ericgeater
Community Champion

Addressing cybersecurity to an unaccustomed industry

I recently sat in a cybersecurity webinar hosted by our org's trade group.  It was billed as "recent trends related to cyber-attacks and how you can best prepare your business through education and protection," but the technical components were a virtual presentation on ransomware, and a glossing over business email compromise and security awareness training, ending with a pitch for cybersecurity insurance.

 

The focus seemed to be on scare tactics instead of designing a strategy.  Creating a security posture, vulnerability assessments, and backup policy were only mentioned at the end because I asked the panelists for suggested strategies during the Q&A!

 

With cybersecurity month coming up, I'm thinking about building a presentation for the trade group.  The focus and emphasis would be on items such as governance and policy (or informed decision-making), accountability, asset protection and resilience, and maybe do a shallow dive into risk management and BCP/DRP.

 

If you were going to address a business group which only dealt with cybersecurity on an ad hoc basis, what would you focus on?  What would you emphasize?  

-----------
A claim is as good as its veracity.
13 Replies
Johannes
Newcomer III

Is the group only interested in trade or does it also have members from industry?

In the latter case I think it's important that Cybersecurity for IT and Cybersecurity for ICS are two entirely different things although they look superficially similar. Where in IT we talk about Confidentiality, Integrity and Availability, in ICS we turn that around and talk about Safety, safety, safety, Availability, Integrity and Confidentiality. The risks for both kinds of security are completely different. In the IT world we talk about identity theft, theft of Intellectual Property and the like but in ICS loss of human life or severe injuries are real risks that have to be mitigated.

Kind regards,

Johannes
ericgeater
Community Champion

To address your question, the trade group mostly focuses on sales and relationship building.  Only recently was I made aware that there was a "VP of IT" in the trade group!  His background includes PMP and ITIL, and he states an expertise in infrastructure design, business process improvement, and cloud computing.

 

And here I am, like the Spider Man meme, thinking "if members need those things, then it's a de facto conclusion they need cybersecurity, too."

-----------
A claim is as good as its veracity.
Caute_cautim
Community Champion

@ericgeater I guess that one could do some research around that particular industry, in terms of what is likely to get their attention in terms of the types of risks and threats which would have an impact on them.

 

Are there any regulations which apply to that particular group, which they have to adhere to, and are there any implications or knock-on effects if they are not prepared?  As we all know it is a matter of being prepared rather than "if it happens" these days.  Example: How would they deal with a Ransomware extortion?  What is their particular policy or would they merely hand it over to the Cyber Security Insurance company to deal with?

 

I would take useful report such as "https://www.ibm.com/security/data-breach

 

How do they rate in being prepared? 

 

Or check out the International Telecommunications Union (ITU) Cyber Security Index and do some background research?

 

Work out what is critical to that particular industry and what attack vectors have they encountered in the past?

 

Have they carried out a recent digital transformation - just ask them where they think their data actually exists and whether they think it has the necessary level of protection and that only authorised users, devices, applications and networks can access it legitimately.

 

There are plenty of approaches, but simply raising questions and showing examples, may resonate and get them asking questions rather than taking the FUD approach - which in general never works.

 

Regards

 

Caute_cautim

ericgeater
Community Champion

Thanks to everyone for your suggestions!  I've been working on a presentation that included many of them, and hopefully I'll have a chance to offer it to the trade group.

-----------
A claim is as good as its veracity.