…Working in an organization that isn’t allowed to change our cybersecurity posture.
Yes, that’s right. For the past year, I’ve been conducting research and analysis on cyber threat actors and events where we have (almost) no authority over our own cyber security situation – outside of day to day actions and mentality.
To say that it has been interesting would be an understatement – but ultimately in a very positive way. Let me explain my job role. My job is to ensure that those I am beholden to are aware of what threats exist to us as an organization. Not the greater “us” as a whole, but my department and our mission.
Communication is Critical
Knowing when not to speak is important. Knowing your audience and how to communicate the critical components to them appropriately is vital. There have been multiple cyber incidents in the past 365 days (SolarWinds being one of the largest), and being able to tell my leadership what happened, how it happened, and what could (or could NOT) have been done in plain language made me exponentially more valuable as an individual.
That last part can’t be understated, in plain language. As cyber security professionals, technical jargon can get the best of us, quickly, and in doing so it loses our audience. Use the resources available to you when you get asked questions by non technical people. Rather than waiting for clarifying questions, immediately grab a marker and start drawing. Start by discussing the relevant components, clarify attack flow in your narration of events, and if necessary discuss peripherals as a back-fill to show how others were more or less successful in mitigating impact. Don’t use language like “obviously”, it makes the listener feel like they should already know something. There’s a plethora of reading available on this topic, but
Communication leads to the next two points.
Structure Reporting
I’ve made it a habit to structure all of my slides, e-mails, or reports in one solid format:
- Context
- Event
- Risk and Future
This has allowed my audience to be able to quickly consume the information and know what they’re reading, and quickly get to the section that they want to repeat in the event it is being shared with others. By having some sort of template that doesn’t require an entire table of contents, my boss(es) know exactly where to look to get the details they need.
Without going too into the weeds on this one, I really just wanted to share the overall flow of data in my reporting and that it has been well received, and why. Come up with something that works for YOUR organization, and stick to it. Next up,
Be Concise
I don’t know about where everyone else works, or the amount of time that they get with the decision makers, but in my line of work the initial notification of information may have to be boiled down to a 30 to 60 second drive-by where you’re simply letting someone know that something happened, and it’s important that they know about it – before they’re blind sided.
Now, I want to make this clear: if something were to happen at our organization, my department was not going to be the party reporting it to the boss. I worked in threat intelligence, and making sure the boss knew what was out there.
Being able to catch their ear for a minute and summarize the who, what, where, when, why, and risk was key to keeping them in the loop and giving them the advantage of being able to summarily talk about an event if THEY were asked about it. Nothing hurts more than being asked questions about a major world event and having no insight on the situation. For that reason alone, preparing a note that you can simply hand to them and pass along or bullet points for a future discussion goes a long way. Oh yeah, I mentioned 5 W’s, but what about 5W+R?
Risk
Risk is more than just a board game. This is the part that every supervisor wants to know about. How does this come back to ME?
Take your time with this one. Collaborate, brain storm, and model different ways that a threat actor or event could come full circle and bite your institution. Maybe it’s through effects on your supply chain? Are your employees a potential target either at work or at home? On a broader scale, are partners less likely to outsource work to you or those you work with? Can the attack vector be modified to target your organization, and has that been demonstrated?
Risk is the one thing that cyber security professionals sometimes overlook, and instead focus on numbers of outstanding unpatched vulnerabilities, update rollouts, lack of employee awareness, and the infamous “we need more money!”. While there’s value in all of that, the only true way to make change is by addressing the risk, and offering up options. Yes, that’s plural.
There’s almost always an obvious solution: a firewall tweak here, updating software there, end-point mandates over here, whatever it may be. But what if a software update breaks everything else within the organization, what ELSE can be done? Maybe certain terminals can be isolated on another network? Limiting inbound/outbound network access? Try to offer up alternatives, especially in a fiscally or policy constrained environment. You’re not a victim, you’re an advocate. Advocate for positive strategies, and you will blossom like the pretty little flower that you are!
Okay, there’s so much more I’ve learned, but these are the key takeaways. After over a year of not publishing anything, I knew it was time to post something and share these ideas. If you have input, I want to hear about it. Tell me i’m wrong, I look forward to hearing about it!