• March 2, 2023

Turn the Tables and Build a Better TTX

Turn the Tables and Build a Better TTX

Turn the Tables and Build a Better TTX 1024 536 Vantage Technology Consulting Group

The TTX you manage to do is 100% better than the ones you don’t.

An incident response (IR) plan without people is just pixels and paper. Regularly testing and updating your institution’s information security IR-related policies, procedures, and plans helps your team to identify gaps and be more prepared for an incident. Hosting an information security tabletop exercise workshop (TTX) is one of the best ways to have your team think through the current IR plan, document activities that you expect to occur during an incident, and incorporate lessons learned. Coordinating a TTX does require focused effort and attention, but it can also be a low-cost activity that provides additional benefits to your team and the institution. After-action reports and other documentation created following a TTX are helpful in addressing compliance requirements and can be used for audit purposes to demonstrate that an institution is prepared for an incident.

Maximize the Outcomes and Do More with Less

Many institutions are facing stagnant or reduced budgets, reductions in force, and increased staff workloads. As EDUCAUSE researchers observed in 2022, a prominent theme for many IT units is “to become more agile and efficient and to respond to the evolving needs of their organization.” While institutions experience resource constraints in different ways, being prepared for an incident remains a priority. The good news: your investment of time and energy in a TTX will have a beneficial impact in myriad ways.


A TTX is an opportunity to work together as a team to analyze a scenario and determine the best response. You will hear a diversity of viewpoints and how each team member might approach a particular issue or solution. You will also have a better understanding of each person’s role within the team and get the chance to educate others about your role and responsibilities. Ideally a TTX will include members from different teams across the IT department (and campus), which allows for building or reinforcing cross-team relationships.

Staff Development

A TTX is also a useful interactive training tool for staff development. You are dedicating focused staff time to problem-solve as a team. Treating a TTX as an abbreviated staff retreat also gives everyone time to step away from day-to-day security operations and strategically analyze the scenario while allowing the team to familiarize themselves with other people’s roles and responsibilities. If you’ve been hosting these kinds of workshops on a regular basis, you might switch things up to challenge your team. Try asking staff to play different roles. For example, the CIO and Director of Enterprise Architecture or the security engineer and the CISO could swap places. The team will still work from the same IR plan, but will experience the scenario from a new perspective, leading to new insights for the team overall. This is also an opportune time for IT leaders to observe staff and develop succession planning strategies.

Leadership Engagement

IT teams can demonstrate how prepared the institution will be following an incident by involving campus leadership. Ideally, a TTX will include the President or Chancellor, Provost, CFO, deans, department heads, and other campus leaders for a significant portion of the workshop. This allows you to illustrate to campus leaders that you have a comprehensive plan in place that can be effectively executed. A workshop involving campus leadership gives the team a chance to display their knowledge, skills, and collaborative approach to solving complex problems, and underscores the team’s dedication to protecting the campus in support of the institution’s educational mission and strategic priorities. An added bonus: TTX activities with leadership involvement can provide insight into leadership’s decision-making process when it comes to security risks.

Awareness and Training

Practicing for an information security incident is equally as important as practicing a fire drill. In order to be prepared for a potential fire, you need to know the layout of the building, reasonable exit strategies, and the most direct route to escape safely. A TTX is an excellent educational tool for organizational awareness if you can expand your roster of participants to other campus departments. The more people at an institution who understand the cybersecurity risks, as well as established policies, plans, and procedures, the more prepared and resilient the organization. Everyone (not just the IT or information security team) should leave the workshop with a better appreciation of your team’s roles and competencies. These simulations also allow you to strengthen relationships between departments and reinforce communication channels.

Choose a TTX Format That Fits Your Needs

There is no single way to run a TTX. You should choose the type of TTX that works for your time, budget, and colleagues’ attention spans. If you don’t have the time or ability to coordinate and plan a TTX, consider bringing in a specialized consultant to assist. You can still lead the conversation but will have help setting up and running the TTX. Consultants can also fully lead the TTX and will provide valuable feedback to improve the IR plan and your team’s approach when faced with an incident.

Remember to design your TTX with DEI principles in mind. Facilitators should be mindful of any equity and inclusion obstacles for participants. Modify your TTX to ensure that the correct team members can participate and that remote participants are engaged, especially if it’s a hybrid workshop session with participants attending both physically and virtually.

– A half-day workshop consists of the IT team and select individuals from other departments directly involved in campus incident and/or emergency response, depending on the TTX focus. If campus leadership is available for the final one to two hours, encourage their engagement as it increases the usefulness of the exercise for the entire institution. A facilitator leads the group through four to five scenarios in escalating severity and encourages participants to discuss their initial thoughts and response activities. Participants also identify gaps in knowledge and specify necessary improvements to documentation and communications across teams.

– A full-day or multi-day TTX is considered a fully immersive TTX workshop. These are recommended for institutions with fairly mature and comprehensive IR plans and procedures in place. These extended workshops include a series of escalating scenarios, but go more deeply into the step-by-step outlined response activities in the institution’s response plan. This kind of TTX is difficult to plan and schedule, but produces high-value outcomes for the participants and the institution.

– A mini TTX consists of a single scenario instead of escalating scenarios. These can be conducted in 60 minutes with smaller teams, making it easier to schedule and also enabling you to conduct it more regularly with less disruption to daily operations. Like the traditional half-day TTX, participants are encouraged to discuss their initial thoughts and response activities, as well as who they might reach out to for assistance. If your IR plan is already mature, mini TTXs provide refresher training on the existing documentation and processes and can reinforce cross team-relationships with group problem solving.

– A micro TTX would be “single-player” on-demand online content. It presents a suspicious cyber-scenario and asks the user to think critically about what the user does and does not know from the information provided. It also asks the user what next steps they would take and what websites or digital resources they are familiar with that could help them. These are excellent community awareness and training activities. While very different from a traditional TTX, the micro version achieves the same overarching function of practicing a user’s response and refamiliarizing the participant with the digital resources the institution has available.

– A less formal TTX activity might appeal more to your group. Black Hills Information Security has developed an incident response card game called Backdoors & Breaches. The cards are designed to be useful as informal prompts for IR discussions. However, the game also includes competitive rules and Black Hills offers the ability to play the game competitively online. This game was developed for IR team training, as well as for use as an educational tool for students.

Bottom line: The TTX you manage to do is 100% better than the ones you don’t. Practicing your team’s response capability and preparedness and acting on lessons learned are the primary goals of the TTX. However, planning your TTX thoughtfully and with your audience in mind will achieve benefits above and beyond updating the IR plan. Tailoring the TTX experience to your institution and team not only results in a greater understanding of how to address an incident, it also enhances relationships among the team and with leadership and stakeholders.

This post was co-authored by Senior Strategic Consultant Jacqueline Pitter, who advises clients on network modernization, information security program development, and technology architecture, Senior Strategic Consultant Valerie Vogel, who advises clients on information security and privacy awareness and education programs, IT and data governance design and implementation, and strategic planning, and Strategic Analyst Sarah Norwood, who collaborates with clients to address strategic planning, organizational assessments, IT governance, and information security program development.