This week was my first visit to New York City. It was my first visit to New York. I stayed near Times Square and I was able to walk everywhere! Why was I in NYC? A tabletop testing exercise engagement.

I flew in on Tuesday afternoon. GRR-ATL-JFK. If I get the opportunity to go again I’d definitely look at a direct flight into LaGuardia Airport. A total travel time of 7 hours each way makes for a very long day.

I finally got to my hotel around 7:45PM. After unpacking (always unpack your bag) and getting some work done I walked around to find a nearby restaurant. By the way there is so much going on in NYC at all times. The people. The sound. The smells. The number of tiny places to eat/drink… it feels like you could live a lifetime in Manhattan and never eat at the same place twice if you wanted. I ended up at a nice public house - The Joyce - just my kind of place. After that it was early to bed - I had a long day and Wednesday would be equally as long.

Wednesday was the true purpose of my visit to NYC: A tabletop testing exercise (“TTE”) engagement. What exactly is a TTE? It is a group-based discussion with two or more employees of an organization reacting to a written security incident scenario. A scenario could be “A burglar has broken in and is pointing a gun at you” or “A malicious actor has infected your network with ransomware.” The scenarios should be tailored to the organization so that they test the organization’s incident response plan (“IRP”). A TTE has no right or wrong answer - the value is in doing the exercise, not in getting it right.

I have a routine that I follow when I facilitate a TTE. I like to write two or more scenarios that will be confronted by the group, preferably very different scenarios. I’ll begin the session by introducing myself, my company, and what a TTE is. I also like to begin with an encouraging statement: “You will be confronted with several scenarios that will require you to follow your organization’s incident response plan. This will be both an easy and difficult task. There is no wrong answer today. You will not be given a grade today. The goal and objective is to simply participate in good faith. Thank you for being here and let’s try and have some fun.”

For this engagement the organization in question had recently written their IRP and they wanted to take the next step. I had the pleasure of having an active partner in the organization who helped identify workable scenarios and organize the overall day. We had two distinct sessions with 6-8 participants. Each session began with the same scenario and finished with a unique scenario. I was very pleased with the participation of all the employees. It became obvious that some people studied the plan and others didn’t even know there was a plan.

What comes out of a TTE? By that I mean if you hired a consultant to do this what should you expect next? Simple - the facilitator should be taking notes throughout the day. Those notes become an integral part of the final report and recommendations. You should expect that, within days, a short report is issued by the firm you hired. The report should have an executive summary, a list of recommendations, an overview of the day/sessions/scenarios, and then a copy of all the notes that were taken throughout the day (for transparency).

After getting back to my hotel I decided to enjoy the evening. It was a warmer fall day which made walking a breeze. I stopped at The High Line for some sightseeing before dinner. For dinner I walked to COTE at my client’s recommendation. COTE is a destination for Korean BBQ and Wagyu beef. I found that it was packed and there would be no chance to get a table for the evening. The bar was also standing only. So I stood at the bar and ate the best ribeye I’ve ever had. It was a perfectly cooked medium rare and served with rice and pickled vegetables. The bartender(s) hooked me up with a free appetizer and dessert since it was my first time in NYC. It was a phenomenal experience and one that I would recommend highly.

After dinner I just enjoyed the walk back to my hotel. I had an early Thursday commute to JFK before beginning the trip home.

If you work in risk or security at an organization and the idea of a TTE sounds good to you then reach out. I’d be happy to help.

-Richard