Communication: storytelling for security.
COMPASS Cyber Security's Bob Olsen made the closing presentation of the conference. He addressed himself to business leaders and their security teams, the people who actually have to build the cyber security program.
He proposed beginning with a thought experiment: ask what the impact would be of a variety of incidents on your business. Loss of access to data for several days? Loss of an e-commerce portal? Public disclosure that client data had been lost? Unauthorized access to the CEO's email account? Every business will think through these eventualities in different ways because every business has its distinctive risk profile and risk tolerance.
Getting people to care about cybersecurity.
As an organization thinks through these scenarios and builds its security program, it will be faced with the challenge of execution, and a big part of that challenge is "getting people to care." Olsen's advice was that the more personal the communication was, the more effective it would be. He particularly enjoined information security experts to speak their colleagues' language, not their own. "Tailor the threats to the person’s role; speak their language, don’t make them learn yours."
Storytelling about cybersecurity with the right analogies.
Since a cyber security program is a matter of getting the technology, people, and policy right, Olsen said, consider comparing these elements of security to the things you might do to secure a house.
For technology, your house might be secured different elements each corresponding to a cybersecurity analogue. The locks on its doors, for example, are like passwords and two-factor authentication. You may also have a monitored alarm system (a firewall, antivirus, and security monitoring), signage (group policies), a safe for valuables (network segmentation and encryption), a dog (firewall, network alarms, intrusion detection systems), video cameras (SIEM), perhaps a security guard (security consultants), and police activity reports (threat intelligence).
The analogy, Olsen said, can also be applied to people and policies. Individual keys are like password management, privileged access, and access control policies. You'll also have alarm system codes (role-based access and password management) and stranger danger awareness (security awareness training). You'd be wise to hold an annual fire drill (phishing exercises and an incident response plan), and it's just common sense to look who's at the door before you open it (role-based access and awareness training).
Everyone learns differently, Olsen stressed, and you should consider using a range of approaches to teaching that go beyond the deadly annual security refresher training. Consider newsletters, guides, breach examples, and podcasts, gamification and seminars, and use them throughout the year (he called this the "drip method").
And of course, cybersecurity is risk management.
If you don't understand the distinctive threats to your organization, and if you don't review your risk profile at least annually, Olsen concluded, you'll be wasting resources. Approach the challenge as an exercise in risk management, and involve your people in ways that will help them keep the organization secure.