topic Re: Addressing cybersecurity to an unaccustomed industry in Governance, Risk, Compliance

Addressing cybersecurity to an unaccustomed industry

ericgeater — Thu, 27 Aug 2020 17:35:25 GMT

I recently sat in a cybersecurity webinar hosted by our org's trade group. It was billed as "recent trends related to cyber-attacks and how you can best prepare your business through education and protection," but the technical components were a virtual presentation on ransomware, and a glossing over business email compromise and security awareness training, ending with a pitch for cybersecurity insurance.

The focus seemed to be on scare tactics instead of designing a strategy. Creating a security posture, vulnerability assessments, and backup policy were only mentioned at the end because I asked the panelists for suggested strategies during the Q&A!

With cybersecurity month coming up, I'm thinking about building a presentation for the trade group. The focus and emphasis would be on items such as governance and policy (or informed decision-making), accountability, asset protection and resilience, and maybe do a shallow dive into risk management and BCP/DRP.

If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on? What would you emphasize?

Re: Addressing cybersecurity to an unaccustomed industry

ericgeater — Thu, 27 Aug 2020 17:36:50 GMT

Oh, and one of the panelists works for a cybersecurity underwriter.

Re: Addressing cybersecurity to an unaccustomed industry

rslade — Thu, 27 Aug 2020 18:11:12 GMT

> ericgeater (Contributor II) posted a new topic in Governance, Risk, Compliance

> The focus seemed to be on scare tactics instead
> of designing a strategy.

There's a lot of that going around, these days.

> If you were
> going to address a business group which only dealt with cybersecurity on an ad
> hoc basis, what would you focus on? What would you emphasize?

Backups.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
'Tory' is the anglicized spelling of Irish 'tóraidhe', which used
to refer to an Irish bandit or rapparee
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Addressing cybersecurity to an unaccustomed industry

tmekelburg1 — Thu, 27 Aug 2020 18:25:16 GMT

First off, you can't go wrong talking about any of that you listed. You could easily make an hour long presentation on any of those topics.

If I had to group them together for compression I'd start with Risk because all of those listed are strategies to reduce risk to the organization. So essential you're starting with the scare tactic of Risk but follow up with strategies of prevention with governance/policy creation and accountability for management, BCP/DR plans and asset protection that IT can get involved with. Then you can talk about getting everyone involved with a solid security awareness training plan.

Re: Addressing cybersecurity to an unaccustomed industry

rslade — Thu, 27 Aug 2020 18:26:12 GMT

> ericgeater (Contributor II) posted a new reply in Governance, Risk, Compliance

> Oh, and one of the panelists works for a cybersecurity underwriter.

I think I'll have a heart attack and die from *NOT* being surprised.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
If you have time to whine and complain about something then you
have the time to do something about it. - Anthony J. D'Angelo
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Addressing cybersecurity to an unaccustomed industry

MikeinGlennDale — Thu, 27 Aug 2020 20:24:43 GMT

<<<<If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on? What would you emphasize?>>>>

When preparing to address a group I would start with some questions to frame the conversation. Most important 1). Who is the audience? Sounds like you know that so what are they going to walk away from this meeting with? 2). What is the outcome you want to achieve from this group? Do you wish to inform? Are you trying to sell products or services? Do you want to give some news you can use? 3). Localize it. Answer the question So what? Why should I care? If the answer to why should I care is because security is everyone's responsibility then you already lost them, it's just another mandatory training to check a box.

About the fear and scare tactics. It's so common to pull the old scare them into pulling out their wallets. The term FUD Fear Uncertainty and Doubt. It's still a thing. It's not productive but it sensationalizes otherwise pretty mundane topics.

You have great ideas that anyone could benefit from so I say go for it. It's not a bad idea to use a ripped from the days headline story to demonstrate high impact from Cyber to Kinetic like Stuxnet or whatever government is being held hostage because ransomware with no restorable backups. Great saying " No Backup, No Restore " .

Re: Addressing cybersecurity to an unaccustomed industry

PuettK — Thu, 27 Aug 2020 21:51:13 GMT

1) Security Awareness Training - users need to understand the risk of phishing, malware, ransomware etc. 2) Asset management for both hardware and software... If you don't know what you have, how are you going to protect it? 3)Vulnerability assessments both internal and external. Frankly, this is a no brainer. I see way to many clients thinking patching solves all the problems. Try removing software that is end-of-life, no longer used. See #2

Re: Addressing cybersecurity to an unaccustomed industry

Johannes — Fri, 28 Aug 2020 11:46:19 GMT

I'd start by relating cyber risk to business risk and talk about how to deal with business continuity.

Maybe have them, interactively, translate cyber risks in business risks and ask them how they deal with those kind of risks.

In my view cybersecurity (or if you wish, cyber resilience) has two main topics, Asset management (know what you have and what it's vulnerabilities and hence risks are) and Risk Management.

Talk about risk Appetite, Risk budget, risk management strategies (like acceptance, insurance and mitigation).

Also talk about the level of the organisation at which the responsibility should reside (C-level in my view) and who is authorized to accept risks.

Re: Addressing cybersecurity to an unaccustomed industry

Johannes — Fri, 28 Aug 2020 11:47:56 GMT

Oh, and don't forget about Security by Design and Security in Depth

Re: Addressing cybersecurity to an unaccustomed industry

ericgeater — Fri, 28 Aug 2020 12:22:18 GMT

What is the outcome you want to achieve from this group?

Our trade group focuses most of their resources on the business they conduct. The trade group has a VP for IT (who arranged the aforementioned webinar), so the cyber-insurance sales pitch makes it sound like they're either softballing for the underwriters, or they're looking for topics to share with members. If there's an outcome, it's to say things out loud to IT peers within these affiliated companies, and create a security roundtable that focuses on how companies like ours devise security strategies.

Re: Addressing cybersecurity to an unaccustomed industry

Johannes — Fri, 28 Aug 2020 12:58:09 GMT

Is the group only interested in trade or does it also have members from industry?

In the latter case I think it's important that Cybersecurity for IT and Cybersecurity for ICS are tow entirely different things although they look superficially similar. Where in IT we talk about Confidentiality, Integrity and Availability, in ICS we turn that around and talk about Safety, safety, safety, Availability, Integrity and Confidentialy. The risks for both kinds of security are completely different. In the IT world we talk about identity theft, theft of Intellectual Property and the like but in ICS loss of human life or severe injuries are real risks that have to be mitigated.

Re: Addressing cybersecurity to an unaccustomed industry

ericgeater — Sat, 29 Aug 2020 14:59:08 GMT

To address your question, the trade group mostly focuses on sales and relationship building. Only recently was I made aware that there was a "VP of IT" in the trade group! His background includes PMP and ITIL, and he states an expertise in infrastructure design, business process improvement, and cloud computing.

And here I am, like the Spider Man meme, thinking "if members need those things, then it's a de facto conclusion they need cybersecurity, too."

Re: Addressing cybersecurity to an unaccustomed industry

Caute_cautim — Sun, 06 Sep 2020 06:45:07 GMT

@ericgeaterI guess, that one could do some research around that particular industry, in terms of what is likely to get their attention in terms of the types of risks, threats which would have an impact on them.

Are there any regulations, which apply to that particular group, which they have to adhere too and are there any implications or knock on affects, if they are not prepared. As we all know it is a matter of being prepared rather than "if it happens" these days. Example How would be they deal with a Ransomware extortion? What is their particular policy or would they merely hand it over to the Cyber Security Insurance company to deal with?

I would take useful report such as "https://www.ibm.com/security/data-breach

How do they rate in being prepared?

Or check out the International Telecommunications Union (ITU) Cyber Security Index and do some background research?

Work what is critical to that particular industry and what attack vectors have they encountered in the past?

Have they carried out a recent digital transformation - just ask them where they think their data actually exists and whether they think it has the necessary level of protection and that only authorised users, devices, applications and networks can access it legitimately.

There are plenty of approaches, but simply raising questions and showing examples, may resonate and get them asking questions rather than taking the FUD approach - which in general never works.

Regards

Caute_cautim

Re: Addressing cybersecurity to an unaccustomed industry

ericgeater — Tue, 29 Sep 2020 21:04:25 GMT

Thanks to everyone for your suggestions! I've been working on a presentation that included many of them, and hopefully I'll have a chance offer it to the trade group.