This week the Nashville Banner reported on Nashville Electric Service's response to January's ice storms, citing a "non-specific Emergency Response Plan" as a contributing factor in the utility's shortcomings. Lives were disrupted. Service took longer to restore than it should have.
Reading that, I couldn't help but think about incident response in cybersecurity. Not because the situations are identical, but because the failure mode is.
A Plan Is Not a Capability
Most organizations have an incident response plan. It lives in a shared drive somewhere. It has an approval date on the cover page. It lists roles and responsibilities in a way that looked reasonable at the time it was written.
What most organizations haven't done is stress-test it. They haven't gathered the people named in that plan in the same room and asked: what would we actually do at 2 a.m. on a Saturday when the alerts start coming in?
That's what a tabletop exercise does. It takes the plan off the shelf and subjects it to pressure. And pressure has a way of revealing things that a document review never will.
What Gets Revealed in a Tabletop
In nearly every tabletop exercise I've facilitated, the same categories of gaps emerge:
- Roles that are assigned but not understood. The plan says "the CISO notifies legal." Nobody has tested whether that notification chain actually works, or whether legal knows what to do with the call.
- Decision authority that's unclear under pressure. Who can authorize taking a system offline? Who approves paying a ransom demand? Who speaks to customers?
- Dependencies that weren't mapped. A ransomware scenario stalls when the team realizes their backup validation process requires access to the same environment that's been encrypted.
- Communication gaps. Internal teams don't know who owns external communications. The PR team has never been in the room for a security conversation before.
None of these gaps are unusual. Most of them are fixable. But you can only fix what you've found.
The Part Worth Saying Out Loud
I want to be careful here: I'm speculating about NES. Plenty of organizations run tabletop exercises that don't result in meaningful improvement to the plan. The exercise becomes a compliance checkbox rather than a diagnostic tool. The gaps get noted in a summary document that nobody acts on.
The exercise itself isn't the goal. The goal is a response capability that holds when it's actually needed. That requires honest facilitation, candid debriefs, and follow-through on what the exercise revealed.
If You're Not Sure What You'd Do
If a breach happened tonight, and you're not sure whether your team would know their roles, who to call, or how to contain the damage, that uncertainty is worth taking seriously. Not because a breach is certain, but because the cost of finding out during an actual incident is significantly higher than finding out during a tabletop.
Nearest Solutions facilitates incident response tabletop exercises designed to surface real gaps and leave your team with a clearer, more actionable plan.