CISO handbook: Getting an executive buy-in to conduct cyber crisis simulations.
- ORNA
Tabletop exercises (also known as Cyber Crisis Simulations, or TTX for short) are probably one of the most dreaded cybersecurity activities among executive teams. Yet most CISOs and security professionals responsible for them need executive and board approval in order to conduct these exercises regularly, remain compliant with regulatory frameworks, and keep the cyber incident response program effective. The benefits of conducting such exercises are significant: the team can practice incident response playbooks, become familiar with the required steps ahead of time so that they do not lose precious minutes in a real crisis, and identify gaps in preparedness that can then be addressed to lower the risk and impact of a potential breach.
Many executives and board members, however, shy away from these exercises, offering endless reasons why they do not need to participate or choosing to prioritize other matters. As a result, the idea of a cyber crisis simulation often remains stuck on the back burner.
In this article, we will explore the most common reasons and excuses executives provide and help CISOs address each of them directly, while building a strong business case for conducting these simulations.
Who needs to conduct tabletop exercises?
Tabletop exercises are an essential part of a comprehensive cybersecurity program for any organization. Whether you operate in a regulated industry such as finance or healthcare, handle sensitive or proprietary information, run an established enterprise, procure or renew cyber insurance, or manage a small business without specific regulatory requirements, these exercises are a critical part of keeping your organization secure.
Below are examples of specific requirements that mandate organizations to conduct cyber breach simulations:
If your organization needs to comply with any of the above frameworks, conducting regular tabletop exercises is not optional but a formal requirement.
Objections and excuses from your board and executive team
Sometimes, despite regulatory obligations, executives and even board members remain reluctant to approve or participate in these exercises. This is often a point of frustration for security leaders who struggle to demonstrate the necessity and benefits. For anyone in that situation, here are the most common objections and practical ways to address them.
“We’re way too busy.”
Executives often use this excuse to avoid activities they view as long, tedious, and time-consuming. Their calendars are already overbooked, and they believe a TTX will consume an entire day that no one is eager to spend.
How to overcome: Position the exercise as short, focused, and business-critical, not an all-day technical drill. Tie the TTX to something the exec team already cares about — upcoming audit, new regulation, board review, merger, major customer deal.
What to say: “We’ve redesigned this so your total time investment is just 90 minutes. We’ll focus only on the critical decision points you’d have to make in a real incident — no technical deep-dives.”
or
“The auditor will ask how we test our incident response plan. This session gives us proof. Without it, we’ll have a gap to explain.”
How ORNA can help: ORNA's cyber crisis simulations allow you to customize the exercises by selecting the exact team members that will be participating. This allows you to be flexible with your timing and practice with the execs at a time convenient for them.
“Cyber is an IT problem, not a business problem.”
This is one of the most common misconceptions. Many executives believe that in the event of a cyber breach, almost all of the work will be handled by IT. They expect to receive a report once it is over, assuming little to no direct involvement is needed from them.
How to overcome: Show that most executive responsibilities in a breach are non-technical, such as legal holds, regulator notifications, investor statements, and media briefings. Remind them that regulators, insurers, and shareholders hold boards accountable for cyber resilience.
What to say: “In the first 24 hours of a breach, the biggest tasks aren’t about servers, they’re about law, communications, and business continuity. Those can’t be delegated to IT.”
or
“Your participation isn’t optional in the eyes of regulators and insurers. Tabletop exercises give us defensible evidence that the board is engaged in managing cyber risk.”
How ORNA can help: ORNA's playbooks already incorporate non-technical, executive and business-related tasks targeted at CEOs, CFOs, legal counsels, communication leaders and even HR leaders in certain cases. When a new exercise is created, each team member will immediately receive a list of tasks relevant to their roles, making it evident that their participation is critical and providing a structured way to practice their part.
“I’m already overloaded with compliance – this would just be another checkbox.”
Chances are, your executive is already fighting their own compliance battles that you may not even be aware of. Depending on their role, they might be juggling IFRS/GAAP compliance, ESG/sustainability reporting, import/export controls, OSHA/workplace safety compliance, or many others. So adding yet another lengthy meeting to their plate, with compliance as the stated justification, is unlikely to be an effective strategy.
How to overcome: The key is to acknowledge the burden and then reposition the tabletop as a way to lighten their compliance load, not add to it. Link the exercise to their existing compliance obligations (even if non-technical). Provide pre-work, concise briefings, and prep so execs just need to show up and make decisions.
Example:
CFO → SOX, SEC disclosure rules (evidence of incident preparedness)
COO → ISO 9001, operational risk management
General Counsel → GDPR, CCPA breach response obligations
What to say: “This one session can give you documented evidence you can reuse for SOC 2, BCP/DR testing, and our regulator’s incident-response requirement without having to run separate drills for each.”
or
“You won’t need to prepare anything: my team will build the scenario, handle logistics, and give you a short executive brief in advance.”
How ORNA can help: ORNA takes care of the prep work for you. Once you create a simulation and define its parameters, our in-platform AI Assistant (Theia) will create scenario injects for you, relevant to your specific organization size, industry, the type of data you handle, your specific infrastructure components, the difficulty you selected and the scenario you are practicing.
“There’s no budget / ROI isn’t clear.”
Executives have a fiduciary duty to balance the budget and ensure resources are allocated where they bring the most value. Without a clear ROI, TTX can appear to be an unnecessary expense.
How to overcome: Put a dollar figure on the potential impact of poor crisis response, and show how a TTX is a fraction of that. Remind execs that the biggest incident costs are legal, regulatory, and reputational — areas they own.
Example:
A regional healthcare company's CISO showed that every hour of EHR downtime costs ~$45,000 in lost billings. He framed the $15K vendor-led TTX as “insurance against a $1M mistake.” Executives approved it on the spot.
A retail CISO shared that a peer spent $4M in legal fees after a breach because leaders hadn’t rehearsed their breach notification timeline. A $20K tabletop suddenly looked cheap.
What to say: “A single hour of uncoordinated downtime costs us $X. This exercise costs less than one hour of disruption and prepares us to avoid weeks of it.”
or
“The largest bills after a breach don’t come from IT; they come from lawyers, regulators, and PR firms. A small investment now keeps us from paying millions later.”
How ORNA can help: ORNA allows organizations to create and practice an unlimited number of exercises per year, which drastically reduces the cost per exercise. At the end of each exercise, a report is generated with multiple performance metrics, including an estimated financial breach impact, which makes it easier for executives to understand the potential breach impact and calculate ROI.
“Scenarios are unrealistic – feels like doomsday fiction.”
Executives often dismiss tabletop exercises as “unrealistic” or “doomsday fiction” because the scenarios presented to them in the past felt disconnected from the actual business environment they manage every day. When an exercise is framed around an improbable nation-state attack or a catastrophic “end of the world” data wipeout, leaders perceive it as exaggerated storytelling that doesn’t help them make better real-world decisions.
How to overcome: Use actual events from the same industry, ideally from peer companies. Focus on business disruption, not cyber-Armageddon. Put execs in decision-making moments they’d actually face.
What to say: “This isn’t a made-up crisis, it’s modelled on what happened to [competitor/peer] just last quarter.”
or
“We’re not talking end of the world, just what happens if you can’t access critical systems for part of the workday.”
or
“We’ll only ask you to make the calls you’d realistically be on the hook for, not IT commands, but business decisions (e.g., whether to shut down POS terminals).”
How ORNA can help: Each exercise within the ORNA platform has a difficulty configuration, so the user can control how difficult the scenarios will be, ranging from Novice (first-timers, high-level decisions) to Veteran (experienced teams, APT-level scenarios) difficulty. Each scenario is dynamically generated to fit the organization's specific environment, considering its industry, size, playbook type, and many other factors, making each exercise relevant.
“Can’t you just send me the report?”
Executives sometimes use this objection because they are conditioned to consume information in a report or dashboard form. They see themselves as reviewers and decision ratifiers, not participants in operational drills. To them, a written summary feels like it should be enough to demonstrate compliance and oversight. In many cases, they may also fear being put on the spot in a live scenario, where their knowledge gaps could be exposed in front of peers.
How to overcome: Show that crisis management is about real-time choices, not static documents. Use relatable analogies. Demonstrate that exercises uncover practical problems that reports miss.
What to say: “The report will tell you what we think might happen. The exercise shows how you and the team actually react in the moment; that’s what regulators and customers care about.”
or
“Reading the fire evacuation plan is not the same as running a fire drill. The report tells you the route, but the drill shows you if everyone can actually get out.”
How ORNA can help: ORNA exercises are based on playbooks, either your own or those provided by our platform. Each playbook already contains specific tasks for the most relevant executive positions, including CEO/COO roles, HR leadership, communications leadership, legal and more. This makes it easier for the executives to focus on their specific decision-making points and eliminates the guesswork.
Bonus
Below are some real-world examples from past tabletop exercises conducted by or with our team, where executives were not present and the teams consequently could not make the relevant decisions. These examples further demonstrate the importance of executive participation in cyber crisis simulations.
Multiple critical systems were affected by a cyber breach, and the technical team required guidance to know which systems must be prioritized in the recovery efforts. In hospital ransomware cases, execs had to choose whether ER systems, billing, or lab systems got restored first because all couldn’t come up at once.
The team had limited capacity to work on the restoration of systems, and a decision needed to be made whether to hire additional help (e.g., contractors), or continue working on the recovery using only internal resources. If the help needed to be hired, a decision needed to be made about the vendor/source of this help.
A decision on whether or not the organization should pay the ransom could not be made without the participation of the leadership team. Special considerations apply when data has been exfiltrated (stolen) from the systems, as does the decision on whether to allow a third-party negotiator to contact the threat actors.
The team could not determine the exact procedures related to handling communication with the Privacy Commissioner's Office, as well as related legal and regulatory implications, without the participation of the leadership team.
A decision whether or not law enforcement should be contacted could not be made without the participation of the leadership team.
Under GDPR and HIPAA, companies must decide within 72 hours if the breach is notifiable. Several firms have debated internally whether enough evidence exists before pulling the trigger.
In manufacturing ransomware cases, the CFO/COO needed to approve halting factory lines and absorbing lost revenue to avoid equipment damage.
Conclusion
Executive participation in cyber crisis simulations is not about ticking a compliance box or sitting through a technical exercise. It is about preparing leaders to make critical business, legal, financial, and reputational decisions when every minute counts. By addressing common objections head-on and showing how tabletop exercises directly protect the organization, CISOs can secure buy-in and build a stronger, more resilient response capability. If you would like expert help designing and running effective, realistic cyber crisis simulations for your team, reach out to the ORNA team today.
Yours truly,
The ORNA Team