Its a Marathon, not a Sprint

A few years ago, I decided to tackle a bucket list item—running a #marathon. To achieve my goal of completing the race—and avoiding injury—I set out to research training plans. The plan was a good start, but it wouldn’t be successful without completing the training, or without the input and assistance of others. So, I found running partners, agreed on a plan, and got to work.

Securing your company and its products from #cyberattacks is no different than training for a marathon. Do you have a training program and partners who can help you keep your IT risk management program strong, nimble, and energized? Have you considered incorporating #tabletop exercises into your plan?

Tabletop exercises (#TTX) are an outstanding component for training and exercising your cybersecurity team. By simulating an attack on your networks, you’ll be able to identify gaps in your incident response plans, capabilities, and execution. A good TTX builds bonds and relationships within your Security Operations Teams and across the broader organization. Just as training for a marathon teaches you perseverance and builds your endurance, the outcomes of a TTX will identify the challenges you must overcome to improve the overall fitness of your #risk reduction programs.

Successfully completing a marathon requires key training elements . . . as does a TTX.

You must have:

— a clear objective for your training: we will cross the finish line in less time, without injury.

executive support: we need training time and good sneakers!

— a good facilitator/facilitation team: expert guidance will improve our running form.

— a realistic scenario with injects: the race course has hills so we will train for hills.

— representation from all stakeholders: we can get better, but only if we are all in!

— an observation team: an outsider can be objective and see things a team cannot

— an environment conducive for constructive and open dialogue focused on developing ideas for program improvement: Teams that have strong personal bonds perform better.

Your objective defines the boundaries of the exercise for the facilitators as they design the scenario. The objective also defines the #stakeholders and may identify a plan and or policies to be tested. Objectives can be narrowly tailored, such as to test incident response (IR) within the Security Operations Center (#SOC) or to test #IR at the corporate level, engaging the SOC, Shop Floor, Product Security, Media Relations, and the #C-Suite.

Executive support provides the time, tools, and talent required to conduct the TTX. Executive support also leads to the creation of an environment that supports the open dialogue necessary to identify areas needing improvement and drive the initiatives to close the IR gaps.

An experienced facilitator and team keeps the environment positive and on track. Your facilitators need to possess outstanding interpersonal and observational skills. Effective TTX leaders will ensure every stakeholder participates and shares their ideas. Good facilitators meter the over-engaged and challenge the under-engaged. They prevent a TTX from going down a rabbit hole or getting stuck on any one issue.

Realistic scenarios are a must. Design TTXs so that participants feel that the event is one that is very likely to occur. Well-designed TTXs often include news clips of current world events or video messages from key people, adding an element of realism for the players. Injects allow the TTX to be more dynamic and replicate real-world obstacles and constraints that challenge those around the table.

You need at least one representative from each functional role impacted by the exercise. Having all stakeholders and personalities engaged further adds to the realism. It also helps build relationships across the company, particularly in broad-based TTXs.

An observation team affords the players the opportunity to continue engaging in the scenario while critical points for improvement are being made. It is important that your facilitators speak the language and jargon of the players. Allow observers, but avoid having them engage in the TTX.

A good work and training environment removes unnecessary distractions from the exercise. The TTX should be a fun, positive event that encourages and enables all participants to fully participate and play a role in the event.

In my pursuit to complete the marathon, there were many times training time was lost due to work and family priorities. It required training in off-hours and a string of small sacrifices. In the end, the marathon was painful—but crossing the line was an incredible reward. Make no mistake—protecting your network and products from cyberattacks is a marathon. Train like it.

For more on Aviation industry TTX exercises, contact the Aviation ISAC at


© 2020. Aviation Information Sharing and Analysis Center. 

Privacy Policy Statement