McCarthy Cyber Readiness FAQs

A cybersecurity tabletop exercise is a guided simulation for leadership, technical teams, and decision-makers to practice responding to an incident. These sessions create a safe, no-pressure environment to test decision-making, communication, and coordination across departments. By walking through realistic scenarios, teams can uncover gaps, strengthen their readiness, and build the confidence needed to respond effectively when a real incident occurs.

Before an incident occurs, organizations should develop a Cyber Incident Response Plan (CIRP). Make sure the CIRP covers more than just IT. The CIRP should be Top Down so that it addresses all the expectations and concerns of the management team. We’re also seeing Board of Directors involvement due to recent SEC guidance. If you are a public company, your corporate annual report is a good place to start. You should test the CIRP to make sure it meets the needs of the entire organization. This is usually accomplished by a tabletop exercise (TTX). These are an annual requirement if you are an audited entity. You should also maintain and update the CIRP regularly. This results in a “lessons learned” program. McCarthy Cyber Readiness helps you cover all these steps so you’re ready before the crisis hits.

Yes. Our Cyber Incident Response Plans (CIRP) and tabletop exercises (TTXs) are designed to align with leading compliance frameworks such as NIST, ISO, HIPAA, and CMMC. While compliance alone doesn’t guarantee readiness, our approach ensures you meet regulatory requirements while also strengthening real-world resilience. This means you not only check the boxes for audits, but also build a culture of preparedness that protects your organization from evolving threats.

We only do Cyber Incident Response Plans (CIRP) and the tabletop exercises (TTXs) necessary to test them. We’re not a software/hardware company that wants to offer a product on top of our services. We are not a forensics firm. Most of those firms deliver generic, IT-centric CIRPs and TTXs. That’s where their expertise is.

We are different. While our CIRPs & TTXs address the IT concerns, we also focus on Top Down, Risk Based, and Business Due Diligence CIRPs & TTXs that prepare the entire organization for a cyber crisis. We leverage a decades-old military methodology that custom builds your CIRP to address your specific needs. The last thing we’re going to do is recommend or lock you into a security appliance or service.

Just about every cybersecurity framework out there requires a TTX at least annually. NIST, FFIEC (which is going away), HIPAA, PCI, and ISO27K are ones that immediately come to mind. There are a number of reasons you may want to conduct more frequent TTXs: your board wonders whether your organization can respond to a cyber attack that has impacted a competitor or one that is in the news and on their minds; changes/upgrades to your technology infrastructure; regulatory requirements; or even contractual requirements from third parties you work with.

Over the last 10 years, we’ve conducted hundreds of management level tabletop exercises. One of the most obvious indicators that an organization is not ready for a crisis is when they ask that very question. The participants of your TTX should be listed in your CIRP because your CIRP has identified all of the potential risk scenarios that may impact your organization. The CIRP then needs to identify all the various requirements for those scenarios and who will be needed to satisfy each requirement.

This approach is called Requirements Driven Execution (RDE). It’s been used by the military for a very long time. We also leverage this when we write CIRPs. On the management side, the usual suspects should include: CEO, Legal, HR, Corporate Communications, Audit/Compliance, CFO, and Privacy (especially if a cyber incident involves a breach of PII). If you have cyber insurance (very important), the Risk Management person who manages the policy should be included. If you expect to involve law enforcement, identify someone for those circumstances. Finally, you need to identify someone who will represent and liaise with your business functions (Business Continuity). If you are publicly traded, someone from your Board may also want to be involved. (This is a new trend based on recent SEC guidance.) On the IT side: CIO, CISO, networking for containment, forensics, InfoSec for all the SIEM, threat & vulnerability issues, the infrastructure team, and Disaster Recovery (DR) if you ever want to recover. I’m probably missing one or two, but until you conduct a formal assessment in the form of a CIRP, we won’t know for sure. You should probably have all of this documented, too, if you worry about potential litigation.

IT and cybersecurity teams are vital, but incident readiness goes beyond technology. It requires alignment across leadership, legal, compliance, HR, operations, and communications to ensure the entire organization responds effectively.

CIRP Development

Cyber Incident Response Plan (CIRP) development

If you can “think” it, you can “write” it. The goal of writing a CIRP is to ensure that you, the person who will lead the organization through a crisis, have thoroughly anticipated and researched your role prior to the actual crisis. No plan is 100% effective (or as the Marines say, “No plan survives first contact with the enemy”), but we should be able to address 80–90% of the “easy” stuff.

A CIRP addresses the following requirements:

  • Responding to an actual incident.
  • Mobilizing the IR team to respond and terminate the event.
  • Managing the IR program.

Project timeline

  1. Initiation of the project

Expectation management:

  • Discuss project costs, receiving your Purchase Order, invoicing logistics, and payment cadence.

Your expectations of me and the CIRP:

  • Deadlines.
  • Audit requirements.
  • Visibility.

My expectations of you (2–4 hours per week):

  • Review the Sample Project Plan and sample CIRP Table of Contents (provided in advance).
  • Agreement initiates the first invoice for 30% of the project fee.

  2. Week 1

Defining the Risk Narrative:

  • Produce version 1 Risk Narrative for your Board of Directors.
  • Reference materials provided to support development.

  3. Week 2

Identify scenarios where these cyber risks may manifest (use cases).

  4. Week 3

Requirements-Driven Execution (RDE)

RDE = Requirements + Resources + Research/References.

  • Each use case includes a “Roles & Responsibilities” table.

This becomes the foundation of the Working Draft (WDv1) of the CIRP.

  5. Week 4

  • Preparation of WDv1 of the CIRP (may take 2–3 weeks depending on availability).
  • Delivery of WDv1 after first invoice payment.
  • Second invoice for 30% issued upon delivery.

  6. Week 5+

Refinement of WDv1

This phase may require multiple iterations (some clients have gone up to WDv13). Every increment takes about a week. Timelines vary depending on complexity.

  7. Week TBD

Understanding the role of your cyber insurance

Cyber insurance is a key part of your IR strategy. Ensure coverage, vendors, and terms are understood and sufficient. The person managing insurance should be part of your CIRT.

  8. Final week

Termination of the project:

  • CIRP undergoes third-party QA.
  • Comments, headers, highlights removed from final document.
  • Final product delivered as a Word doc, ready for organizational branding/formatting.
  • Clients invited to connect on LinkedIn and continue the professional relationship.

Final deliverables

  • Final draft of the CIRP.
  • CIRP Management Overview section for senior management presentations.
  • Cyber Risk x CIRP Matrix showing alignment with risks.
  • Cyber Insurance Questionnaire with responses.
  • Appendices for use during incidents.
  • Signed copy of my McGraw-Hill CIRP book.

Delivery of the Final Draft (after second invoice payment) initiates the final 40% invoice.

Cost

Total cost: $25,000

  • Available to clients globally.
  • Payment terms: Net 30, split into 30%, 30%, 40% (non-refundable).
  • Pre-payment: 20% discount (refunds based on milestone completion).
  • Late payments may delay progress.
  • Non-participation (30+ days) cancels project and forfeits payments.
  • Timeline assumes my full availability (may extend if either party unavailable).
  • No technical process guides provided — I am no longer technical.
  • More detailed project plan and sample Table of Contents available on request.

It is a rare privilege to have the opportunity to rehearse for a crisis. While TTXs are an annual requirement for every InfoSec framework, the opportunity to have the undivided attention of your Executive Management team, to update them on current threats, to see if any of their concerns have changed (assuming you already know their concerns), and to refresh the muscle memory of the team responding to a crisis is invaluable.

I have been successful at the management-level TTXs because I invest a significant amount of time learning about my clients and helping them prepare for the TTX. My ultimate objective is to prepare your team to be successful during an actual crisis (i.e., give an “open book test”).

I offer three types of two-hour TTXs:

  1. Board of Directors

This can be either a formal TTX, or more of a coaching/teaching event.

Objectives typically include:

  • Understanding BOD due diligence as per NACD, OAS, and the recent UK Cyber Governance Code of Practice documentation.
  • Review of your organization’s publicly disclosed Cyber Risk Narrative & Cyber Security commitments, comparing them to near peers.
  • Leveraging industry frameworks to assess “Are you doing enough?”
  • Reviewing your Policy documentation/execution.
  • Reviewing BOD expectations of the Executive Management Team during an incident.

  2. Executive Management Team

Objectives typically include:

  • Validation/Development of the Cyber Risk Narrative.
  • Requirements-Driven Execution.

Business-focused:

  • Statutory, Contractual, and Internal Reporting.
  • Brand/Reputation protection.
  • Potential litigation considerations.
  • Integrating your cyber insurance.
  • Proactive measures to minimize potential impacts prior to and/or during a cyber event.

  3. Technical Management Team

Objectives typically include:

  • Whether your efforts and focus are aligned with the Cyber Risk Narrative.
  • Requirements-Driven Execution.
  • Division of Labor considerations.
  • Management reporting.
  • Knowing what “normal” looks like (i.e., context).
  • Proactive actions, including Containment Planning.

The normal scope of this engagement is for two 2-hour TTXs at your location. I recommend one TTX before lunch, and one after. You can choose from the three choices above. I recommend a Top Down order for the TTXs: the BOD prior to the EMT, prior to the Technical. This way, we can ensure management considerations are fully understood/evaluated at each subordinate level.

If you have recently developed a CIRP with me, I recommend a TTX as a mechanism to review the CIRP, with the people identified in the CIRP as members of the Cyber Incident Response Team (CIRT).

I am also open to a two-day on-site session in which we address all three TTX options.

The following is a high-level project timeline for developing/executing your TTX. This timeline is by no means reflective of every TTX engagement. (I had one client wait for seven months to schedule the TTX because their CEO wanted all the actuals at the table.)

  1. Initiation of the project – the “closing” meeting

Expectation management:

  • Project costs, receiving your Purchase Order, invoicing logistics, and payment cadence.

Your expectations of me, and the TTXs:

  • Deadlines.
  • Audit requirements.
  • Visibility.

My expectations of YOU (typically 2–4 hours per week):

  • Establish a primary and alternate delivery date/range for the TTX.
  • Set up a call with your cyber insurance team – see Week #3 below.
  • If we mutually agree that this is the path forward, this will initiate the first invoice for 30% of the project fee.

  2. Week #1

Review your CIRP and any other relevant IR/Cyber Risk documentation:

  • How sufficient is the IR documentation?
  • Identify and review the various “other” documents that may impact the Incident Response effort.

  3. Week #2

Defining/Validating the Cyber Risk Narrative for the Organization:

  • Identify explicit and implicit cyber risks.

  4. Week #3

Understanding the Role of your Cyber Insurance

Cyber insurance is an integral component of your IR strategy…

  • Set up a call for conducting a one-hour Cyber Insurance policy CIRP integration.

  5. Week #4

Development of the TTX

  • Identification of the TTX objectives.
  • Identification of scope of participants.
  • Development of Speaker’s Notes.
  • Development of the scenario.
  • This is a payment and invoicing milestone. Delivery of the TTX slides will occur once the first invoice has been paid. Delivery of the TTX slides will initiate a second invoice for the second 30% payment.

  6. Week #5+

Execution of the TTX

  • I fly in the day before and fly out the following day.
  • One two-hour TTX will be in the AM, another after lunch. I will be on-site all day.
  • I recommend a Top Down order for the TTXs: the BOD prior to the EMT, prior to the Technical.
  • I am at your disposal for the day, including informal conversations or Q&A.
  • All findings/recommendations are discussed at the end of each TTX. If your GC doesn’t want formal findings, I can also provide a letter of completion.

Upon completion of the TTX, I will provide you with:

  • A draft of the TTX report for each of the sessions.
  • The report should leverage your Lessons Learned program (or kick-start one).
  • The Technical TTX typically involves an initial Containment Plan.
  • This is a payment and invoicing milestone. Delivery of the draft TTX Report initiates the final 40% invoice.

  7. Final Week

Termination of the Project

  • The TTX reports will undergo third-party QA review.
  • Finalized reports in PDF format for auditors.
  • Reports certify two hours of CPE credit.
  • I invite every client to connect with me on LinkedIn. I love this job.

Final Deliverables:

  • Two/Three TTX reports with CPE credit.
  • An initial Containment Plan with the Technical TTX.
  • A signed copy of my McGraw-Hill CIRP book.

Total cost of the one-day TTX engagement: $17,000 (includes all travel expenses for 2 TTXs).

Total cost of the two-day engagement: $24,000 (includes all travel expenses for 3 TTXs).

Discounted price of both a CIRP development and a one-day TTX: $35,000

  • This includes all travel expenses for one or two days.
  • Intended for U.S. and European clients.
  • Payment terms: Net 30 for each of the three invoices (30%, 30%, 40%).
  • Pre-payment of total cost includes 20% discount.
  • Late payments may delay the project.
  • Protracted absence (30+ days) cancels the project and forfeits payments.
  • This timeline assumes full availability; delays may occur otherwise.
  • I can adjust as needed to support your needs.

You can find full details on our workshops—including schedules, pricing, timelines, and what to expect—on our Workshops page.