Tabletop training: Bridging the local government cybersecurity skills gap

Just because local government IT departments are underfunded doesn’t mean they can’t prepare for the next cybersecurity breach

It hardly bears repeating at this point that local governments are prime targets for cyber attacks. Underfunded IT departments working with outdated infrastructure and legacy software systems are sitting ducks for hackers who are only getting savvier by the day.

And as GovTech reported back in June, there is a serious cybersecurity skills gap happening in local government IT departments across the country.

This isn’t an indictment of the IT professionals who go into public service; the cybersecurity skills gap is an unpleasant reality for all sectors, both public and private.

But fortunately, says Maria Barsallo Lynch of the Harvard Kennedy School, this is not an insurmountable problem.

“You can gain literacy in this space,” she told a panel at the Route Fifty Cybersecurity Road Show recently. It just takes a culture that prioritizes security and creates ongoing opportunities for skills development.

Tabletop Cybersecurity Simulations

As the Washington State Office of Cybersecurity explains, “a quick and easy way to help prepare your team [for cybersecurity incidents] is to hold short 15 minute tabletop exercises every month.”

These exercises not only allow your team to walk through hypothetical incidents in a low-stress environment, but they also allow them to address the following questions before the next security breach:

  • Does your agency have a Cybersecurity Incident Response Plan?
  • Are there any compliance requirements your team must adhere to? (PCI-DSS, HIPAA, FISMA, IRS or Sarbanes-Oxley)
  • Who should you notify, both internally and externally, in the case of an incident?
  • Do you have a back-up point of contact if the manager who handles cybersecurity is unavailable?
  • What are the resources available to your team to help with the response?
  • Who do you contact if more resources are needed?

Designing an Effective Tabletop Training Session

While IT departments can access sample training scenarios from other organizations -- many of which we’ve included below -- the best way to prepare, according to security firm Red Canary, is to design these exercises yourself. That way you can tailor them to the specific needs of your agency.

But there are, of course, commonalities that the facilitator (or Gamemaster) should keep in mind.

“The best scenarios present enough information and clues that the team is able to drive the story forward,” writes Kyle Rainey on the Red Canary blog. “And don’t feel you must limit your exercise to one topic; some of the most interesting exercises might chain together a number of these topics.”

These exercises should also allow the team to work through the appropriate incident handling stages or attack lifecycle.

Access sample tabletop exercises via the state of Washington’s Office of Cybersecurity.

Review and download six exercises from the Center for Internet Security:

Six Tabletop Exercises FINAL by Ed Praetorian on Scribd

Sarah is based in North Carolina, where she lives with her son and several rambunctious reptiles. Before taking on her current role with Lexipol, she was the staff writer for the tech website DZone and served as an assistant editor with the rural lifestyle publication GRIT Magazine. Get in touch with her at ssinning@lexipol.com.