The actual exercise should involve people from all the necessary departments and at least one person from the organization’s leadership team. Leadership support and participation are important because they show that the tabletop exercise is serious and has the attention of the entire organization.
Each of these departments may have a critical role to play in responding to a ransomware incident. From actually dealing with the cleanup, to communication with employees, partners, press, attackers, and customers, everyone needs to know what to expect.
Having the legal team present (or outside legal counsel if there’s no in-house legal team) during the tabletop exercise is helpful, because there’s a good chance that your legal team will be leading your IR. At the very least, your IR team will be running everything through your legal team. If your organization is hit by a ransomware attack, there's a very good chance it will become public, and if it becomes public, lawsuits will follow. Assume that IR, reporting, and communications will all flow through the legal team in a ransomware attack and conduct tabletop exercises accordingly.