Your Incident Response Plan Is a PDF Nobody Has Read
Somewhere on your network is a document called Incident Response Plan, version 3.2, last modified fourteen months ago by someone who has since left the company. It is forty-one pages long. It contains a flowchart. It references three tools you no longer use and a phone tree with two disconnected numbers. It was written to satisfy a control, and it succeeded, because the auditor checked the box that said "does a documented IR plan exist."
It has never once been opened during an actual incident. It never will be. At 2 AM, when the file servers are encrypting and someone is asking whether to pay, nobody is going to scroll to page 23 for the RACI matrix.
This is not an argument against having a plan. It is an argument that the plan is not the point. The point is the capability the plan is supposed to represent, and those two things drift apart the moment the document is filed.
Plans Are Artifacts, Capability Is a Muscle
A plan is a snapshot of how you thought an incident would go, written by people who were calm, caffeinated, and not currently being extorted. Real incidents do not read the plan. They show up at the worst possible time, in a shape you did not anticipate, while half the response team is on a plane or on vacation or newly resigned.
What actually determines how an incident goes is not the quality of the document. It is whether the people involved have done this before, even in practice. Whether they know who has authority to disconnect production. Whether they know that the cyber-insurance policy has a notification clause that starts ticking immediately. Whether they can find the logs, reach the bank, and make a decision under pressure without first convening a meeting about who gets to decide.
That is muscle, and muscle is built through repetition, not documentation. You do not rise to the occasion. You fall to the level of your preparation, and your preparation is the last time you actually practiced, not the last time you updated a file.
The Tabletop Is Where the Plan Meets Reality
A tabletop exercise is the cheapest, highest-yield thing most security programs are not doing often enough. You get the actual humans who would respond into a room, you describe a scenario, and you make them make the decisions in real time. No production systems are touched. The only thing at risk is the comfortable assumption that everyone knows what they are doing.
The value is not in confirming the plan works. The value is in the moments where it visibly does not. The exercise is where you discover that the person listed as the decision-maker for ransom payment retired, that nobody can actually reach Legal after hours, that the backups everyone assumed were immutable are on the same domain as everything else, and that two senior people have a genuine, unresolved disagreement about whether to prioritize evidence preservation or getting the business back online. Those discoveries are gold, and you want them in a conference room, not in a crisis.
Good tabletops are specific and uncomfortable. They inject new information partway through, the way real incidents do. They put people in seats they do not normally occupy. They do not let the room settle into the comfortable fiction that everything would obviously be handled. The best ones end with a few people slightly rattled and a list of things that were supposed to be true and were not.
Run Them Like You Mean It
A tabletop that everyone enjoys and nobody learns from is theater. Make it realistic. Pick scenarios that match your actual threat profile, not the exotic ones that are fun to talk about. Include the messy parts: the stakeholder who wants it kept quiet, the deadline, the incomplete information, the decision that has no clean answer. Time-box the decisions so people feel the pressure to commit before they are certain, because that is the actual job.
And do them more than once a year. Annual is compliance cadence, not capability cadence. The teams that handle incidents well treat practice as a routine, run shorter and more frequent exercises, rotate the scenarios, and bring in the awkward stakeholders who will really be in the room. They debrief honestly and fix what broke.
The document can stay. Keep it current enough to be useful and short enough to be read. But stop mistaking its existence for readiness. The plan is the sheet music. The capability is whether the band can actually play, and you only find that out when you make them.
The organizations that come through incidents intact are not the ones with the thickest binders. They are the ones who have already had the hard conversations, in a room, on a normal Tuesday, before it counted.