in marketing strategy, communications planning and advertising best practices.