I’ve facilitated tabletop exercises for over a decade. I know the rhythm.
A facilitator sets the scene. Something has already gone very wrong. An ominous email from a threat actor. Or maybe perimeter alerts. The stakes are often existential (e.g., ransomware shutting down critical systems, bet-the-business breaches, business continuity concerns). Leadership is assembled, and everyone is alert, serious, and performing competence at a very high level.
And whether anyone says it explicitly or not, the goal is containment. Security/IT wants to contain the breach. Legal wants to contain the fallout. Everyone wants to contain the worry that this exercise might reveal something uncomfortable—we might just not be ready for the big one!
I understand why organizations design tabletop exercises this way. Comprehensive tabletop exercises can take a lot of planning and coordinating, so they are often held rarely (like maybe once every year or three). They’re visible with leadership and across the team. They are also often led by external security vendors or built for executive audiences. When you only run one every year or two, it feels like it should be big, dramatic, and worthy of everyone’s time. It also feels overwhelming, like you’re drowning in a giant pile of after-action items.
The longer I do this work, the more convinced I am that containment is the wrong goal for a privacy tabletop. More importantly, I’m convinced that there isn’t just one right goal for a privacy tabletop.
I’m not ragging on containment because I think it doesn’t matter. It absolutely does! And security tabletop exercises are an important aspect of testing containment. I say this because privacy incidents almost never hinge on a single heroic moment. Organizations get through most privacy incidents by engaging in a series of small decisions made under mild stress, partial information, and competing priorities. But those are exactly the moments most tabletop exercises never touch.
When containment is the only goal, the exercise drifts into performance. People reach for the answer that should work based on a technical hypothetical, not the processes and decisions that actually need to get made during most events to result in incident closure. Process gaps quietly disappear because “we’d handle that offline.” Everyone leaves reassured, and nothing really changes.
You can survive the scenario and still learn nothing!
OK, forgive the hyperbole here. I might be playing a bit of devil’s advocate. Comprehensive tabletop exercises that cover business continuity do teach your team. The lessons often look like: “We need to enhance analog processes for when everything goes south.” or “We need to assemble faster, have cleaner handoffs, and get all of our comms templates ready for when the big one hits.”
Those types of lessons have value for a business. They absolutely do. That said, they aren’t the only way (and I posit not even the best way) to get value from tabletop exercise training.
I don’t just care about what people do when the sh*t is completely hitting the fan. I also care about those moments when teams hesitate. I care about where ownership gets fuzzy in the details or when there’s uncertainty. I care about the crossed wires where two teams discover they’ve been talking about the same data in very different ways. These are not containment issues. They are the real terrain of privacy work; the roads we walk so often that we stop noticing the scenery along the way.
“So, what is the point of this then?” you ask.
Well, that’s easy. Smaller, more frequent tabletop exercises can absolutely, albeit quietly, outperform the big ones. To come to this conclusion, I started thinking about tabletop exercises the way I think about training in every other domain, privacy or otherwise. You don’t practice only on your worst day or when everything is on fire. You practice the pieces, the bits, the small acts of decision making, repeatedly, until the response becomes familiar.
That’s the thinking behind what I call mini tabletops, and it’s the backbone of my privacy tabletop design framework.
Mini tabletops don’t try to simulate catastrophe. They isolate a single decision or failure mode and sit with it long enough to notice what breaks. They’re short. They’re imperfect. They’re slightly uncomfortable in a way that invites honesty instead of posturing and reveals how tweaked processes and better-defined roles can result in resilience.
And most importantly, they’re repeatable. Like quarterly. Like every time a new product ships. Like when a new critical vendor is being onboarded. They become a regular tool in your training toolbox.
Most organizations I work with still default to one of two extremes. Either a security tabletop run by an IT vendor that focuses on technical containment and treats privacy as a downstream effect. Or a large executive-level exercise designed to test only the gnarliest imaginable incident (e.g., the kind that would make the front page if it ever happened).
Both have value, as I’ve mentioned above. But I strongly believe mini tabletops focusing on reduced-scale scenarios help build everyday privacy readiness.
You probably see privacy incidents in your day-to-day way more often than you think. They don’t usually announce themselves as “the big one.” They creep in through ambiguity in the facts, assumptions about roles and processes, and sometimes through the quiet confidence that someone else has it covered.
Mini tabletops live in this everyday space.
Designing Mini Tabletop Exercises Teams Can Run on Their Own
So, what’s the solution if I think you should be running tabletops more often? It’s not necessarily to hire me to facilitate them. It pains me to say this, because I really, really love running tabletop exercises for my clients, and I will give as much enthusiasm to a remote-driven mini tabletop conducted over Teams with a collaborative Miro board as I will a two-day in-person extravaganza. But I digress.
One of the most useful shifts I’ve made is letting go of the idea that tabletop exercises only count if legal or privacy is in the room. Yes, they are key, and they should usually be included to the extent that scenarios touch on decisions required by those teams. However, the security-first or legal-first model isn’t the only way to succeed with a tabletop, and it also subtly reinforces the idea that privacy is someone else’s responsibility.
A good mini tabletop doesn’t require facilitation expertise. It requires careful structure, defined objectives, and clear boundaries.
The scenario should be narrow enough that people recognize it immediately. Not “a massive data breach,” but “a product manager realizes a feature is collecting more data than expected.” Not “a regulator investigation,” but “customer support receives an inquiry they’re not sure how to classify.”
The goal isn’t to reach the perfect answer. It’s to surface how decisions actually get made and how these problems are practically dealt with. And, ultimately, can we make these processes better, easier, clearer, and less of a headache for the teams that handle them?
The goal is to balance the stated processes against reality and learn where those friction points exist. Teams should walk through:
What they would do first, not what policy says
Who they’d involve before they’re sure they should
Where they’d hesitate or escalate
What assumptions they’re making without realizing it
The most important part of the exercise isn’t the scenario; it is the actions people take during it and the reflection after. What felt obvious? What felt uncomfortable? What did they realize they didn’t know?
That’s the moment where learning happens.
And because these exercises are small, they put less pressure on the participants. No one is being graded. No one is being tested. The organization isn’t practicing for catastrophe. It’s saying let’s do a “mock run” of these things that already happen and see how we can make them better.
Turning Mini Tabletops into Structured, Company-Wide Training
Once you have a handful of these exercises, something interesting happens. Patterns emerge.
Whether it’s the same questions coming up repeatedly, the same handoffs causing friction, or the same decisions feeling oddly heavy every time you make them, those patterns become the improvement roadmap.
Mini tabletops can be reused, adapted, and layered. A scenario that works for one team can be tweaked for another. An introductory version can evolve into a more complex one. Over time, they become a shared language for talking about risk without panic.
This is where privacy teams stop being facilitators and start being designers. Instead of running every exercise, you build the system, including the prompts, the structure, the reflection questions, the way insights get captured and fed back into policies, training, and product decisions. That system becomes a tool that can be deployed around the organization without relying on a single facilitator running every session.
That’s what Privacy Tabletop Design is really about. Not developing privacy scenarios for fun, but acknowledging that readiness is built through play, iteration, and repetition rather than fear.
If your tabletop exercises only test your worst day, they’re skipping the days that actually determine the overall success of your privacy program.
Containment matters. But readiness and resilience are built around multiple processes across multiple teams.
And that’s where I’d rather spend my time.
Become a paid subscriber to get access to all of the mini tools that we publish with each post. For instance, this post includes a 30-Minute Privacy Tabletop Exercise that you can run this week!
Finally, a reminder that the opinions expressed in this article are the opinion of The Privacy Design Lab. They are not legal advice, and no attorney-client relationship is formed by reading this article or downloading the 30-Minute Privacy Tabletop Exercise. If you need to consult legal counsel, you can book a consult with ARLA Strategies or other legal counsel you trust!