Always look for the asymmetric wins as a defender. Because there aren’t many.
Tabletop exercises provide a surprising amount of ROI if you do them right.
Managing your known unknown risk is a core part of security risk management. So how do you know what you don’t know?
You can never answer that question completely, but you can manage the risk by running regular tabletop exercises against your threat model.
When you are so close to the problem as a defender, it can be tempting to think you deeply understand the problem space. But you will always have blind spots. This is normal. So how do you correct for that?
Tabletop exercises with a small group of stakeholders are one way. Take a particular risk, put together a tabletop scenario, and run through it. You can do this in less than 15 minutes to sketch out the scenario and less than half an hour to run through the tabletop exercise.
You might be surprised at how much value you get out of such work. There’s a reason that industry frameworks require at least an annual tabletop exercise. That’s a bare minimum; depending on your threat model, I’d recommend doing so quarterly or even monthly.