What Tabletop Exercises Actually Teach Boards
Tabletop exercises reveal whether board and management roles are clear before a cyber event. The value is in surfacing decision, escalation, and communication gaps while consequences are zero.
Tabletop exercises test how governance works under pressure. They show who decides, who communicates, and whether the board knows when to engage or step back.
The real value of a tabletop exercise isn’t in testing the technical plan. It’s in testing the governance.
When a facilitator presents a scenario (say, "this morning at 7 a.m. you receive a call that critical systems are offline and data may have been exfiltrated"), the first decisions that get made are governance decisions. Who speaks? Who decides when to notify regulators? What do you tell customers before you know the scope? Who coordinates with legal? When does the CEO engage publicly?
In almost every tabletop I’ve participated in or observed, those first decisions surface clarity problems no one knew existed. The response plan assumed everyone would know their role. The exercise reveals they don’t, or that the roles conflict, or that the escalation path reaches a bottleneck at exactly the moment speed matters most.
In one tabletop exercise, the facilitator posed a straightforward decision: you’ve just been breached. Do A or B? A senior leader in the exercise suggested that we pause, reflect, study the situation further, and assess before acting.
In a crisis, that instinct is understandable, but extremely costly. When technology leaders are slowed at the moment action is required, exposure increases rapidly. Delay doesn’t create clarity; it compounds risk. The board’s role is to stay engaged and informed, but also to know when to step back and let management move quickly to address the immediate problem.
A good external facilitator is valuable precisely because they push back. When a board member wants to notify regulators before the scope is known, the facilitator asks: what are you going to tell them? You don’t know yet what happened. That push creates clarity about what good decision-making looks like under pressure. It’s the board and management working through the problem together, which is exactly what needs to happen in a real event.
The goal isn’t to “pass” the exercise. It’s to find the gaps while the consequences are zero.
In my own work, we’ve incorporated exercises that include both the board and management team. None of this is comfortable the first time. But organizations that do this regularly are better positioned when the real event occurs. Not because they rehearsed the right answers. Because they practiced the right process.
Culture matters here too. If an organization lacks risk discipline, weak behavior at the edges can bypass strong controls at the center. Readiness depends on how people act under pressure, not only on what tools are installed.
