How to Run a C-Suite Tabletop Exercise
A bad tabletop is worse than no tabletop — it creates false confidence. After facilitating more than 150 executive tabletop exercises, the patterns of what makes them useful, and what makes them theater, are very clear.
Cyber tabletops should not be about testing whether your team knows the incident response plan. They should be about testing whether your organization can make decisions under pressure with incomplete information. That framing changes how you design them. This guide is the condensed version of everything I wish I had known before facilitating my first session.
Step 1: Choose a Scenario That Stresses Decisions
The first mistake is choosing a scenario that is technically interesting but strategically trivial. "Someone clicks a phishing link and gets malware" is boring at the executive level. The right scenarios create genuine dilemmas:
- Ransomware with backup failure → do you pay, and who signs off?
- Data exfiltration of customer PII → when do you notify, and what do you say?
- A zero-day in a system you cannot patch → do you take it offline and eat the revenue hit?
- A credible extortion threat with no proof of access → do you engage?
- A breach at a critical vendor → who owns the response?
The test of a good scenario: can you imagine reasonable executives at the same table disagreeing about the right answer? If yes, it is worth running.
Step 2: Write Injects That Force Movement
An inject is a timed piece of new information delivered to the group during the exercise. Good injects:
- Arrive on a schedule the facilitator controls, not on demand
- Introduce new facts that invalidate earlier assumptions
- Force a decision with visible trade-offs
- Include at least one inject per major stakeholder role
- Include at least one inject the group has no playbook for
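A small checker for an inject plan against the rules above, added here as an example and not part of the original guide. It assumes a fixed list of required stakeholder roles (taken from the cast list later in this guide) and a constructed ransomware-with-backup-failure plan; adjust both to your own room and scenario.

```python
from dataclasses import dataclass

# Roles that must each receive at least one inject. Assumed set, drawn from the
# cast list in this guide; the optional CHRO and board observer are left out.
REQUIRED_ROLES = {"CEO", "CFO", "General Counsel", "CISO", "CIO", "Head of Comms"}


@dataclass(frozen=True)
class Inject:
    minute: int          # delivery time, minutes after the exercise starts
    target_role: str     # the stakeholder this inject forces to act
    summary: str
    has_playbook: bool   # does the existing IR plan already cover this decision?


def check_inject_plan(injects):
    """Return a list of problems; an empty list means the plan meets the guide's rules."""
    problems = []
    minutes = [i.minute for i in injects]
    if minutes != sorted(minutes):
        problems.append("injects are not in delivery order")
    if len(set(minutes)) != len(minutes):
        problems.append("two injects share the same delivery time")
    covered = {i.target_role for i in injects}
    for role in sorted(REQUIRED_ROLES - covered):
        problems.append(f"no inject targets {role}")
    if all(i.has_playbook for i in injects):
        problems.append("every inject has a playbook; add one the group has no plan for")
    return problems


# Constructed sample plan for a ransomware-with-backup-failure scenario.
SAMPLE_PLAN = [
    Inject(0, "CISO", "EDR alerts: active encryption on file servers", True),
    Inject(15, "CIO", "Restore test fails: offsite backups are also encrypted", True),
    Inject(30, "CFO", "Ransom note with 48-hour deadline; insurer wants a decision", True),
    Inject(45, "General Counsel", "Customer PII appears on a leak site", True),
    Inject(60, "Head of Comms", "Journalist emails asking for comment", True),
    Inject(75, "CEO", "Attacker offers a partial deal with no proof of a working decryptor", False),
]
```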
Step 3: Cast the Room Correctly
The participants matter as much as the scenario. A good C-Suite tabletop includes:
- CEO (as the decision authority on irreversible actions)
- CFO (money and insurance)
- General Counsel (privilege, notifications, litigation)
- CISO (technical lead)
- CIO (operational impact)
- Head of Comms (internal, customer, media)
- CHRO (if employees are affected)
- An observer from the board, if possible
Two rules: no substitutes, and no laptops. Substitutes do not reflect the real decision authority. Laptops create side-work that destroys the pace of the exercise.
Step 4: Facilitate for Pressure, Not Completion
The facilitator's job is not to "cover" the scenario. It is to surface the decision points and to keep the pressure on. Techniques that work:
- Hard time boxes. "You have five minutes to decide whether to pay." Ignore requests for more time.
- Incomplete information. Do not answer every question. Say "the investigation has not confirmed that yet" often.
- Media inject. A fake tweet, a journalist email, a reporter calling. Nothing accelerates decision-making like a deadline someone else is setting for you.
- Regulator inject. An email from a Data Protection Authority asking for a status update. Or a letter from the SEC.
- Competing priorities. Introduce a business-critical decision unrelated to the incident. Who attends to what?
Step 5: Capture Findings Immediately
The worst tabletop outcome is the one where everyone learns a lot, nothing gets written down, and six months later the same gaps are still open. The facilitator must:
- Have a scribe capturing every decision in real time (the same discipline as an actual incident)
- Run a hot wash immediately after — what went well, what went poorly, what surprised you
- Deliver a written after-action report within 10 business days — see our AAR template
- Convert every finding into a gap with a severity, an owner, and a due date
Step 6: Close the Loop
Findings without accountability become a wish list. Every tabletop finding should land in a gap register that is reviewed at the next CISO staff meeting, the next board meeting, and the next tabletop. If the same gap appears in two consecutive exercises, it stops being a gap and starts being a pattern — and patterns are what plaintiffs and regulators find interesting.
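A minimal gap register that applies the two rules from Steps 5 and 6 (every finding has a severity, owner and due date; a gap raised in two consecutive exercises is a pattern), added as an example and not part of the original guide. The exercise dates, gap names and owners are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    exercise_date: date   # date of the tabletop that produced the finding
    gap: str              # normalized gap name so the same gap matches across exercises
    severity: str         # "high", "medium" or "low"
    owner: str
    due: date
    closed: bool = False


def recurring_gaps(findings):
    """Gaps raised in two consecutive exercises: per this guide, a pattern, not a gap."""
    by_exercise = {}
    for f in findings:
        by_exercise.setdefault(f.exercise_date, set()).add(f.gap)
    dates = sorted(by_exercise)
    patterns = set()
    for earlier, later in zip(dates, dates[1:]):
        patterns |= by_exercise[earlier] & by_exercise[later]
    return sorted(patterns)


def overdue(findings, today):
    """Open findings past their due date, highest severity first, for the next CISO staff meeting."""
    rank = {"high": 0, "medium": 1, "low": 2}
    late = [f for f in findings if not f.closed and f.due < today]
    return sorted(late, key=lambda f: (rank[f.severity], f.due))


# Constructed register covering two exercises six months apart.
REGISTER = [
    Finding(date(2024, 3, 12), "no signed-off ransom payment authority", "high", "CFO", date(2024, 5, 1)),
    Finding(date(2024, 3, 12), "backup restore never tested", "high", "CIO", date(2024, 6, 1), closed=True),
    Finding(date(2024, 3, 12), "no holding statement for media", "medium", "Head of Comms", date(2024, 4, 15), closed=True),
    Finding(date(2024, 9, 10), "no signed-off ransom payment authority", "high", "CFO", date(2024, 11, 1)),
    Finding(date(2024, 9, 10), "vendor breach notification clause missing", "medium", "General Counsel", date(2024, 12, 1)),
]
```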
What to Avoid
- The training session disguised as an exercise. If you are explaining the plan during the exercise, you are training. Do that separately.
- The punitive tabletop. Exercises are for learning, not for catching people. If participants think their performance will be used against them, they will not engage.
- The theatrical tabletop. Elaborate props and production value do not improve the exercise. Good injects do.
- The "we passed" narrative. There is no passing. There is only what you learned.
How Often?
At minimum, annually for the full executive team. Quarterly for the core IR team. Semi-annually for specialized scenarios (ransomware, OT, third-party breach). More if you are in a regulated industry or have had a real incident within the last year. SEC registrants should be exercising their Item 1.05 materiality workflow specifically — see SEC 96-Hour Notification.
Run your next tabletop inside IR-OS
IR-OS ships with 12+ battle-tested scenarios, timed injects, and automatic after-action reports — based on the 150+ exercises behind this guide.