
Crisis readiness: the strategic role of tabletop exercises

In the face of a cyberattack, the difference between a minor disruption and a catastrophe lies not only in the technology deployed, but in the ability of people to respond and make decisions under pressure. And in an environment where threats are increasingly sophisticated, fast-moving and difficult to anticipate, organisations can no longer afford to improvise when a crisis occurs.

In this context, Tabletop Exercises (TTX), or crisis simulations, have become a key tool for training both executive and technical teams, aligning decision-making criteria and turning uncertainty into structured responses. Far from being a purely theoretical exercise, these simulations bring the potential chaos of a cyberattack into a controlled environment, where every decision matters and every mistake becomes a learning opportunity.

The regulatory framework: from recommendation to obligation

By 2026, with the NIS2 transposition deadline (October 2024) and the application date of DORA (January 2025) already behind them, organisations within the scope of these instruments can no longer treat cybersecurity as a voluntary good practice: it is a legal obligation. In this landscape, simulation exercises such as tabletop sessions have become a cornerstone for compliance with international standards and European regulation.

For instance, the NIS2 Directive does not stop at requiring essential and important entities to implement risk-management measures: it requires policies to assess the effectiveness of those measures, makes management bodies responsible for approving and overseeing them, and obliges management to undergo cybersecurity training. In parallel, the DORA Regulation requires financial entities to test their ICT business continuity, response and recovery plans at least yearly and after substantive changes to the systems supporting critical functions, as part of a broader digital operational resilience testing programme, while ISO/IEC 27001 expects business continuity arrangements to be exercised and reviewed so that they remain effective against evolving threats.

Within this regulatory framework, a documented tabletop exercise, together with its findings and the action plan that follows, gives auditors and regulators concrete evidence that leadership is actively fulfilling its duty of care, rather than merely holding an untested plan on file.


Benefits and mechanics of simulations

Beyond regulatory compliance, tabletop exercises deliver tangible business value. They help break down silos between teams, force critical decisions (such as shutting down essential services), and safeguard corporate reputation by training communication under high-pressure conditions. Without this type of preparation, human responses to crises tend to be chaotic. However, when teams are exposed to realistic scenarios in a controlled setting, that chaos evolves into structured, aligned and strategic responses.

Tabletop exercises enable teams to train responses to critical scenarios

A typical tabletop exercise begins with a clearly defined initial incident, for example the inability to access certain files accompanied by a ransom note.

From there, a facilitator evolves the scenario progressively through injects: new variables such as media pressure, signs that the backups have also been encrypted, or urgent requests from regulators. A good inject forces a decision the current plan may not cover, such as whether to engage with the extortionists, when to notify the competent authority within the statutory deadline, or whether to take a revenue-generating service offline.

At that point, participants, according to their respective responsibilities, must discuss and decide how to act, testing both existing procedures and their ability to coordinate. A scribe records each decision, who took it and when, so that the response can later be compared against the written plan. The exercise concludes with a detailed analysis, a debrief immediately afterwards and a written after-action report, that identifies weaknesses, inconsistencies or gaps in current plans and translates them into a concrete improvement plan with owners and deadlines.

Preparations and common questions

Before conducting a first simulation, it is essential to carry out preliminary preparations, as many organisations discover that key aspects are not yet fully defined. Issues such as identifying critical assets, ensuring the existence of an escalation protocol that reaches the executive committee, or clarifying which external providers must be engaged in the event of an incident are fundamental.

Other equally critical, yet often underestimated, elements include the availability of alternative communication channels if corporate email fails, and the designation of an official spokesperson capable of managing public exposure. Both should be verified before the exercise rather than discovered during it: contact lists and playbooks that exist only on the corporate network are unavailable in precisely the scenario that needs them.

These considerations are closely linked to some of the most common questions:

  • How long does a tabletop exercise last? Typically between 2 and 4 hours for an executive-level session, focusing on a handful of key decision points rather than on technical detail.
  • What happens if mistakes occur during the exercise? That is precisely the objective: to surface weaknesses in a controlled environment, where a wrong decision has no operational impact and becomes an action item instead of a headline.
  • How often should they be conducted? At least once a year, and additionally whenever there are significant changes in the organisation's structure, systems or regulatory environment, or after a real incident has exposed gaps the plan did not cover.

Izertis’ differentiating value

At Izertis, we go beyond designing scenarios—we create high-impact learning experiences for executive committees. Our approach stands on three fundamental pillars: the development of hyper-realistic scenarios tailored to each sector and organisation; a multidisciplinary team combining technical, business and legal expertise; and a strong results-oriented focus, translated into concrete action plans that enhance incident response capabilities.

Because a plan that is never tested remains merely a statement of intent, Izertis supports organisations in ensuring that, when the time comes, their teams act with judgement, coordination and confidence.
