Tabletop Training: Bridging the Local Government Cybersecurity Skills Gap
Just because local government IT departments are underfunded doesn't mean they can't prepare for the next cybersecurity breach.
It hardly bears repeating at this point that local governments are prime targets for cyber attacks. Underfunded IT departments working with outdated infrastructure and legacy software systems are sitting ducks for hackers who are only getting savvier by the day.
And as GovTech reported back in June, there is a serious cybersecurity skills gap happening in local government IT departments across the country.
This isn't an indictment of the IT professionals who go into public service; the cybersecurity skills gap is an unpleasant reality for all sectors, both public and private.
But fortunately, says Maria Barsallo Lynch of the Harvard Kennedy School, this is not an insurmountable problem.
You can gain literacy in this space," she told a panel at the Route Fifty Cybersecurity Road Show recently. It just takes a culture that prioritizes security and creates ongoing opportunities for skills development.
Tabletop Cybersecurity Simulations
As the Washington State Office of Cybersecurity explains, "a quick and easy way to help prepare your team [for cybersecurity incidents] is to hold short 15 minute tabletop exercises every month."
These exercises not only allow your team to walk through hypothetical incidents in a low-stress environment, but they also allow them to address the following questions before the next security breach:
- Does your agency have a Cybersecurity Incidence Response Plan?
- Are there any compliance requirements your team must adhere to? (PCI-DSS, HIPAA, FISMA, IRS or Sarbanes-Oxley)
- Who should you notify, both internally and externally, in the case of an incident?
- Do you have a back-up point of contact if the manager who handles cybersecurity is unavailable?
- What are the resources available to your team to help with the response?
- Who do you contact if more resources are needed?
Designing an Effective Tabletop Training Session
While IT departments can access sample training scenarios from other organizations -- many of which we've included below -- the best way to prepare, according to security firm Red Canary, is to design these exercises yourself. That way you can tailor them to the specific needs of your agency.
But there are, of course, commonalities that the facilitator (or Gamemaster) should keep in mind.
The best scenarios present enough information and clues that the team is able to drive the story forward," writes Kyle Rainey on the Red Canary blog. "And don’t feel you must limit your exercise to one topic; some of the most interesting exercises might chain together a number of these topics."
Review and download six exercises from the Center for Internet Security: