Contributor II

Addressing cybersecurity to an unaccustomed industry

I recently sat in a cybersecurity webinar hosted by our org's trade group.  It was billed as "recent trends related to cyber-attacks and how you can best prepare your business through education and protection," but the technical components were a virtual presentation on ransomware and a glossing-over of business email compromise and security awareness training, ending with a pitch for cybersecurity insurance.

The focus seemed to be on scare tactics instead of designing a strategy.  Creating a security posture, vulnerability assessments, and backup policy were only mentioned at the end because I asked the panelists for suggested strategies during the Q&A!
With cybersecurity month coming up, I'm thinking about building a presentation for the trade group.  The focus and emphasis would be on items such as governance and policy (or informed decision-making), accountability, asset protection and resilience, and maybe do a shallow dive into risk management and BCP/DRP.
If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on?  What would you emphasize?  

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
13 Replies
Contributor II

Re: Addressing cybersecurity to an unaccustomed industry

Oh, and one of the panelists works for a cybersecurity underwriter.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Addressing cybersecurity to an unaccustomed industry

> ericgeater (Contributor II) posted a new topic in Governance, Risk, Compliance

>   The focus seemed to be on scare tactics instead
> of designing a strategy.

There's a lot of that going around, these days.

>   If you were
> going to address a business group which only dealt with cybersecurity on an ad
> hoc basis, what would you focus on?  What would you emphasize?  

Backups.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
'Tory' is the anglicized spelling of Irish 'tóraidhe', which used
to refer to an Irish bandit or rapparee
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Contributor I

Re: Addressing cybersecurity to an unaccustomed industry

First off, you can't go wrong talking about any of what you listed. You could easily make an hour-long presentation on any of those topics.

If I had to group them together for compression, I'd start with Risk, because all of those listed are strategies to reduce risk to the organization. So essentially you're starting with the scare tactic of Risk, but follow up with strategies of prevention: governance/policy creation and accountability for management, then BCP/DR plans and asset protection that IT can get involved with. Then you can talk about getting everyone involved with a solid security awareness training plan.

Community Champion

Re: Addressing cybersecurity to an unaccustomed industry

> ericgeater (Contributor II) posted a new reply in Governance, Risk, Compliance

> Oh, and one of the panelists works for a cybersecurity underwriter.

I think I'll have a heart attack and die from *NOT* being surprised.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
If you have time to whine and complain about something then you
have the time to do something about it. - Anthony J. D'Angelo
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Newcomer I

Re: Addressing cybersecurity to an unaccustomed industry

> If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on?  What would you emphasize?

When preparing to address a group, I would start with some questions to frame the conversation.  Most important: 1) Who is the audience?  Sounds like you know that, so what are they going to walk away from this meeting with?  2) What is the outcome you want to achieve from this group?  Do you wish to inform?  Are you trying to sell products or services?  Do you want to give some news you can use?  3) Localize it.  Answer the questions "So what?" and "Why should I care?"  If the answer to "why should I care" is "because security is everyone's responsibility," then you already lost them; it's just another mandatory training to check a box.

About the fear and scare tactics.  It's so common to pull the old "scare them into pulling out their wallets."  The term FUD (Fear, Uncertainty and Doubt) is still a thing.  It's not productive, but it sensationalizes otherwise pretty mundane topics.

You have great ideas that anyone could benefit from, so I say go for it.  It's not a bad idea to use a ripped-from-the-day's-headlines story to demonstrate high impact from cyber to kinetic, like Stuxnet, or whatever government is being held hostage because of ransomware with no restorable backups.  Great saying: "No Backup, No Restore."

Newcomer II

Re: Addressing cybersecurity to an unaccustomed industry

1) Security Awareness Training - users need to understand the risk of phishing, malware, ransomware, etc.

2) Asset management for both hardware and software...  If you don't know what you have, how are you going to protect it?

3) Vulnerability assessments, both internal and external.  Frankly, this is a no-brainer.  I see way too many clients thinking patching solves all the problems.  Try removing software that is end-of-life or no longer used.  See #2.

Newcomer III

Re: Addressing cybersecurity to an unaccustomed industry

I'd start by relating cyber risk to business risk and talk about how to deal with business continuity.

Maybe have them, interactively, translate cyber risks into business risks and ask them how they deal with those kinds of risks.

In my view cybersecurity (or if you wish, cyber resilience) has two main topics: Asset Management (know what you have and what its vulnerabilities, and hence risks, are) and Risk Management.

Talk about risk appetite, risk budget, and risk management strategies (like acceptance, insurance and mitigation).

Also talk about the level of the organisation at which the responsibility should reside (C-level in my view) and who is authorized to accept risks.

Kind regards,

Johannes
Newcomer III

Re: Addressing cybersecurity to an unaccustomed industry

Oh, and don't forget about Security by Design and Security in Depth.

Kind regards,

Johannes
Contributor II

Re: Addressing cybersecurity to an unaccustomed industry

> What is the outcome you want to achieve from this group?

Our trade group focuses most of its resources on the business it conducts.  The trade group has a VP for IT (who arranged the aforementioned webinar), so the cyber-insurance sales pitch makes it sound like they're either softballing for the underwriters, or they're looking for topics to share with members.  If there's an outcome, it's to say things out loud to IT peers within these affiliated companies, and create a security roundtable that focuses on how companies like ours devise security strategies.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."