
Getting Executive Buy-In for a Cyber Tabletop Exercise (TTX)

You already know your organization needs to test its incident response plan. The challenge isn't making the case for why. It's getting the people who matter most to actually show up and participate.

Getting executive approval for a tabletop exercise is different from most security budget requests. You're not just asking leadership to sign off on a line item. You're asking them to block time on their calendars, sit in a room, and work through a simulated crisis. That's a harder sell, but it's also what makes the exercise valuable.

Here's how to frame the conversation.

Understand Why They're Hesitant

Before you pitch, put yourself in their shoes. Most executive resistance comes down to three things:

It sounds like a time commitment with unclear ROI.

Leadership teams are stretched thin. Asking for 90 minutes feels like a big ask when they don't fully understand what they're getting out of it.

It feels like a test they might fail.

Nobody wants to sit in a room and be exposed for not knowing the right answer. If executives think the exercise is designed to highlight what they don't know, they'll find a reason not to attend.

They assume the security budget already covers this.

The natural reaction is, "We pay for firewalls, EDR, and a security team, so why are we rehearsing for the thing we're paying to prevent?" The short answer is that technical controls reduce risk but don't eliminate it, and when something gets through, the decisions that matter most fall on the executive team, not the SOC.

Once you understand these objections, you can address them directly.

Speak Their Language

The fastest way to lose executive attention is to lead with technical jargon. A tabletop exercise is one of the easiest security concepts to explain in plain terms: it's a fire drill for your response to a cyber-attack.

Frame the conversation around the things leadership already cares about. Revenue impact, regulatory exposure, customer trust, brand reputation, operational continuity. Connect the exercise to their priorities, not yours.

Instead of: "We need to validate our IR playbook and test our escalation procedures."

Try: "If we got hit with ransomware tomorrow and lost access to our core systems, do we know who makes the call on whether to pay? Who talks to the press? Who notifies our customers? This exercise lets us answer those questions when the stakes are low."

Every executive team has business priorities for the year. Think about how a cyber incident could derail those plans and frame the exercise in those terms.

Reframe It as a Workshop, Not a Test

This is the single most important shift you can make. The language you use matters.

Words that create resistance: test, audit, assessment, evaluation, gaps, deficiencies.

Words that create buy-in: workshop, practice, preparation, collaboration, improvement, resilience.

Position the exercise as a safe environment to build confidence, practice decision-making, and improve teamwork across departments. Emphasize that the goal isn't to catch anyone off guard. It's to give leadership an opportunity to practice their roles before the cameras are rolling for real.

In our experience facilitating tabletop exercises across industries, executives almost always walk away saying they found it useful and wish they'd done it sooner. Once they're in the room, the value sells itself. Your job is just getting them there.

Quantify the Risk

Data helps, especially with financially minded executives. A few numbers worth having in your back pocket:

  • The average cost of a data breach for U.S. companies reached a record $10.22 million in 2025, according to IBM's annual Cost of a Data Breach Report.
  • Organizations with incident response teams that extensively test their response plans save an average of $1.49 million per breach.
  • Companies with tested IR plans contain breaches significantly faster than those without.

A tabletop exercise is one of the highest-ROI investments in a security program. The cost is modest, the time commitment is 90 minutes, and the potential savings in the event of a real incident are measured in millions.

Build a Coalition Before the Meeting

You probably already know who on the leadership team is most and least likely to support this. Work that to your advantage.

Identify your allies early. Pre-sell the exercise to sympathetic leaders in Legal, Communications, HR, or Finance. When the request comes with cross-functional support rather than just from the security team, it carries more weight.

If you can get even one senior leader to champion the exercise, the rest of the approval process gets significantly easier. Legal is often a natural ally. They understand regulatory obligations and the liability implications of being unprepared.

Highlight What They Gain Personally

Executives respond to incentives that are relevant to their role. Help them see what's in it for them specifically:

The CEO gets to practice leading through a crisis before they're standing in front of the press or on a call with the board.

General Counsel gets to pressure-test notification timelines, regulatory obligations, and privilege considerations in a low-stakes environment.

The CFO gets visibility into the financial decisions they'd face during an incident: ransom payments, business interruption costs, breach response expenses.

HR leadership gets to think through internal communications, employee impacts, and workforce continuity before they're doing it under duress.

When each leader can see how the exercise is directly relevant to their responsibilities, attendance stops feeling like a favor to the security team and starts feeling like preparation for their own role.

Make the Case for an Outside Facilitator

There's a meaningful difference between running a tabletop internally and bringing in a third party, and it's worth making that case to leadership.

An outside facilitator, especially one from a firm that handles real incidents, brings several advantages. The scenarios are grounded in what's actually happening in the threat landscape, not hypotheticals pulled from a template library. An external team can push participants harder, ask uncomfortable questions, and surface blind spots that internal teams are too close to see. And bringing in specialists lends the exercise a credibility and seriousness that is difficult to replicate with an internal exercise.

At IDX, our tabletop exercises are facilitated by the same DFIR professionals who respond to real incidents every day. That means the scenarios we build reflect the tactics, techniques, and decision points we're seeing in active investigations, not textbook examples from five years ago.

Give Them a Communications Win

Here's something many security leaders overlook: a well-run tabletop exercise gives executives a powerful communications asset.

If a real incident occurs, being able to say "We've rehearsed this scenario and have a tested response plan in place" is a strong message for regulators, the board, customers, and the press. It demonstrates that the organization took proactive steps to prepare, which can influence regulatory outcomes, insurance claims, and public perception.

Frame the exercise not just as risk reduction, but as reputation insurance.

Keep It Simple

When you make the ask, keep the pitch tight:

  • What it is: A 90-minute collaborative workshop where leadership works through a realistic cyber incident scenario.
  • What it isn't: A test, an audit, or a gotcha exercise.
  • What they get: A facilitated session led by experienced IR professionals, followed by a findings report with prioritized recommendations.
  • What it costs them: 90 minutes. That's it.
  • What it could save: Millions in breach costs, weeks in response time, and significant reputational damage.

The Bottom Line

Resilience isn't built in a single exercise. It's an ongoing process. But every program has to start somewhere, and a tabletop exercise is one of the most practical and accessible first steps an organization can take.

Your executives will thank you for it, but only if you can get them in the room first. Speak their language, reframe the narrative, build your coalition, and make the ask. The hard part isn't running the exercise. It's getting the green light.

*IDX provides executive and technical tabletop exercises facilitated by senior DFIR professionals who handle real incidents daily. To learn more about our Incident Readiness services or schedule a tabletop exercise for your organization, contact us at readiness@idx.us or call 855-435-7439.*

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.