I recently sat in a cybersecurity webinar hosted by our org's trade group. It was billed as "recent trends related to cyber-attacks and how you can best prepare your business through education and protection," but the technical components were a virtual presentation on ransomware and a glossing over of business email compromise and security awareness training, ending with a pitch for cybersecurity insurance.
The focus seemed to be on scare tactics instead of designing a strategy. Creating a security posture, vulnerability assessments, and backup policy were only mentioned at the end because I asked the panelists for suggested strategies during the Q&A!
With cybersecurity month coming up, I'm thinking about building a presentation for the trade group. The focus and emphasis would be on items such as governance and policy (or informed decision-making), accountability, asset protection and resilience, and maybe a shallow dive into risk management and BCP/DRP.
If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on? What would you emphasize?
Oh, and one of the panelists works for a cybersecurity underwriter.
First off, you can't go wrong talking about anything you listed. You could easily make an hour-long presentation on any of those topics.
If I had to group them together for compression, I'd start with Risk because all of those listed are strategies to reduce risk to the organization. So essentially you're starting with the scare tactic of Risk, but follow up with strategies of prevention: governance/policy creation and accountability for management, BCP/DR plans and asset protection that IT can get involved with. Then you can talk about getting everyone involved with a solid security awareness training plan.
<<<<If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on? What would you emphasize?>>>>
When preparing to address a group I would start with some questions to frame the conversation. Most important: 1) Who is the audience? Sounds like you know that, so what are they going to walk away from this meeting with? 2) What is the outcome you want to achieve from this group? Do you wish to inform? Are you trying to sell products or services? Do you want to give some news you can use? 3) Localize it. Answer the question: So what? Why should I care? If the answer to "why should I care" is "because security is everyone's responsibility," then you've already lost them; it's just another mandatory training to check a box.
About the fear and scare tactics. It's so common to pull the old "scare them into pulling out their wallets" routine. The term FUD (Fear, Uncertainty and Doubt) is still a thing. It's not productive, but it sensationalizes otherwise pretty mundane topics.
You have great ideas that anyone could benefit from, so I say go for it. It's not a bad idea to use a ripped-from-the-day's-headlines story to demonstrate high impact from cyber to kinetic, like Stuxnet or whatever government is being held hostage because of ransomware with no restorable backups. Great saying: "No Backup, No Restore".
1) Security Awareness Training - users need to understand the risk of phishing, malware, ransomware, etc.
2) Asset management for both hardware and software... If you don't know what you have, how are you going to protect it?
3) Vulnerability assessments, both internal and external. Frankly, this is a no-brainer. I see way too many clients thinking patching solves all the problems. Try removing software that is end-of-life or no longer used. See #2.
I'd start by relating cyber risk to business risk and talk about how to deal with business continuity.
Maybe have them, interactively, translate cyber risks into business risks and ask them how they deal with those kinds of risks.
In my view cybersecurity (or if you wish, cyber resilience) has two main topics: asset management (know what you have and what its vulnerabilities, and hence risks, are) and risk management.
Talk about risk appetite, risk budget, and risk management strategies (like acceptance, insurance and mitigation).
Also talk about the level of the organisation at which the responsibility should reside (C-level in my view) and who is authorized to accept risks.
What is the outcome you want to achieve from this group?
Our trade group focuses most of their resources on the business they conduct. The trade group has a VP for IT (who arranged the aforementioned webinar), so the cyber-insurance sales pitch makes it sound like they're either softballing for the underwriters, or they're looking for topics to share with members. If there's an outcome, it's to say things out loud to IT peers within these affiliated companies, and create a security roundtable that focuses on how companies like ours devise security strategies.