TL;DR
Tabletops done well are rehearsals for high-pressure decisions. Done poorly, they become a waste of time, money, and goodwill.
Andrew Morgan (Head of Information Security and Risk at Defence Health Ltd) and Dan Haagman (CEO of Chaleit) reflect on why so many tabletop exercises fail to deliver real preparedness. They argue that when tabletop sessions are treated as annual compliance rituals, organisations miss the point entirely and leave themselves exposed when real incidents strike.
Through real examples and sharp insights, Andrew and Dan call for a shift in mindset: from treating tabletop exercises as tick-box tasks to seeing them as tools to build familiarity, test team cohesion, and practise decision-making under pressure.
Context: Why this matters now
The pressure on organisations to demonstrate cyber security readiness has never been greater.
Security professionals are being held personally accountable. Regulators like ASIC are putting cyber risk on the same level as financial risk. And customers, partners, and shareholders are asking tougher questions about how organisations will respond when, not if, a cyber incident occurs.
Tabletop exercises have become a widely used tool in preparing for such scenarios. They offer a safe way to explore what might happen during a crisis, test how teams respond, and uncover weaknesses before attackers do. Yet despite their growing popularity, many of these exercises are little more than rehearsed scripts delivered with little urgency or engagement.
A survey by Osterman Research found that most organisations conduct tabletop exercises infrequently, with over a third spacing them a year or two apart. These sessions are largely ineffective, as 65% involve merely reviewing PowerPoint slides, a method nearly 20 times more common than practising actual simulations. Furthermore, 64% of organisations run three or fewer scenarios during these limited exercises.
Andrew puts it plainly:
“The value of a tabletop is seeing whether the people and processes you’ve put in place can actually guide you through a crisis. But where it’s not valuable is when it’s just done to tick a box.”
“Compliance exists because, in the absence of it, some things don’t get done. But if we’re only doing resilience work because we have to, not because it’s helping the organisation, then we’re missing the point,” Dan explains.
In other words, being able to say “we’ve done our annual tabletop” isn’t the same as being prepared.
Let’s see why these problems persist and what organisations can do to become truly secure.
Challenges in current tabletop practices
Challenge #1. Missing the mark
Many tabletop exercises are designed to meet the bare minimum requirements set out by internal policies or regulatory guidance. They involve generic crisis scenarios, limited engagement from participants, and result in reports that quickly get shelved.
Andrew describes this kind of exercise bluntly as a waste of time and money.
He recalls examples where organisations sourced crisis plans from Google, ran exercises on systems they didn’t use, and relied on consultants with no familiarity with the business.
“You end up doing something for $5,000 that ticks a box. But it doesn't test anything real.”
Challenge #2. Lack of engagement and participation
Senior leaders are often nominally included in tabletop exercises but fail to engage meaningfully. Attendance drops in the lead-up to the session. Meeting times get shortened. Preparation gets ignored. And by the time the session takes place, many participants are simply showing up, mentally and physically unprepared.
Dan has experienced this phenomenon first-hand:
“You start getting the ‘I can’t make it’ emails. Then the session gets cut short. Then, on the day, people show up without having read the prep material. It’s a slow attrition of intent.”
“You can derail a tabletop just by having one or two people suck the energy out of the room,” Andrew adds.
This disengagement sends a message across the organisation: resilience isn’t a priority.
Challenge #3. Misaligned expectations
A common misconception is that tabletops build operational muscle memory in the way that military or aviation training does. But as Andrew explains, the format and frequency of most tabletops simply don't allow for that level of conditioning.
“We’re not building muscle memory. We’re building familiarity. And I’d rather people be familiar than totally unprepared when something hits.”
Dan takes this further, questioning whether organisations are setting themselves up for disappointment: “Are we being fools to ourselves, aiming for mastery when all we really need is proficiency?”
This gap in expectations often leads to disillusionment with the process, and in some cases, abandonment of it altogether.
Challenge #4. Crisis role misassignment
Another widespread issue is assuming that those with the highest titles are the best equipped to lead during a crisis. But as Andrew points out, being the CEO doesn’t automatically make you the best crisis coordinator.
“You’ve got to be honest about who’s best equipped — not just who has the biggest office.”
He draws a parallel with his background in policing: “At a crime scene, I don’t want the neighbours wandering in. I want the people who know what they’re doing.”
“Maybe you want to be the first trumpet in the orchestra. But in a crisis, we might need you on the kettle drums instead. It’s about what serves the performance, not your ego,” Dan adds.
Without clear criteria for who leads, confusion and delays are almost inevitable.
Solutions: Making tabletop exercises work
Solution #1. Purpose, not paperwork
Tabletop exercises need to serve a defined business purpose. That starts with setting clear objectives: what are we trying to learn, uncover, or improve? Then comes designing scenarios that reflect real business risks and organisational context.
Andrew highlights one example where his team ran tabletop exercises for a professional services client, specifically designed for senior executives.
“They had crisis plans, cyber incident response frameworks, and business continuity documents. But nobody used them during the exercise. We were thirty minutes in before someone even mentioned the plan.”
This became the key finding: people didn’t know how to use the documents they’d invested in.
The solution is to “put heart and energy into the design and make it outcome-driven,” Dan explains. Then, it stops being a waste and starts becoming a rehearsal for something that might actually happen.

Solution #2. Simulations, not meetings
Drawing inspiration from aviation and military training, Dan and Andrew advocate for running tabletops like professional simulations, not another Zoom meeting.
Dan shares an example from aviation, where being in a simulator and preparing for a certification isn’t just reading a checklist. People run scenarios, under pressure, with full engagement.
Andrew builds on that with a musical metaphor:
“It’s not like doing another 45 minutes of piano practice. It’s about saying, I’ve done the practice, I know how to play, now I’m going to perform. This is the final run-through before stepping onto the concert stage.”
Meaningful learning happens when people are fully engaged, not when they’re simply going through the motions. Tabletop exercises should demand focus, simulate pressure, and give teams the opportunity to apply their knowledge dynamically, not mechanically.

Solution #3. Proficiency, not perfection
Organisations should recognise what tabletop exercises can and can’t achieve. Mastery requires frequent, structured, and high-pressure practice. Most businesses don’t have the resources or time for that. But they can build familiarity and develop confidence in roles, responsibilities, and response processes.
“This isn’t about becoming an SAS team. It’s about knowing what to do better than someone who’s never seen a crisis before,” Andrew clarifies.
“Let’s stop pretending we’re building muscle memory. We’re not. But proficiency and clarity? That we can achieve,” Dan adds.
Findings from decision-making science support this perspective. As Nobel laureate Daniel Kahneman describes in Thinking, Fast and Slow, decision-making under stress is heavily influenced by cognitive load: essentially, the extent to which mental resources are consumed by unfamiliarity, pressure, and ambiguity.
Kahneman’s research and subsequent studies show that reducing cognitive load by clarifying roles, simplifying processes, and building familiarity improves decision quality and response time.
Tabletop exercises ensure that leaders and teams aren’t making decisions for the first time during a real incident. They smooth out ambiguity, reinforce key actions, and prepare participants to make better-informed, less error-prone choices when the pressure is on.

Solution #4. Capability, not titles
Organisations must evaluate who’s actually best suited to lead in a crisis, not just who’s highest on the organisational chart.
“One of the best people I ever hired into vulnerability management was a pilot. He’d been made redundant, retrained in cyber security, and brought discipline, structure, and thinking under pressure. That’s what you need in a crisis,” Andrew shares.
Dan notes that mature organisations begin to understand this over time. “It becomes an asynchronous process. The initial response doesn’t have to come from the top. It comes from the people embedded in the business, who know the system and can act fast.”
Tabletops should be used to test different team structures, decision paths, and escalation processes, building clarity before the crisis hits.
Organisations that establish cross-functional crisis teams experience measurable improvements in response time and business continuity. These results are supported by both the authors’ practical experience and international standards like ISO 22361, which advocate for the integration of diverse expertise and clear team structures for effective crisis management.

Six key takeaways
Tabletop exercises can be powerful tools for strengthening an organisation’s response capability. Here are six takeaways from Andrew and Dan that offer a practical way forward:
Intent creates effectiveness. A tabletop without purpose is a wasted opportunity. Know what you want to learn or test and design accordingly.
Engagement isn’t optional. Executive disengagement weakens the signal across the organisation. If it matters, it must be prioritised.
Aim for familiarity, not fantasy. Tabletops can’t turn your team into elite responders overnight, but they can build confidence and clarity.
Simulate stress to build readiness. Real crises come with confusion, conflict, and time pressure. Tabletop exercises should reflect that.
Equip the right players. Assign crisis roles based on capability, not hierarchy. Practise with the team you’ll rely on when it matters most.
Resilience is a team sport. As Dan puts it, “The tabletop is the ensemble. It’s the orchestra.” Getting the performance right means practising together with purpose.

Treating tabletop exercises as rehearsals rather than requirements creates space for real learning and better decisions.
If your organisation is ready to move beyond checkbox exercises and build real capability, get in touch with Chaleit. We help teams design and run high-impact tabletop exercises that surface blind spots and leave leaders better prepared.
About the authors
Andrew Morgan
Andrew has had an unusual path into Security leadership.
Starting his career in law enforcement and specialising in transnational organised crime, Andrew transitioned out of policing and has worked across a variety of industries, including ASIC as a corporate regulator and two of Australia’s largest banks, before spending over a decade in different consulting roles. He began in financial crime consultancy, and his career path then shifted from financial crime into computer forensics and incident response.
He made the full transition into Security roles while heading up the cyber security operations centre at nbn before moving into CISO roles at La Trobe University and later at Defence Health.
His philosophical approach to all things security is built around culture as well as a deep understanding of risk as it applies to the things that matter in the organisation that he is trying to protect.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Andrew Morgan. Dan Haagman's views also reflect the official stance of Chaleit, while Andrew Morgan's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.