[Navy blue CAI "We power the possible" logo appears on screen with white background, with www.cai.io below in black.]
[Title slide. The slide title reads: "Connected and Protected: The Importance of Regional Cyber Tabletop Exercises." Above the title in smaller teal text reads: "A NACo Webinar". Near the bottom of the slide, two logos are aligned horizontally. On the left under text that reads "CAI is a sponsor of" features the National Association of Counties logo, and on the right features the navy blue CAI logo with tagline "We power the possible".]
[The slide title in bold white font reads: "Connected and Protected: The Importance of Regional Cyber Tabletop Exercises". Below the title, the date "March 13, 2025" is displayed in bold white font. The background picture features a series of transposed lines and numerical data, indicating programming code or data streams. The name "Rita Reynolds" appears in the top right corner of the slide, alongside a photo of a talking head, indicating the speaker.]
00:00:08 - 00:00:29
Rita Reynolds
Today's presentation and fireside chat is on being connected and protected and how important these regional cyber tabletop exercises are. It's a little bit different than what some of our quarterly simulations that we've been doing over the past five years. This is a webinar focused on a regional approach.
[The slide title is "Speakers". Below the title, three sections are lined up horizontally in the center of the slide. On the left, the first section includes an image of Adam Frumkin with text: "Adam Frumbkin, Chief Information Officer, Franklin County Data Center, Ohio". To the right of that is an image of Sean Ware with text: "Sean Ware, Chief Information Officer, City of Cincinnati, Ohio". On the right side, is an image of Rex Johnson with text: "Rex Johnson, Executive Director, Cybersecurity Consulting, CAI".]
00:00:30 - 00:01:14
Rita
Do now is introduce our speakers, our panelists. So first we'll go right to left. Rex Johnson, who's the executive director of the cybersecurity consulting for CAI, is going to be the moderator of the panel today. And we also have Sean Ware, who is the chief information officer from the city of Cincinnati in Ohio, and then his neighbor, Adam Frumkin, who is the chief information officer for the Franklin County Data Center in Ohio as well. Great individuals and I know two of the three fairly well. So what I want to do now is turn this over to Rex. So Rex, please talk to us about regional cyber simulations.
[Three speakers appear on the screen. Rex Johnson in the top left corner, Adam Frumkin in the top right corner, and Sean Ware in bottom center of the screen.]
00:01:15 - 00:02:16
Rex Johnson
Absolutely. Thanks a lot. I appreciate being here, Rita. We're going to have a really great discussion today. So one thing to help level set a tabletop exercise. This is a role-playing event that involves a scenario that prepares and evaluates how an organization is going to respond to a real-world emergency like a cyber attack. And these exercises are conducted in a discussion like format, typically at a table with the, hence the name and participants from various groups and departments and team members usually come together and work through this hypothetical scenario using the roles that they are generally in. For those of you who grew up playing Dungeons & Dragons, this is exactly what this is. My mom wondered if I would ever get any benefit out of playing the game. Well, running tabletops has been that. So we're going to go through that, we're going to talk about what that means. But let's go ahead and talk to our panel experts, Adam and Sean, if you guys want to take a moment to introduce yourself, we'll jump into questions.
00:02:17 - 00:02:32
Adam Frumkin
All right, well thanks Rex. Adam Frumkin. I am the Chief Information Officer for the Frank County Data Center in Frank County, Ohio, and we represent 6,800 employees and 1.4 million residents in the county. So Sean.
00:02:33 - 00:02:49
Sean Ware
Thanks Adam. Sean Ware, from the city of Cincinnati. I'm the CIO for the city, and our department covers most of the enterprise functions in regards to information technology.
00:02:50 - 00:02:59
Rex
Okay. We talked a little bit of what tabletop means. What does a regional tabletop exercise mean in your space? Sean, maybe you want to go first.
00:03:00 - 00:03:53
Sean
So obviously we've had discussions and from my experience and with the city, we're more at the crawl stage of the crawl, run, walk as far as tabletop exercises. We've done a couple and we are looking to do more and be more consistent in that practice. Regional for us as a city has been more just city in the county that we sit in, so we've had limited exposure thus far, but the plan is to be more inclusive even with Northern Kentucky to include the metropolitan area.
00:03:54 - 00:03:57
Rex
Adam, your thoughts on a regional, what that means in a tabletop?
00:03:58 - 00:04:24
Adam
For me it goes a little bit expanded at a county level. I'm not just looking at the county, I'm kind of looking and what I'm trying to look at is municipalities that are inside the county and how do we reach out to them to help them with tabletops because tabletops are a great way to find gaps. And then see how do you solve for the gaps so that when an emergency happens, you can then have a plan to go forward.
00:04:25 - 00:05:07
Rex
I think we can see as a common thread here that a region is typically folks who may not necessarily work together on a daily basis but have some dependencies on each other. I've been involved in tabletops that have been county-wide that they brought in the police department, the fire department, or they brought in folks from CISA actually to participate. And that's a very important thing because we may have an idea of how our incident response plan works and how we're exercise it, but then now we've got other players that we're relying on. Can you think about some of the unique challenges that may exist as well as benefits as conducting a regional tabletop as you defined?
00:05:08 - 00:06:04
Adam
Yeah. One of the major things honestly is people tend to not want to talk. You bring everybody in a room and they feel like they're not allowed or they shouldn't talk because they shouldn't share what's going on in their specific government municipality or government's perspective. And what they do is they don't want to share because they're afraid to give up their plan. When reality under the law, we're all allowed to share everything as an intergovernmental exchange and it's protected in that perspective as well. So we should be sharing and looking at building best practices so that we all get better versus I know there are people that call it turtling up. There's clamming up, there's all kinds of things you could say about this, but reality is we're a group of professionals that need to work together and should work together and should be sharing our best practices so that we can all get better at what we do.
00:06:05 - 00:06:18
Rex
I think that's a great point. Now Sean, you mentioned you're in the crawl stage now, so obviously you're going to be getting to that, but as you think about that, what are some of the things that you're going to see possibly as you start implementing these tabletops?
00:06:19 - 00:07:36
Sean
I think the coordination aspect of it, just getting the various related entities involved in the process. For us being early on in this, maturing in this space, it's one of those things you just got to practice. And to Adam's point I think, and I'm assuming I'm not quite sure how many you've had thus far, but as they kind of get the experience, if they open up a little bit more and understanding about the process and the benefits that come with it. Of course that being better coordination and just all ships will rise when you share the practices. I just was thinking as we were speaking, as far as this dynamic, Adam, you're a county and which multiple cities exist and with us being a city, we don't have that same dynamic. But the issue where again, when we talk about boats, not all boats within your county, sea of counties not the same and don't have the same resources to do some of the things can be done. So finding ways to collaborate and raise the level of the security.
00:07:37 - 00:08:05
Adam
I think that from my perspective, whether it's a city, county or whatever, we're a band of brothers and we have to come together and I say that loosely because I'm not saying that we're from that perspective, but we all have to come together as individual entities and band together and say, "What are the that we need to do? How are we find those gaps? Where do we go next?" And then learn from each other and that's the key. We cannot be afraid to learn from one another.
00:08:06 - 00:08:56
Rex
That's an excellent point. I remember a tabletop I ran for a transportation company, a major critical infrastructure, transportation, and when we started with the ransomware incident as we were going through first thing the guy says who runs IT, "We're going to shut off the internet." I'm like, "Okay, now let's talk about what that impact does." So it was really good. They've never really had a chance to think about what really happens. They had an incident response plan written, but they really didn't have the opportunity. So if you think about this from a regional standpoint, everyone's got their own plan. Sean, you got yours at the city and now you've got to look at working across other things. What do you think this will enhance better cybersecurity measures as regions have to interconnect and rely on each other?
00:08:57 - 00:09:40
Sean
Again, being in the early stages, what I think right away is we do have integrations or how we work with different agencies and integration points and what we actually call it here between the city and the county that is our closest partner. But we're different agencies, we're different entities and getting to the appropriate level so that we both benefit and or don't arm each other going to be very important. So that collaboration is going to be key.
00:09:41 - 00:09:43
Rex
Thoughts on that, Adam?
00:09:44 - 00:10:38
Adam
I think part of this, I totally agree with Sean. I think we have to look at this from a perspective of, as I said earlier, building that best of breed security cybersecurity plan. But the other piece of this is how we bring in non-IT people. So bringing in the electeds or others that are around, or even the city managers or county administrators or whatever they may be, or deputy county administrators or deputy cities. Or even the finance people, bringing people in to understand a tabletop is not a tabletop unless everyone's at the table and understands what they have and what their role play is in each one of them. Going back to the Dungeons & Dragons perspective, but when you role play that out, it's, "What do I have to do and what do I not know how to do?"
00:10:39 - 00:11:17
Adam
And for instance, you said if you lose the internet, what are you going to do? Well, what works at this point and how do we work around them? It takes me back to those days of I did an exercise for a retailer and they lost the internet connection. They said, "Well, we have to shut down. We can't take credit cards." I'm like, "There's a little thing underneath the counter that goes like this and you can swipe the card and it's on a piece of paper." And no one knew how to do it and they didn't even have the slips. And that's not being prepared. And that's what we're talking about is how can we create and continue with continuity of government no matter what may happen.
00:11:18 - 00:12:20
Rex
Yeah, I think that's a very valuable point. You talk about these in the culture of cybersecurity preparedness. So from the perspective of bringing everybody to the table, one of the things it's always great, I mean a lot of times these are done by an IT staff, but bring legal in, bring public affairs or public information in. Because when things happen, especially if you're a municipality or state of local government, you've got a cyber attack, public's looking at you. And they're going to ask questions. But I'll tell you the head of IT is not the person to talk to the media. And the thing is, if this does happen, who is going to talk to the media and are they prepared for that? Just as you talked about the credit cards. Definitely in building this culture of cybersecurity preparedness, it goes beyond just the people that think about cybersecurity every day.
00:12:21 - 00:12:44
Adam
Having a PIO at the table having legal at the table. You brought up a good point earlier, Rex, one of our tabletops we did recently, we had CISA and EMA and Homeland Security at the table. Bring the right people and when you start bringing other people in the electeds and others start taking notice, "Should I be there or not?" And then invite them and say, "Yeah, you need to be here."
00:12:45 - 00:12:50
Rex
Yeah. Sean, any thoughts before we jump into talking about some real-life examples?
00:12:51 - 00:13:12
Sean
No, I think establishing that culture is crucial for it to be sustainable as aside from just a one-off that's done once a year or whatever frequency, and I guess we get into the real-life examples that all builds into that.
00:13:13 - 00:13:24
Rex
And on that, can you guys share a specific example of a tabletop that you've participated in? Maybe the impact good or bad that you got out of that?
00:13:25 - 00:14:30
Sean
I can start that one. I know Adam has a lot of experience relative. So we did do a regional one with EMA down here, and there were some challenges where, as far as the coordination piece where not everyone was at the table, that should have been. So that was definitely a lesson learned. And I think part of that is, and this is me speculating that, "Oh, well that's not related, that's not my direct lane." Or, "We don't have time for that, we're too busy doing whatever else." But you have to, in this case, sharpen the saw as far as operations in this particular space is one that is not exercise much. We read articles, even take some training, but it's like learning to swim without actually getting into water or any real practice. It's not going to turn out too well when you actually get thrown in the pool.
00:14:31 - 00:15:16
Sean
So yeah, the real-world experience, we learned a lot about the business continuity issues that we didn't have and the lack of a communication or set communication plan. And so the need for structure around the whole piece was highlighted, but we did have some strengths so it wasn't all bad. And so it was a good thing to see we're doing some things well and we need to improve in others, which is probably going to be the case for most folks that go through this process.
00:15:17 - 00:15:18
Rex
Adam's thoughts on that too?
00:15:19 - 00:16:11
Adam
Yeah, so I think when you go into a tabletop, the goal is not to be, I'm going to say it this way, not to be successful. Your goal is to find what's good, what do you have, what are you missing? Other words, the gaps, and then what are the things you just don't know? You can find the gaps with the right people in the room, but then if you don't have certain other people in the room, you may be missing other gaps or thoughts. And so a recent tabletop we did was in preparation for the presidential election and we did it with our board of elections and we did it in a way where we brought the board of elections in and then we also included CISA, we included the Homeland Security and EMA. We included both the PIO for board of elections, but we also involved the one from the county as well.
00:16:12 - 00:16:49
Adam
And the one thing that we found in all this was, do we have set talking points that we can talk to that can be standard talking points, but then which ones can we use that we can morph on the fly, but it has a start to it. Things like that. And then what we did was we recognized that when we did the first one that, "Hey, we have vendors that are involved in all this and so let's do a tabletop with the vendors involved as well." So we did a secondary tabletop that had all the vendors in it and the specific people from the staff and then also again CISA and Homeland.
00:16:50 - 00:17:25
Adam
And we brought them all in a room and we started talking about, "Okay, what happens if?" Because it could be, we might be looking at a situation where it may be on us, but what if it's on a vendor and the vendor is supposed to be presenting or giving us a service that now we don't have and how does that now attribute to the issue that we have at hand? And how are we going to manage or respond, and I'm going to say respond, not react, respond to the situation, whether it's internal or external at that point. So we learned a lot from that perspective.
00:17:26 - 00:18:13
Rex
I think that's an excellent point. Some of the tabletops that I've run, I'd run into organizations that would say, "The FBI says don't pay the ransom, we're never going to pay the ransom." But you get to a point with when you realize you have cyber insurance, you have negotiators, you get that ransom down to something that really is painful, but it's not that painful. But compared to getting back online and it kind of shifts the mindset from the hard and fast, "These are the way things have to be", to realizing that things are a little bit more fluid. And you've mentioned some examples as well as you've gone through these exercises, how have they influenced your own cybersecurity and strategy and posture within your own organizations?
00:18:14 - 00:18:15
Adam
Sean, you want to go first?
00:18:15 - 00:18:21
Sean
Sure. We really start checking our back-up support.
00:18:22 - 00:18:23
Rex
That's a great one.
00:18:24 - 00:19:22
Sean
And making sure that our level to recover or our ability to recover is what we think it should be, which should be done anyway as far as making sure that you can restore. But also to look more with a microscopic lens as far as, okay, you got to really walk through those steps because you can, "Oh yeah, we have backups", but there's that one piece that either it was implemented at some point and it wasn't reevaluated. So continue kind of walking through that. And even in our simulations, it's not a real-world, there's always something that we can't really simulate that aspect of it. And so it's one of those things you really don't know until you really have to go through it, but you try to simulate as best possible. That's the biggest thing. The backup and recovery.
00:19:23 - 00:19:24
Rex
That's a great one.
00:19:25 - 00:19:44
Adam
Yeah, a hundred percent agree on immutable backups and making sure you have something that you can fall back to because if you're like me and I'm going to say it this way, I'm going to very careful how I say this. If someone was in my environment and I'm rebuilding from a backup, can I trust my environment completely or not?
00:19:45 - 00:20:36
Adam
And so when I start thinking about cyber or cyber strategy and the posture where we are, it's depending on what it is and how and where it hit. What's my go-to plan? So is it bare metal, is it recovery? Where is it? And I think that's what part of what we don't think about and we don't talk about on a regular basis, especially upstream to those that we report to, those that lead the city or the county or the state is, "Hey, you realize that there could be a lingering back door somewhere and I need to be able to find that or I need to rebuild to get us back so that I know that without a doubt we are where we need to be and this may or may not happen again." And never going to say it's not because you can't.
00:20:37 - 00:21:20
Adam
But the point is what's our posture? And we built a strategy around it. We built a five-year roadmap to how we build through our environment, how we went to or in process of going to zero trust and guiding ourselves through that point. And then each time we go through the cyber insurance piece is telling them what we added to our environment or what we changed to help them understand that we are, this is not a passive perspective, but cybersecurity and going through tabletops and doing these things, cybersecurity is an active part of technology, not a passive part of technology. So we have to be active and tabletops is one of those ways of making us active.
00:21:21 - 00:22:09
Rex
And that's a great way to put it. I mean that's a way to kind of test what to do. It's a test your incident response plan. And I can tell you every tabletop that I've hosted for someone, they've always walked away with a change in their incident response plan or their procedures, every time. So you said this earlier, tabletop exercise is not something you necessarily win and you're not playing to win. You're playing there to see what to happen when it's worst case scenario. And there's just a number of things to think about that you talk about the backups and how well you're right, there's been backups done, but the hackers were there for six months before and so when they did the backups, the hackers stayed there.
00:22:10 - 00:22:44
Rex
So a lot of things you got to answer there and having folks who've been through that and engaging the right digital forensics to make sure they're eradicated from your, these are things that build upon. Now that you've done and thought about these, let's talk about the collaboration with the other organizations. Now, what improvements have you done in being able to collaborate with the other organizations and partners as a result of participating in these exercises?
00:22:45 - 00:23:20
Sean
I'll start, since we're the more junior in the process. I have regular meetings on the county side just to touch base, which again has other benefits as well. And we're still working on improving that communication for when there are incidents, not necessarily of a security nature, but like I said, because we have an integration point. We're improving our communication channels, who to call when and just opening the lines of communications.
00:23:21 - 00:24:24
Adam
Yeah, I can't change that or say anything different than what Sean said, other than what you create when you're creating those open lines of communication is you're creating a, I'll say a regional forum or a regional team of people that as you go through things, they're the people you share things with. They're the team that you bounce or ideas off of and it kind of becomes a working unit so that when things happen or when someone's asking an idea, it transforms beyond just this piece, but you actually build relationships. And relationships last longer so that way when something comes up, it's not just about a cybersecurity thing, it's whatever it may be, but we all know it all leads back to cybersecurity because whatever we do in a technology perspective, we have to protect. So building those relationships, building a team of people that you can rely on and there's a sense of camaraderie in that.
00:24:25 - 00:24:59
Adam
But the other piece of it is if you're all working together in collaboration, it doesn't matter if that regional group, whether I'm going to the county administrator or Sean, you're going to the city manager or the mayor. And when we do that, we say, "We've been working on this as a team and this is who's all involved." And it's not just one person coming, it's a group of individuals that are trusted in their positions that are bringing something forth to make a difference because it's what we have to do and as a fiduciary that's what our responsibility is.
00:25:00 - 00:25:18
Rex
That's definitely a great point. I kind of want to go back to something you said earlier, Adam. You were talking about sharing your tabletop experiences with your insurance broker. You kind of touched on that a little bit. Maybe you could tell us a little bit more of how did they respond? Did it impact your risk profile? Were what came out of that?
00:25:19 - 00:26:14
Adam
So the last time we did that, we shared it actually during the reinsurance process that we have to go through every year. And the additional 600, I joke, 600 questions we got added to the list and we said, "So can we share with you what we're doing? We will answer all your questions, but can we share with what we're doing that we may feel might be important to you to know that?" And it goes back to what I said earlier, it's that active perspective from a cyber perspective, it's not a passive environment. We're actually actively trying to figure out and look at different scenarios that may be something that would be coming at us kind of like a threat hunter type perspective. We're threat hunting and saying here are the different things that could be coming at our direction and watching the threat. I'm going to say this, the threat of the week that is going around the country and what people may be having.
00:26:15 - 00:27:19
Adam
And I'm going to say this, Sean and I are two C's of the three C's in Ohio and the third C had an incident about a week and a half ago and the first thing I did was, "Hey, what can we do to help? And is there anything I can... ". And watching it, "What can I learn from it? And then can I test for that?" And then share that with our cyber insurance company that says, "Hey, we know these are real incidents and we're testing for those and taking those into consideration because we can hypothetical all day long, but the best hypothetical is a real environment just in yours." So that's how we kind of share with our insurance company. They're actually very, the broker is excited about it when we bring to them, "Here's what we've done that's above and beyond just answering the questionnaire." So it helps them find the right insurance for us because there are companies out there that are looking for active participation in protection. So that's the good thing.
00:27:20 - 00:27:23
Rex
Sean, have you done anything similar? Have you shared this with your insurance?
00:27:24 - 00:28:06
Sean
We're working in that process now. I did want to make a comment. I don't know if the threat actors actively don't want us to share information among ourselves, but it's to their benefit if we don't, stay isolated because then we don't learn from what's happening out there in the field. So if anything, that should be a motivation to have regional tabletop exercises and to participate in forums and just generally communicate with your peers and neighbors to make sure you don't fall for the same.
00:28:07 - 00:29:11
Rex
No, it's great lessons learned. Great lessons learned there. So one thing I do know about the threat actors is they also like to collaborate among themselves and they are, when I brought up the subject of pay the ransom, don't pay the ransom. People like, "Oh no, you're just going to encourage terrorists." Well, if you pull that onion back, basically most state sponsored threat actors that are attacking you are doing it as a business and they are looking for a payday. So I've had situations where ransom in real-world situations where ransom has been talked down significantly because they want their payday and quite frankly if a certain threat actor group is known for not giving you the key after being paid, their credit is going to be lost. And so they're kind of on the hook that they need to honor that otherwise people are not going to pay the ransom when they attack them next.
00:29:12 - 00:30:16
Rex
So there's a lot of interesting collaboration between these groups as they work together to attack us. It's kind of scary from that perspective, but I think your point there, Sean and Adam talking about collaboration working together are very important because threat actors are doing that as well and we're not going to do ourselves any good by kind of setting back. And cyber insurance been something that's evolved quite a bit over the years. I remember there was a lot of questions about it at the beginning of how to do it. It seemed like everybody, it was like selling an auto policy to a teenager with bad grades. Everybody was that and then there was no real actuarial tables and then all these things came out, but now we're kind of getting an idea about it where we can figure out the risk and help transfer that. And as you share that, of course you mentioned, Adam, that they were excited about that because you're a lower risk now because you're sharing your plan there.
00:30:17 - 00:30:46
Rex
Let's talk a little bit about your tabletops that you had. You talked about inviting different people to that and you talked about CISA, you talked about other organizations. As you got these tabletops going, how did you ensure you had all the relevant stakeholders, both internal and from a regional's perspective there? Either one wants to hop on that one first.
00:30:47 - 00:31:41
Adam
I would say you never know if you have everybody, the right people in the room. So you're in the room and something comes up and goes, "Should have invited that person too." Obviously start with the people you're working with. Start with if you can bring the, I'm going to say it this way, I know it's not going to be popular, but bring the fed, bring the state, bring Homeland Security, bring emergency management, have them be in the room and explain, "Hey, we want you there. We want to hear from you during this process and people need to hear what's going on." We've toyed with asking the FBI to come to a tabletop and share with some of the things that they're seeing and hearing because obviously a lot of times we'll get an email or a request that says, "Hey, can you keep an eye on this? It's something we're seeing." That always makes your spidey senses go up when someone reaches out to you and says, "We're seeing some actors going on."
00:31:42 - 00:32:08
Adam
So having different people like that in the room along with everybody else, it brings not only credibility but then it also starts opening up other doors or gaps that we may find. I can't say that I've successfully said that we have everybody, there are all the right people in the room at the right time. So do your best and then sometimes you find out. So the next time got to invite this person too.
00:32:09 - 00:32:13
Rex
Sean is you're starting out on this, what are your thoughts on making sure you have the right folks?
00:32:14 - 00:32:55
Sean
So in the one that we've actually organized with the vendor, it was just us. It was more of an internal, "Hey, how are we doing in this aspect." And going through the scenarios and the plan is to then increase that to our other departments, the other stakeholders, and then we move into the regional, including the county. So again, we're in the beginnings of that process, but initially we just started internally looked at how our operations compare going through those exercises.
00:32:56 - 00:33:31
Rex
In some cases I've seen it's required a little bit of executive, definitely requires executive support and I had a tabletop that I ran that the scenario was payroll was impacted, everybody wants to get paid. So the folks from HR that were told to be at this were initially sitting there going, "Why do I have to be here? I've got other things to do." And they realized when they had to play in the game, they got a lot more engaged. "Gee, what are we going to do if we can't make payroll? What's our work around? Have we tested that?" Then those kinds of things start to come into mind.
00:33:32 - 00:33:52
Rex
So we've talked about some of the exercises we've done. Now let's talk about, especially now, Sean, as you're preparing these and getting these started, what are some of the first steps counties should take when, an organization should take when they're planning a regional tabletop exercise, what are some things that come to mind?
00:33:53 - 00:34:38
Sean
First you have to identify who you would like at the table and as Adam said, from experience, when you go through those exercises and a question's asked and you're like, "Wait a minute, we don't have someone to answer that question." It will work its way out is who else should be there. But you got to do that survey of who do we all interconnect with in any capacity or that may have an impact if they're impacted. There's a lot of layers. We do a lot of things as local government and that means there's a lot of interconnectivity as well. Some not so obvious until something goes wrong.
00:34:39 - 00:34:40
Rex
Adam, anything to add to that?
00:34:41 - 00:35:44
Adam
The only thing I would add to that is understanding, and you brought it up earlier, Rex, how to peel an onion. Is finding the right scenario that you can peel the layers back and get deeper and deeper to find where things are and what we can all learn from it. Having the right people in the room is obviously number one, but I also look at what's the scenario that we're trying to peel back and that kind of sets what and who we want in that room as well, based on the scenario. We could come up with a scenario and have people in the room that go, "I don't even interact with us on a daily basis." So it is setting a scenario and finding a different scenario so that we can not just do a once and done. This is a multiple perspective of learning. And I want to say that carefully is when we do tabletops, the different scenarios give us learning events and our job is to learn from them so that we can put things into practice, to either understand how to head off or how to respond.
00:35:45 - 00:36:50
Rex
I think that's a key point that you bring up there, Adam is the scenario itself, and I've done tabletops that have been primarily technical and they're really more around the technical solution. When Sean was talking about getting those backups and the challenges you have there, and those can get pretty detailed. But then we go up a few levels, then you have questions of now the public, they're asking questions, social media is posting things saying that you're not handling this well and you get into situations there. Well the IT team, as I said is not the folks to talk to the media. You've got folks for that and you've got talking points, you've got leaders that are designated and prepared for these kind of discussions and how do they play out? Do you grant an interview? Do you not grant an interview? So when you think about engaging key stakeholders for successful tabletops, you'd say the scenario might dictate who you invite to the table?
00:36:51 - 00:37:42
Adam
For me it is definitely, but I'll always add a few extra people in just for coverage. So from a perspective of always having a person from legal in there, having someone from the administration there to listen, even if it's a chief of staff or a policy aide or whatever it may be, having someone in the room so they hear it and they go, "Hey, I heard something." And then they take it back and then it opens up questions. My goal with tabletops is to create more questions asked after the tabletop versus all answers. And the reason for that is it leads to other things that says, "Okay, do you understand that that's why we need to put these things in place or why we need this funded." If it's not been funded or things like that.
00:37:43 - 00:38:05
Adam
So it allows us to open doors or windows that necessarily may not have been opened before. So having a few extra people in the room that are listening that ask questions from the outside, help them think, help us think, and then they take it somewhere else to help others understand what's going on and maybe there is something else there that they need to think about.
00:38:06 - 00:38:15
Rex
Sean, from the perspective of the tabletops you're planning to run, how are you identifying who you're going to invite to that tabletop?
00:38:16 - 00:38:21
Sean
I want everyone there. I mean-
00:38:22 - 00:38:23
Rex
Big table.
00:38:23 - 00:39:03
Sean
... it goes to the diversity of thought, right? Because there's always that one person that where the light bulb goes off and they make the connection like, "Wait a minute, what if?" And then it starts that line of questioning that Adam was referring to where there ends up being more questions than were initially answered in the tabletop, but realistically that's not going to happen. Hopefully we can get folks that are open to go through the process and figure out what's in it for them in regards to maintaining their operation. That goes to that business continuity piece.
00:39:04 - 00:39:48
Sean
What happens if not directly the technology that you use is not available, but what happens if a department or agency that supports you cannot do what they normally do? And it could be from a safety perspective or even a health perspective, whatever service, what if you're not getting a service that you depend on to do which you need to do and further down the lines because of technology issue. So again, it's a domino thing. I mean or spider web if you want to think of it that way. There's a lot of interconnectivity there and you have to think more than just one step away, but that's part of building the culture and educating the folks the importance of this.
00:39:49 - 00:40:08
Rex
I have one final question, but I'm going to hold that because we've got some good questions in the chat that I'd like for us to address. Deidre here has asked, "Have we created playbooks for each of the tabletop stuff and do you keep a document used in case these get real?"
00:40:09 - 00:40:41
Adam
So I answered in the chat and the answer is yes, you do keep playbooks, they're a must. It allows you to document all you're doing and what the scenario is, the outcomes, the gaps, and how you corrected for anything that you found during the scenario. But it also allows you to understand if and when that scenario or a similar scenario pops up, you have something that guides you but it also allows you to understand who should be in that room for that type of scenario when that pops up.
00:40:42 - 00:41:00
Rex
That's a good point. And actually some of the playbooks I've used have assigned responsibility to certain tasks level, so that helps you identify who, but that's a great one. Another question that came up, "Well, what are some things the team could do to maximize engagement from all of the stakeholders?"
00:41:01 - 00:41:23
Adam
I call on them during the meeting. I don't let anybody sit quiet. If someone's sitting quiet, I go, "You have something you're thinking about, you got to get it out. "The quietest person in the room is probably the most knowledgeable person in the room whether they realize it or not. And so I call them out.
00:41:24 - 00:41:37
Rex
That's good. Folks are asking about templates. I don't know if that's something, I know there are some templates out there. I know that CISA does have some as well that are out there that can be available for free.
00:41:38 - 00:41:45
Adam
NIST has some templates as well. Rita, do you want to jump in here with our template library and discuss what we have?
00:41:46 - 00:42:45
Rita
Of course. Thank you for that unsolicited try-in, great segue. And as you said, CISA has some templates. Dare I say, MS-ISAC has some templates right now. Hurry up and get them. And the reality is that we at NACO have a tech exchange for our county and for those in the city that are interested in joining, behind the subscription is a library that includes policies and of course job descriptions and great suggestion too to take a look at our security folder and what we have in there. There's some in there for sure, but we also have some other resources that we need to make sure in the template library that talk directly to this point. So we'll follow up with everyone afterwards with information on that in an email.
00:42:46 - 00:43:00
Rita
But I had a question for you all and maybe you elaborated, maybe I just need a little bit more, but talk about roles and responsibilities for me.
[The speaker Rita Reynolds appears in the top left corner of the screen, moving Rex Johnson to the top right corner, Adam Frumkin to the bottom left corner, and Sean Ware to the bottom right corner of the screen.]
00:43:01 - 00:43:26
Rita
I know that you can't necessarily cover every role and responsibility for every situation, but there are definitely some pieces or some standards that are consistent regardless of the type of situation. So if you could talk to that and then I will add some more information about my reference to MS-ISAC shortly. So the questions back to Adam or to Sean?
00:43:27 - 00:43:28
Adam
Let's go to Sean first and then I'll-
00:43:29 - 00:43:35
Sean
Yeah, so general responsibilities in regards to a tabletop, running a tabletop exercise.
00:43:36 - 00:44:11
Rita
Well, just the role. What I'm referring to is in your playbook or in your continuity plan, that's probably the better way to phrase it. What are the roles and responsibilities when a situation actually happens? And you play that out in a tabletop, but there are certain people that need to be involved all the time. And have you identified them and have you identified the backup? I've been in situations where, "Yeah, we have public relations person identified." "Oh, they're out on vacation and they're in another country." So who's the backup?
00:44:12 - 00:45:35
Sean
Yeah, we need to work on that in that area. Without going into a lot of details. Yes, we know who the contact in our department, we have our managers who deal with situations. And to be honest, we've had, I guess you can call them near misses or at least we had to investigate something that it kind of grazed if you will, or it was a, "Hey, this needs to be tightened up", so that it didn't become an issue. So we've gone through the process and it's all hands on deck in regards to our infrastructure folks and across the board myself. And then we alert the administration of what's going on. But when I say we need to work on is that I would like to see us be more or systematic in their approach and so that it is clear whether I'm here or any of the key individuals that already know that are part of the process that we have that who's the alternate, who's the backup. And one of the challenges in our environment, I'm sure it's not much different than others, is that you don't always have a bench.
00:45:36 - 00:45:37
Rex
Right.
00:45:38 - 00:45:39
Rita
True.
00:45:39 - 00:45:39
Adam
Very true.
00:45:39 - 00:45:40
Rex
That's a good point.
00:45:40 - 00:45:56
Sean
So I think documentation to help mitigate that is you also have to have it written down and clear so that whoever it does have to pick up the mantle in that situation, they have something aside from just trying to figure it out on.
00:45:57 - 00:46:50
Adam
One of the things we learned a couple of years ago was, yes, we had the primary, yes, we had the backup, but what we learned was when you're in the art of war, in the midst of it, having the backup in the room with the primary, in case the primary ends up having a situation where they can't be there, the secondary is not stepping in cold and trying to figure out what is going on. And then we spend a lot of time going back and rehashing through it to get them up to speed and it's almost like putting the car in reverse or in park for a few minutes so we can get them up to speed. So what we learned from our situation was make sure the backup's in the room and if there's a tertiary backup that the responsibility of the backup person while they're listening is actually to take notes to share and keep within that group, but also share with their backup that's not in the room.
00:46:51 - 00:47:06
Adam
So we learned a little bit from that that just doing a hot swap does not work because you end up putting everything in park and stopping for a little bit. And they've got to be involved. Sean, you're right.
00:47:07 - 00:47:23
Rita
The other thing I thought about, from a backup perspective and the roles and responsibilities of your cyber insurer because there are resources there that could step in and contacting them when you have a real situation shouldn't be the first time you're contacting them.
00:47:24 - 00:47:42
Rex
That's a good point. As we're coming up on our time, one of the things last question I'd like to ask you both is what advice would you give the counties or organizations that are hesitant to initiate a regional collaboration in cybersecurity?
00:47:43 - 00:48:53
Sean
I'll start. I would say if you've gone through this session and I learned something just going through this process, like I said, I think it's an interesting dynamic. Someone who is or an organization and I'm self-assessing where we are, that are more early on in the maturity around this space and compared to Adam and his organization. I think it's an opportunity, like I said, just by sitting and talking about tabletop exercises, I've learned and have some ideas. And I'll just a quick aside, I've been in conversations with Adam a couple of times thus far and this guy always drops a gem here and there. And so I am trying to emphasize the importance of speaking with folks who have more experience, who have been around the mountain, so to say a couple of times, and that you can learn something and help elevate the level of practice around this.
00:48:54 - 00:49:01
Rex
Adam, what's your advice for folks who are hesitant to do that, share?
00:49:02 - 00:50:04
Adam
Stop overthinking it, pick up the phone and make a phone call or send an email. Honestly, I'm being blunt, but I was going to say give yourself a GIF slap. But see, there's some people that understand that. But reality is if you're not reaching out, you're isolated and isolation is not always a good thing. What happens when, if you think about it, in the old days they had castles and castles had walls and everybody felt they were safe when they were inside the walls. What happens when you run out of food and water? You're not safe anymore. You got to go out. So the best defense is an offense, which is having people that you can reach out to understanding from other people what they're doing. Reach out to your peer, so whether it be another small city or another city or same size, and then reach out to those that you don't know that may be larger than you and have a different perspective.
00:50:05 - 00:51:06
Adam
I'll say I'm very fortunate, I have a really great cyber team that supports me in this and our county, and we look at it as we want to give that information, that wealth of knowledge away. And if someone calls, we're always going to step in and help, but we also sometimes reach out and say, "Hey, what are you doing and what's going on? Because we are concerned." So my perspective is pick someone and call them and ask them what they're doing, but then ask them who they talk to. And that's how you start building these, I'll say these regional forums of, or locality, local forums is, I could think of where Sean is just in Cincinnati or even here Columbus, all the different CIOs or IT directors for all the little municipalities that are around you and around Sean and around me. And the ones I know down there and the ones I know up here and the ones I've gotten to know up in the third C up in Cleveland.
00:51:07 - 00:51:59
Adam
But what about the other 80, what 83 counties and all the municipalities in those are in the state of Ohio, how are they faring? And some of them are a one man, one person show and they need guidance and help as well. Whether they want to ask or not, they should be reaching out. So either what I say is just pick up the phone, pick up an email, send it, use LinkedIn as your friend, find who the CIO is in that group. If it's a county perspective, I'll say this, reach out to Rita. If it's a city perspective, reach out to Doug Robinson at the National League of Cities, but find the people that are around you. And Doug and I know Rita, they'll reach out, they'll give you the names of the people around you and who are members and who they can think of. Just do it. That's my bottom line.
00:52:00 - 00:52:15
Rex
I appreciate that. And again, as a CAI, we're an organization that can help out as well. We do a number of tabletops and have helped organizations, but the collaboration you're talking about is excellent. Well we appreciate your time. And Rita, do you have something?
00:52:16 - 00:53:23
Rita
Yeah, I just want to address Deidre's question about MS-ISAC. A notice went out late yesterday that they are losing, they're being defunded at the federal level and for now the important thing to know is that services will mostly continue as they are CrowdStrike licensing, anyone has that, it's good through 2026. They're doing their best to fly an alternate funding. If you did not get that notice, because I've talked to some folks who did not, we put it on the tech exchange and it's amber, so that means it only goes to local government employees. Reach out to your contact at MS-ISAC and they can send it to you as well. It has a little bit more information in it, but I did want to mention that. We're already looking at what are the options moving forward and talking internally about what does this mean long term. So stay tuned for more. This is pretty fresh off the news.
00:53:24 - 00:53:25
Rex
Excellent. Thanks for that.
00:53:26 - 00:53:26
Rita
All right.
00:53:27 - 00:53:33
Rex
We appreciate everybody's time today and hope you got a lot out of this webinar and thanks again for the partnership, Rita.
[The slide is divided vertically into two sections. The left section features the CAI logo and tagline "We power the possible" in white text. Below, there's a QR code with the instruction "Scan to learn more about us," followed by contact information: Website: "www.cai.io," Email: "inquire@cai.io," Phone: "+1 (888) 824-8111," LinkedIn: "@CAI," and X: "@CAI_Insights". The right section poses the question, "Why choose CAI?", followed by a list of features: "Extensive team experience" with "40+ years serving government and public services," "Proven track record of success" with "Robust portfolio of successful client outcomes," "Committed, dedicated partners" with "Top 25 clients' average partner tenure over 15 years," "Innovative technology vision" with "Leading the conversation on AI and other technologies," and "Unmatched customer service" with "Great teams are built with great people," each accompanied by illustrative icons.]
00:53:34 - 00:53:47
Rita
Yeah, and I'm going to just share your information real quickly. Hopefully everyone can see the CAI slide with the QR code. If you have a minute and want to download that, feel free to do.
[Blue CAI "We power the possible" logo appears in middle of screen. Company website www.cai.io appears at the bottom center of the screen.]
[{"asset_name":"www.cai.io","asset_url":"https:\/\/www.cai.io","asset_type_code":"site"},{"asset_name":"Resources","asset_url":"https:\/\/www.cai.io\/resources","asset_type_code":"page_redirect"},{"asset_name":"Events and Webinars","asset_url":"https:\/\/www.cai.io\/resources\/events-and-webinars","asset_type_code":"page_standard"},{"asset_name":"Connected and protected: The importance of regional cyber tabletop exercises","asset_url":"https:\/\/www.cai.io\/resources\/events-and-webinars\/connected-and-protected-the-importance-of-regional-cyber-tabletop-exercises","asset_type_code":"calendar_event_single"}]
Watch this interactive National Association of Counties (NACo) on-demand webinar on the importance of regional tabletop exercises in enhancing cybersecurity defenses for county governments. Learn how these exercises can help bridge connections between different local government agencies and departments, improve cybersecurity measures, and foster effective collaboration. Discover practical steps to initiate and conduct regional tabletop exercises, ensuring a coordinated and resilient response to potential cyber threats.
Regional tabletop exercises help you and the agencies and organizations you work with to assess the effectiveness of current incident response processes, identifying areas where organizations can better manage attacks and increase cyber resilience on a regional scale. Learn more about cybersecurity and the ways to get started or fill out the form below.
