
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Tabletop Exercises 2.0: How OpsBook Is Changing the Game
What happens when your carefully crafted incident response playbook becomes worthless? Cody Sullivan from OpsBook reveals the brutal truth about tabletop exercises: most organizations are practicing with medieval armor for a drone war. From 70-participant, 6-hour exercises spanning three continents to the harsh reality of insider threats, this conversation exposes the gaps that could leave your organization bleeding when the real attack comes.
Key Topics Covered:
- Why "tribal knowledge" is your organization's biggest security risk
- The insider threat scenario that makes every tabletop exercise go sideways
- How AI is revolutionizing incident response preparation through OpsBook's ontology
- Why your playbooks are useless if hackers have them too
- The "Derek Jeter approach" to cybersecurity preparedness
- From real estate to tech: spotting warning signs before the industry shift
The crew shares fresh insights from a recent school district tabletop that exposed critical single points of failure, while Cody demonstrates how modern organizations are turning decision-making into muscle memory, not just memos. This isn't theory—it's the frontlines of organizational resilience where one overlooked vulnerability could trigger catastrophic failure.
Speaker 1:Welcome to the Audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. We're joined by the usual suspects, Eric Brown, our managing director, and Nick Mellum. How are you guys doing today?
Speaker 2:Doing well, thanks. Excellent, ready to jump in.
Speaker 1:Awesome. Yeah. Well, our guest today is Cody Sullivan from OpsBook. I spent a little time with Cody on some pre-production to talk about the project he's been working on, but we also wanted to have a discussion around tabletop exercises and Eric's experience working with them, and Nick is our social engineering guru. So we'll have a lot to talk about today, but first I wanted to get a little background on you, Cody, and what you've been working on recently.
Speaker 3:Yeah, I'm working on a lot. I mean, I think you probably hear this a thousand times from any founder that's founder-led sales and rocking and rolling with a small team. We're just trying to bring on new customers and build a lot of product value behind it. We've recently launched two new products, which is exciting. One's in beta right now and the other is fully developed. But trying to figure out the messaging and all the fun stuff on the sales and marketing side is always a challenge.
Speaker 1:Cool. Well, one thing I learned about you and then I'll kick it off to Eric and Nick but you had shared with me that you left a successful real estate career because you saw the writing on the wall that tech was going to take over. What warning signs did you spot and what were others missing at that time?
Speaker 3:Yeah, it's actually really funny. This is going to sound like I had a little bit of a crystal ball, but this is humble as much as it is. This is a true story. The first day that I got my real estate license, I got invited to a big global conference where it's one of the rah-rah sessions. Get 20,000, 30,000 agents ready to go. I'm not going to name the brand that I hung my license under, but we went to this big conference and, mind you, I have not sold a house yet. I have knocked on maybe three doors and am just cutting my teeth.
Speaker 3:And I'm sitting here listening to the owner of this real estate brokerage talk about protecting data from Zillow and Redfin and some of the online applications that a lot of consumers back in 2017 were using primarily and still do today. And he's going on this rah-rah chant about how we need to protect our data and it's the agent's data that's important and we're the ones that are spending the money to collect these leads and build these businesses around Zillow applications and everything in between. And then he turns around and he says, so I protected your data by building our own internal application to be able to collect all this resources and information to be able to sell to your clients. And then immediately, to answer the question, it dawned on me in that moment. I looked to the guy next to me, haven't sold a house yet, and I go:
Speaker 3:He's doing the exact same thing that he's telling us we shouldn't be doing. We don't own that application. And that's really when it dawned on me. Even after several years, after being a real estate agent and finding a successful career, I always knew that I wanted to get into technology because I knew that's where the gold was, was in the data and being able to really provide products and solutions at scale. And that was really when the light bulb clicked for me. It took me a few years because the money was good and I enjoyed it, but I got out as fast as I could.
Speaker 1:Well, I'll pass it over to Eric. On that note, Eric, you just completed... Can we talk about the tabletop you just completed?
Speaker 4:Yeah, we did a tabletop for a school district recently and it had some pretty good findings of what the respective teams needed to do to come together in the event of an actual cyber incident, how they would work together and some of the things that maybe weren't really apparent, where you had some single points within the communication chain.
Speaker 4:You know, maybe they weren't really realized until it's like, wow, this person is doing all of these things. In the event of a real world scenario where you're going to be on multiple bridges, your phone's going to be banging off the hook, you're going to be getting text messages, people are going to be showing up in your queue, the planning goes out the window when the shots get fired right or some derivative therein. But the tabletop really brings that to light and it does allow organizations to drill and train and then if there's an area where they need to get a little bit more focused or specific, they can, and then they can go work on plans. They can bring in people if they need to, to really iron out some of those areas that may fall down in the event of a real-life scenario and hopefully they never have a real-life scenario, but I'm sure as you've delivered these, you see that aha moment and it's kind of fun to be there with an organization as they're going through that experience.
Speaker 3:Yeah, I mean, I couldn't agree more. We've never... whether it's a practitioner that uses our product to facilitate these as a third party vCISO or MSP, or whether it's a direct organization that is using our solution to scale or augment, you know, their current tabletop program, we've never heard anybody, to your point, walk out of one of these engagements and go, wow, that sucked and I didn't find any value out of it, right? But I think you really nailed it and you know.
Speaker 3:I think you might have said that Nick had a comment about this, but you know, a plan is only as good as you can implement it. And you know what we really pride ourselves in is because most of these organizations, whether it's a school or a manufacturing firm or even a technology company, most aren't even testing these plans. They have a plan in place but they're not actually testing them. And if they are, it's so rare that our job is to come in and break these plans, like, at the end of the day, we want to break them so they can rebuild them and bring it back stronger.
Speaker 2:The culture that we've been seeing with a lot of our clients is they maybe know what a tabletop exercise is but they've never participated, and they might have a lot of branches underneath their organization that would funnel in or have, you know, to do work if something happened, real life happened. And I think the quote that Eric was talking about is something I've said many times: when I was in the military I had a leader tell me, the more we sweat in peace, the less we bleed in war. So this is directly... you know, I mean, different situations, right, but if we plug that into a tabletop exercise, we can show people how important it is. You know, maybe something's going to be pretty clunky, no matter what, right? You're going to be in some scramble effect, no matter what, if it's real life. But we can take the stress out of it here, slow it down, have that teaching moment so we can better prepare them when they're actually in, you know, lack of better term, conflict.
Speaker 1:Yeah that's exactly right.
Speaker 3:You definitely want to exercise and practice these engagements before you get into them. You sound like a baseball fan. You know it'd be like me playing college baseball and never taking batting practice up until game day.
Speaker 2:You know, it's just no way you're making contact.
Speaker 3:Yeah, it seems odd in that context, but that's how a lot of organizations are running. You know, they've got these plans on paper and, you know, to your point, when the proverbial stuff hits the fan, you know, they're bleeding, oftentimes because they've never actually taken a swing, or the best they can do right now is they've got a call tree, right? People, they're going to start calling, but nobody has action items.
Speaker 2:Who's doing what, right? We should be on the same sheet of music before something even happens. You're nailing it.
Speaker 1:It sounds like by Eric's description. It kind of gets into that high school project zone where there's one person kind of doing most of the work and everyone else is kind of waiting for a cue. What was the aha moment for you, Cody, that made you realize this was an issue that you know you could help identify and maybe help people solve?
Speaker 3:At my co-founder and I's previous firm, we were working with audit and regulatory compliance software, so we were seeing a lot of SOC 2 prep, a lot of CMMC and FedRAMP, and as we started to discover more conversations with enterprise and mid-enterprise organizations, predominantly CISOs and the vCISOs that were supporting those efforts, we were having a lot of discussion around how do I actually know that my organization and the people that are in charge of these playbooks, and, mind you, these are enterprise organizations that are repetitiously testing these tabletops, they do know what they are. They are running these on a reoccurring basis, as much as they can.
Speaker 3:But they started to ask the question how do I measure this stuff?
Speaker 3:First and foremost, and that was a big aha moment for us.
Speaker 3:At first we thought we can build some KPIs and some measurable benchmarking for enterprise CISOs and vCISOs to be able to say, rather than just going through a communication exercise in a tabletop, how do I measure the projected outcomes that this might impact and what are the actions that one might take place?
Speaker 3:And to answer your question specifically, our experience in audit and regulatory compliance, we had a little bit of a knack for thinking about how controls aligned to audit evidence, evidence preparation. We looked at the same relationship between the actions that an individual third party, supplier or a system might take within an organization in the same breath is in the event of an incident, as a control aligns to an audit for preparation, we want the actions to align to the coverage for an organization in the event of an incident. And that was our aha moment and, you know, a few discussions with some really well-respected CISOs and information security leaders at various organizations in technology and outside. We just said, you know, this is a problem that we can bring automation to and really streamline for these guys, that they've never had before, and it's just been gangbusters. It's been fun.
Speaker 4:Cody, what are you doing with AI in your platform? Are you using it at all? Have you brought it in for role-playing scenarios or kind of? Where are you on that journey?
Speaker 3:Yeah, um, this is a great opportunity to maybe give a little sneak peek on our newest product that we're calling Pulse right now. Um, to answer your question, we've always had generative AI as an element to generate some of the textual script and story lines that typically come with the creation and facilitation of these exercises. That's been the bread and butter with our legacy products since the beginning. I think that one would find that the common individual that's organizing tabletop exercises, designing and facilitating these, the common pain point that they're having, is that creativity. On the front end, I can go online to an ISACA template, buy a ransomware scenario and then swap out the name of the company and call it a day.
Speaker 3:Or I can use generative AI through a solution like OpsBook, which, as far as we're aware of, is the only solution that's doing this throughout the totality, where I can have a subjective scenario that's created in minutes that is entirely relevant to the context of my organization. So we've definitely used generative AI throughout all of it, but we've also built an ontology on top of that to make it super, super, exercise resilience focused. We want to be able to create an ontology on top of that generative AI to say, hey, if you are a manufacturing firm, a supply chain distribution facility, if you're an energy company that needs to supply energy to individuals and consumers, how can we create generative AI driven tabletop exercises but have an ontology that makes it primarily focused for our specific industry needs and our specific metrics that we need to measure, to execute that coverage that we need to execute? So, to answer your question, generative AI is entirely throughout the totality of the product.
Speaker 1:I like that vocab word, ontology. I had to look that up really quick. That's a good one.
Speaker 3:Well, I didn't know until 30 seconds ago, just disclaimer.
Speaker 1:I had to look it up so that one hasn't come up in my research, but I was hoping we could get into some stories. I know, Eric, I'll give you a chance to think about it, but I asked this question to Cody. But I'd love to hear you know about some of the actual tabletop exercises you've done and some of the findings maybe that have come out of it. You shared with me that you recently did one with 70 participants and 40 injects. Was it what chaos or clarity emerged from that process, or is there anything that surprised you or might be fun to share?
Speaker 3:Yeah, from that particular engagement. I think the exciting thing for us as an organization was seeing how many people were involved in that. We had three different continents that were included in that and so it was geographically dispersed. So that was exciting for us to see, historically, what's always been a face-to-face interaction or a smaller Zoom engagement. With the technology that we put in place in OpsBook we've actually been able to scale that. So that was just kind of the first aha moment of like wow, this is really applicable for larger engagements. We now give intercontinental organizations accessibility to tabletops like they've never had before, because in a Zoom call you can't collect the information, you can't make it subjective, you can't go through a PowerPoint deck and also see the level of engagement that we've been able to create within the conduction portion of our product. So that was a really exciting moment for us in that particular tabletop.
Speaker 3:But, to be honest with you, this might not be the answer that you want to hear, but we really solve for a lot of the mundane stuff that enterprise organizations, you know, don't want to necessarily have to manually go through. So in an organization like that that's large, they're running so many exercises that are outside of the realm of just cybersecurity. It falls into IT process. It falls into supply chain distribution, you know, pathways. It falls into emergency response plans for a natural disaster or an earthquake. Work with financial institutions that run exercises about, you know, unfortunately, crisis and shooter scenarios, you know. You mentioned, obviously, Eric running one with a school. You know, these are real world scenarios that we just get really excited about the option to take not crazy scenarios, but the scenarios that need to be run, that are actually going to happen in the real world, and bring those to scale.
Speaker 2:Cody, during that big 40 inject tabletop you guys did, how long does that tabletop last?
Speaker 3:Yeah, we chuckle because that particular one was about six hours and I don't know a person in this world that would want to be in a tabletop for six hours. But, uh, we built some cool functionality to where you can break these things up, and so, uh, you know, those 40 injects, to your point, you know, think of those as, uh, kind of a chronological or a sequential timeline in the simulated event. So you're not always testing everyone at once in those long events, so you might have four or five injects that go against one particular department, four or five that go to the next. You can kind of put some people on ice and let them go take a break and do some things. But it went quite smoothly, guided by the product.
Speaker 2:You started answering my next question. I was going to ask if you guys are breaking that up by maybe by department or group of people, letting some, like you said, take a break. But yeah, that's awesome that you guys can do that with the tool.
Speaker 3:Yeah, one of the biggest things that we've found.
Speaker 3:And I don't know how many tabletops you guys have done, but in almost all of them we always find that there tends to be a rabbit hole. Right, there's either somebody that just got hired on as a part of their onboarding, they haven't gone through their training, they're a little bit infant in their role, or somebody super experienced and says I've been here for 20 years, I got all the tribal language down. That's not how we do things here, and in both cases there tends to be this rabbit hole of dialogue. And so, to your point, we created this concept of what we call a branch, which is think of it just like a breakout room in the product, and so we've given points for those discussions to be had, the notes to be logged and then also to be brought back to the guide rails of what the exercise was meant to be. So we've thought of a few little fun things like that in the product.
Speaker 2:I just picked up on one thing you said. You said tribal knowledge. That is something we, I think, are always going to see, but specifically we were doing not necessarily a tabletop exercise, but we were doing some planning because somebody was going to retire at a client we were working with.
Speaker 2:This is like a year or two ago now and he had been there for it was like 30 years and he was a leader of the IT space there or the IT group, and it was all tribal knowledge. There was virtually no documentation and that was a lot of our conversation. Was you know, catastrophic event? Whatever it is, you know? This is we're getting to that point. Now if he's leaving, what are you guys going to do if he's gone tomorrow? So that planning getting ready for a tabletop exercise for a lot of organizations just can be a good exercise before you even get there, because they're you know. When you're telling them, ok, we're doing a tabletop in a week or two, whatever the timeframe is, they're subconsciously at least getting ready right or they're preparing. So that can be helpful.
Speaker 3:Yeah, you're nailing it. I mean, at the end of the day, that tribal knowledge from that individual that's been there for 30 years, a lot of our customers are using us to replicate that throughout the playbooks that they need to continue after that person retires. So the backend element to OpsBook is not only the creation and facilitation, but a huge value add is what we like to call the after action review reporting template, and one of the parts of that is that this can act as a source of truth or a repository for people that don't know what am I going to do in the event of this scenario of this guy that's been here for 30 years that I've never, you know, I've never done this before. They can refer back to those after action reviews, quickly filter through them and see exactly what he would have done in that instance.
Speaker 2:So this is after the tabletop's been done. Is there a timeframe that they can go back to this information or are they extracting it out of OpsBook and it's a takeaway where they can use this as homework or, you know, every year, every six months, whatever it is, they can go back and review, make sure their house is in order?
Speaker 3:Yeah, it's all the above. To be honest with you, Nick, some of our customers use it as a source of truth to just refer back to for continuous training. Or even just look at the iterations of playbook changes over time. Like, hey, a year ago we found these gaps, we've shored them up. Now we've tested them again. Now let's look at the new playbook. We've had organizations use it for training perspective, where they take an after action review and then they recreate a scenario to use it for training and onboarding to be able to effectively test people in those roles. They can also use it instantaneously after the exercise for audit and regulatory compliance purposes. We come from that background, right. So we have that in mind to say, hey, if you're going to be going for a CMMC or a FedRAMP or even an ISO 27001 that requires these things, how can we push a really, really specific example of this evidentiary item or requirement into a GRC product? And so we've got, we've done that as well.
Speaker 2:Yeah, I think you're getting at. The same thing I've been thinking about is, you know, for doing a tabletop exercise today, we don't want it to just be a two to six hour event. You know this should be an ongoing right. Once you're done here, it shouldn't just be a check in the box hey, we're done, we did our tabletop. Maybe it's for compliance, or maybe it's their cyber insurance says they need to do a tabletop exercise. There could be many different reasons they're doing it, but you know we really want it to be okay. You learned this today. Now let's apply it and keep reviewing to make sure we get that into our tribal knowledge or our standards.
Speaker 3:Yeah, we like to coin a phrase on that. You know, we help teams turn decision-making into muscle, not a memo, and that's what we like to say about the reoccurring idea of tabletops being something that's accessible and reoccurring.
Speaker 1:That's awesome. So not to over-egg the pudding here, but if someone's, you know, looking to maybe work for IT Audit Labs or thinking about, you know, OpsBook or implementing some software like this, I like to kind of give them a high level overview and maybe some information from Eric as a CISO. You know your experience running these things and you know I'm always looking for the juicy stories, right, or for outlying kind of events. But maybe you could shed some light on those types of things or how you prepare or get people to do their homework once the tabletop is concluded.
Speaker 4:Yeah, sure. So I think it's a couple of things on the tabletop side and all of the real world scenarios that I've been involved with and have triaged, either as an incident person responsible for the incident, the actual incident response or, you know, as the CISO. They've never actually married to a tabletop experience, in that the real world scenario is going to be pretty mundane. At least the ones that I've been involved in typically come in over phishing or you get an alert that something doesn't look right and there's activity that is not consistent with usual behavior, and then you go and you find out that yes, you know we've had a breach, we've had an incident in the environment and now we have to recover from that incident. And you know you go into containment and you're going through all of the steps that you would in a tabletop around eradication and the aftermath thereof, recovery, and where it differs in the real world is the amount of distractions and meetings and just follow-up and aftermath that you're pulled into in the course of resolving whatever the issue is. Because if you're working in an organization that's got regulated data, you're trying to figure out well how much data is potentially exposed and all of the different third parties that you're working with to resolve the incident and you can, in a safe space not in the heat of the moment talk about well, okay, yeah, we can absolutely do a recovery. What happens if we recover and the infection is still in place and the threat actors are able to turn that up? That's easy to do and welcomed in a tabletop exercise where you can then go down different derivatives of okay, yep, we're going to restore it. And then, if it's still there, what do we do? Or no, we're not going to restore, we're going to rebuild. You know whatever those scenarios are.
Speaker 4:But in the aftermath, when you have a, say, a billion dollar organization that has live customers that either can't get ahold of somebody or they're banging away on the phones, you have news reporters, you have all of this commotion happening and you have the leadership of the organization saying you need to recover, that we have to be up. There's swearing, there's fists pounding on the table. We got to get that back up. We got to get it back up right now.
Speaker 4:And if you go through that exercise and you drill that over and over again and you have that conversation with those leaders, like, yeah, you're going to be hot under the collar. The board's going to be calling you. You're going to have to make that decision. You're going to have to push back when I tell you, no, we cannot restore. You're going to have to trust me, and here's why. But in the heat of the moment, if I'm telling you, you have to trust me, and here's why you may not hear that unless you've seen all of the steps that the IT organization has already gone through, and why you can trust me when I'm telling you that. So that's why I really love the tabletop exercises, because you can hit pause on any one of the specific scenarios and you can dive in and you can really replicate what that's going to look like in a real environment.
Speaker 3:When we kick things off, we originally identified as an automated tabletop solution for that exact reason, you know, some of the generative AI, you know. Just to iterate and echo what you're saying, we've recently adapted more of an identification of exercise resilience, because the whole point of these tabletop exercises is a proactive and a practiced and a learned behavior leading up to the event. But you know you nailed it. Like, the real world scenario on the response side is what's most important: can we accessibly access that coverage and do we know how to execute it in the event of a real world, uh, incident? And you know I mentioned kind of teasing our newest product.
Speaker 3:You know, that we're calling Pulse, and I mentioned an action catalog, and that's exactly what we're trying to do, Eric. We're trying to associate the actions that one might have practiced in a tabletop exercise and make those readily available in the event of an incident. So if we can categorically take practiced, simulated behaviors, responses, actions, systems, suppliers, and almost build in conjunction with that ontology like a master spreadsheet of approved actions that an organization might take, and I'm talking down to the granular level, grab the wheelbarrow, throw the servers on there and go out in the earthquake. If we can categorically have those things organized, then when it does come time to respond, you don't have to think twice, even though you have practiced it. You've got those readily available at your fingertips and that's what we're really going with our newest product, OpsBook Pulse.
Speaker 4:And I think that tabletop exercise and maybe that's what you're talking about in your new product set where people can simulate those things, where they can go and say, ok, you know, this is what is happening. Here is the scenario. Let's just iterate on. What are all of the things that we're going to face? What are they going to tell us that we can do or you know we can't do? Let's bring in some of those third party, realistic, real world scenarios where we have a serious Microsoft issue.
Speaker 4:We're going to call Microsoft, we're going to open a SEV1. Microsoft's not going to jump on the phone right then and solve our issue, right? It's going to get passed around, it's going to get escalated. They're going to want to know if we have 24-7 support and all of this other nonsense before they even engage with us on this SEV1. So we have to really be thinking of, in the heat of the moment, how is a scenario where we need third party help? Can we even get it? And if we can't, what are some of the things that we could be thinking about doing rather than just waiting and saying oh, we have a SEV1 with Microsoft, you know they're going to come in and solve all of our problems when, in practice, we know that that's far from the case.
Speaker 3:Exactly, and that's really why we're trying to spin tabletops on their head a little bit with our newest product. So imagine having a playbook that's prescribed in place of approved actions that you, as a CISO, allow your organization or third parties on your behalf to execute in the event of an incident. We've got softwares in place for these things that can automatically make decisions and create tickets and execute accordingly. We've got individuals. You know there's organizational roles and responsibilities that fall into that. It's a fairly dynamic process, but if you can categorically have those identified, rather than starting with the tabletop and then moving to approved actions, we're flipping it on its head with the newest product, which is let's start with how you'd actually solve the problem.
Speaker 3:Let's start with the moving truck and throwing the servers in there, and then we can mitigate the gaps after. And by doing that we are now using, with the help of AI built in the product and the ontology that makes it subjective, we are now able to take a scenario and test it hundreds of times with the software in between these engagements. So when you show up to a tabletop exercise that might be testing a business continuity plan annually or an emergency response plan or an incident response plan. Every 90 days you're showing up with the most updated version of that action catalog of solutions that you might take on behalf of your organization and if there are gaps or fine-tuning that you need to do as a mid-enterprise or an enterprise org, you can basically say that to a degree of certainty. We've tested this a hundred simulated times and now we brought it to the finish line on exactly how we want to perform on it. So you are now far more prepared than just running this once every 90 days or once every 12 months.
Speaker 1:I can really relate to that. Growing up in a remote part of Minnesota, the North Shore, kind of had to be thinking on our feet and finding ways to solve problems with what we had, the resources available to us in that moment, because we couldn't just order something on Amazon and I was two hours away from a bigger city. So I think that is kind of translated into my professional life. But also I think that's how we view things at IT Audit Labs too. It's just like an overall culture of getting things done and it sounds like that applies to OpsBook as well and you can kind of bake some of that stuff into the inputs, am I correct?
Speaker 3:That's absolutely right. Yeah, and the beauty of it is that if we're partnering with an IT Audit Labs or a third party consultant or a VC, so we've really designed the system to keep that stuff in mind. So whether it's an organization or a consultant in a smaller organization, it's really coming in to help. You know, those inputs are important for the subject matter experts, but if we can test them at scale, even for smaller organizations, then we're now decreasing response times. You know, we're strengthening team cohesion at smaller organizations with small teams and we're streamlining the relationship for third parties like IT Audit Labs or consultants on the side to effectively come in and say I can now make your smaller organization operate like an enterprise organization with a tool like this in place.
Speaker 1:I know we work a lot with the SLED in that space, SLED space, and I just was curious if Eric had kind of a go-to, like, monkey wrench you might throw into a tabletop exercise to kind of get the people to think on their feet or create a culture of problem solving. And then maybe we could get Cody to even follow that up for how OpsBook might approach something like that. As we talk about macro and micro, is there kind of a go-to monkey wrench you like to throw into a pen test or, sorry, into a tabletop exercise that kind of gets people to think on their feet?
Speaker 4:We like to engage with the person who is sponsoring the exercise and really understand what it is that they want to get out of that exercise. Right, is it more on the technology side? Is it more on the leadership side? Is it more just on the visibility side? So certainly we'll come up with a scenario based on what that person is looking for.
Speaker 4:But the question that we always like to ask, maybe it's the monkey wrench, is who gets to push the button, right? And at the end of the day, when the scenario is going on or the real life scenario is happening and there's something that will be impactful to the business, where you're maybe taking some very critical systems offline to resolve an issue, or you know you have to make that call to do something that is largely impactful, who is the one person that can make that decision? And you know, sometimes we hear it's, well, it's like a group of people, and we really try to drive down, like, who is going to push that button when the time comes? And that's hard for organizations to answer a lot of the time.
Speaker 3:The one that seems to be tested the most is obviously ransomware, but what they don't include in that typically is insider threat. I mean, it's just, it's one of the ones that every time we see an inject in a tabletop exercise thrown in with an insider threat, nobody seems to learn how to respond or know how to respond, and it's almost like there's a cultural offense to. Even in a hypothetical simulated scenario in OpsBook, how could I possibly imagine that John who's in the cubicle next to me could possibly be the reason that we're being attacked right now? That's always a fun one to throw at people. The responses seem to go, you know, just every which way under Sunday, but it also is commonly identified as a gap and a great thing to test, whether it's a ransomware scenario or just an insider threat by itself.
Speaker 3:The second one that's always been fun, and I think this is relatively common knowledge in all of cybersecurity and even physical security, is if you're getting attacked by a threat vector or a hacker, for example, they've had access to your system far longer than yesterday. And when we see curveballs or injects that are thrown in those scenarios around, what happens when you have updated playbooks, but so does the hacker? They have access to your playbooks. How do you respond when your playbooks are now null and void in totality? You cannot use any of them, and so when we throw that inject, I think it dawns on a lot of mature organizations that even are testing these exercises on a reoccurring basis. They go, oh crap, we don't have a plan B for these scenarios. And if we do follow the script of these playbooks or these run books in the event of an incident, he knows my moves minutes, hours before I take it, right? So I think having some contingency plans in place is always a fun one for us to discover in some of these exercises.
Speaker 4:I like that you brought that up, Cody, because it really articulates how organizations should be treating and drilling the playbooks, where it's not really a script, and I think we saw that with some of the more popular TV shows, um, in the late 90s, like I think it was maybe Friends and Seinfeld.
Speaker 4:I think those are the two examples where they weren't necessarily scripted, where the scene was written and the actors were given the general description of the scene, but the actual words that they used were open for the actors to interpret, to convey the message of the scene, versus reading and memorizing verbatim. Here is the exact script. I'm going to say this. This person's going to say that. Because in a real world scenario you can never drill exactly what's going to happen. You mentioned the insider threat. There could be an insider threat piece. There could be a person who is critical to the success chain, is sick or out on vacation or whatever that is. But if the organization is drilling the actual context and not exactly the steps in the playbook, I think they'll be more successful, and it sounds like that's what OpsBook can help them do.
Speaker 3:Yeah, I'll make two quick comments on that. I'm a baseball guy, love the captain. I talked to a guy that's a Bo Sox fan today, but I love Derek Jeter, and I'm not a diehard New York guy but I love the cap, and in his retirement he really said it best for a baseball analogy that I think aligns really well with cybersecurity and some of these resilience plans. As he said, I've simulated every potential play that might present itself to me before the pitch is ever thrown, and I think we really try and take that mentality with the action catalog and our new product to be able to say why should tabletops be a static engagement?
Speaker 3:Why should they not be constantly simulated in real time for enterprise organizations? So in the event that an inject does happen, where somebody has access to my most updated playbook that I'm housing in my GRC or housing in a third-party system, I can log into OpsBook and immediately have the most iterative updated version of the solutions, the steps and the actions that I would take place in the event of this breach. Because my process, my people, my onboarding, my ticketing system, everything's changed in the last 14 days anyways. So why would I be using a 14-day-old playbook when I can use a two-hour-old one? Why go to battle with medieval armor and a long sword when you're playing a war that's fought with drones? You know what I mean. You really got to step up to the modern day when it comes to resilience, and that's what we're trying to do with our newest product, for sure.
Speaker 1:Well, thank you so much for your time today, Cody. We've been talking to Cody Sullivan from OpsBook. My name is Joshua Schmidt, co-host and producer. I've been joined by Eric Brown and Nick Mellon from IT Audit Labs, and have a great day. We publish episodes every other Monday. We're on Spotify, YouTube, Amazon, Apple, you name it. So wherever you find your podcast, give us a subscribe, a follow and a comment and a review.
Speaker 4:If you have the time. Thanks a lot for listening. You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.