Three tips for Successful Tabletops

May 26 2025, 10:50 - 11:20 (AWST)

In a dynamic cyber security landscape, developing and delivering a series of tabletops provides the perfect opportunity for operations, communications, and other stakeholders to rehearse their responses, identify gaps, and highlight the importance of cyber security to executives to drive further funding and support. As part of The University of Queensland’s (UQ) Cyber Security team, I have been running two kinds of tabletops at UQ since 2022:

- Technical tabletops: with an audience of our internal security operations team and key IT stakeholders, these tabletops identify areas for improvement, provide opportunities to play through scenarios and build internal team confidence in incident response processes, and strengthen relationships and cyber security awareness with wider IT teams; and
- Executive tabletops: with an audience of senior executives, these tabletops uplift awareness of pertinent issues and highlight the need for funding. This has also encompassed collaborations with the Australian Cyber Security Centre (ACSC).

To help THETA attendees and their organisations navigate the ‘winds of change’ through maturing ethics and governance, I will share my ‘cheat sheet’ for a successful tabletops program. This will include:

- Describing the two kinds of tabletops delivered – their target audiences, aims, and benefits, 
- Describing the development process – who is involved, what is done, and the processes we follow to develop the scenarios,
- Outlining how they are delivered – how I facilitate and execute the tabletops, and the artifacts developed (documents provided to participants prior to the exercise, content for the exercise, and post-exercise reporting), 
- Describing my three key lessons learned during the delivery of the exercises, and 
- Summarising benefits – the tangible outcomes that have resulted from these exercises.